adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3f5bd3de2d1affa01e2f6c2066c6bb0fc6413bc
metasploit-gs/docs/development/developing-modules/libraries/http/how-to-write-a-browser-exploit-using-browserexploitserver.html
T

169 lines
72 KiB
HTML
Raw Normal View History

Reboot gh-pages
2026-05-08 17:08:43 +00:00
<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><link rel="shortcut icon" href="/assets/images/favicon.png" type="image/x-icon"><link rel="stylesheet" href="/assets/css/just-the-docs-default.css"> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-4622520-7"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-4622520-7', { 'anonymize_ip': true }); </script> <script type="text/javascript" src="/assets/js/vendor/lunr.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/mermaid@10.8.0/dist/mermaid.min.js"></script> <script type="text/javascript" src="/assets/js/just-the-docs.js"></script><meta name="viewport" content="width=device-width, initial-scale=1"><title>BrowserExploitServer | Metasploit Documentation Penetration Testing Software, Pen Testing Security</title><meta name="generator" content="Jekyll v4.3.4" /><meta property="og:title" content="BrowserExploitServer" /><meta property="og:locale" content="en_US" /><meta name="description" content="View Metasploit Framework Documentation" /><meta property="og:description" content="View Metasploit Framework Documentation" /><link rel="canonical" href="https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/http/how-to-write-a-browser-exploit-using-browserexploitserver.html" /><meta property="og:url" content="https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/http/how-to-write-a-browser-exploit-using-browserexploitserver.html" /><meta property="og:site_name" content="Metasploit Documentation Penetration Testing Software, Pen Testing Security" /><meta property="og:type" content="website" /><meta name="twitter:card" content="summary" /><meta property="twitter:title" content="BrowserExploitServer" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"WebPage","description":"View Metasploit Framework Documentation","headline":"BrowserExploitServer","publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"https://rapid7.github.io/metasploit-framework/assets/images/favicon.png"}},"url":"https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/http/how-to-write-a-browser-exploit-using-browserexploitserver.html"}</script><body> <svg xmlns="http://www.w3.org/2000/svg" style="display: none;"> <symbol id="svg-link" viewBox="0 0 24 24"><title>Link</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path> </svg> </symbol> <symbol id="svg-search" viewBox="0 0 24 24"><title>Search</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-search"> <circle cx="11" cy="11" r="8"></circle><line x1="21" y1="21" x2="16.65" y2="16.65"></line> </svg> </symbol> <symbol id="svg-menu" viewBox="0 0 24 24"><title>Menu</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-menu"><line x1="3" y1="12" x2="21" y2="12"></line><line x1="3" y1="6" x2="21" y2="6"></line><line x1="3" y1="18" x2="21" y2="18"></line> </svg> </symbol> <symbol id="svg-arrow-right" viewBox="0 0 24 24"><title>Expand</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-chevron-right"><polyline points="9 18 15 12 9 6"></polyline> </sv
<span class="p">{</span>
<span class="ss">source: </span><span class="sr">/script/i</span><span class="p">,</span>
<span class="ss">activex: </span><span class="p">[</span>
<span class="p">{</span>
<span class="ss">clsid: </span><span class="s1">'{D27CDB6E-AE6D-11cf-96B8-444553540000}'</span><span class="p">,</span>
<span class="ss">method: </span><span class="s1">'LoadMovie'</span>
<span class="p">}</span>
<span class="p">],</span>
<span class="ss">os_name: </span><span class="sr">/win/i</span>
<span class="p">}</span>
</code></pre></div></div><p>You can also define target-specific requirements. This is also how the mixin is able to automatically select a target, and you can get it with the “get_target” method. Heres an example of how to define target-specific requirements for IE8 on Win XP and IE 9 on Win 7:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="s1">'BrowserRequirements'</span> <span class="o">=&gt;</span>
<span class="p">{</span>
<span class="ss">:source</span> <span class="o">=&gt;</span> <span class="sr">/script|headers/i</span><span class="p">,</span>
<span class="s1">'ua_name'</span> <span class="o">=&gt;</span> <span class="no">HttpClients</span><span class="o">::</span><span class="no">IE</span><span class="p">,</span>
<span class="p">},</span>
<span class="s1">'Targets'</span> <span class="o">=&gt;</span>
<span class="p">[</span>
<span class="p">[</span> <span class="s1">'Automatic'</span><span class="p">,</span> <span class="p">{}</span> <span class="p">],</span>
<span class="p">[</span>
<span class="s1">'Windows XP with IE 8'</span><span class="p">,</span>
<span class="p">{</span>
<span class="ss">:os_name</span> <span class="o">=&gt;</span> <span class="s1">'Windows XP'</span><span class="p">,</span>
<span class="s1">'ua_ver'</span> <span class="o">=&gt;</span> <span class="s1">'8.0'</span><span class="p">,</span>
<span class="s1">'Rop'</span> <span class="o">=&gt;</span> <span class="kp">true</span><span class="p">,</span>
<span class="s1">'Offset'</span> <span class="o">=&gt;</span> <span class="mh">0x100</span>
<span class="p">}</span>
<span class="p">],</span>
<span class="p">[</span>
<span class="s1">'Windows 7 with IE 9'</span><span class="p">,</span>
<span class="p">{</span>
<span class="s1">'os_name'</span> <span class="o">=&gt;</span> <span class="s1">'Windows 7'</span><span class="p">,</span>
<span class="s1">'ua_ver'</span> <span class="o">=&gt;</span> <span class="s1">'9.0'</span><span class="p">,</span>
<span class="s1">'Rop'</span> <span class="o">=&gt;</span> <span class="kp">true</span><span class="p">,</span>
<span class="s1">'Offset'</span> <span class="o">=&gt;</span> <span class="mh">0x200</span>
<span class="p">}</span>
<span class="p">]</span>
<span class="p">]</span>
</code></pre></div></div><p>You can use these for <strong>:os_name</strong>:</p><div class="table-wrapper"><table><thead><tr><th>Constant<th>Purpose<tbody><tr><td>OperatingSystems::Match::WINDOWS<td>Match all versions of Windows<tr><td>OperatingSystems::Match::WINDOWS_95<td>Match Windows 95<tr><td>OperatingSystems::Match::WINDOWS_98<td>Match Windows 98<tr><td>OperatingSystems::Match::WINDOWS_ME<td>Match Windows ME<tr><td>OperatingSystems::Match::WINDOWS_NT3<td>Match Windows NT 3<tr><td>OperatingSystems::Match::WINDOWS_NT4<td>Match Windows NT 4<tr><td>OperatingSystems::Match::WINDOWS_2000<td>Match Windows 2000<tr><td>OperatingSystems::Match::WINDOWS_XP<td>Match Windows XP<tr><td>OperatingSystems::Match::WINDOWS_2003<td>Match Windows Server 2003<tr><td>OperatingSystems::Match::WINDOWS_VISTA<td>Match Windows Vista<tr><td>OperatingSystems::Match::WINDOWS_2008<td>Match Windows Server 2008<tr><td>OperatingSystems::Match::WINDOWS_7<td>Match Windows 7<tr><td>OperatingSystems::Match::WINDOWS_2012<td>Match Windows 2012<tr><td>OperatingSystems::Match::WINDOWS_8<td>Match Windows 8<tr><td>OperatingSystems::Match::WINDOWS_81<td>Match Windows 8.1<tr><td>OperatingSystems::Match::LINUX<td>Match a Linux distro<tr><td>OperatingSystems::Match::MAC_OSX<td>Match Mac OSX<tr><td>OperatingSystems::Match::FREEBSD<td>Match FreeBSD<tr><td>OperatingSystems::Match::NETBSD<td>Match NetBSD<tr><td>OperatingSystems::Match::OPENBSD<td>Match OpenBSD<tr><td>OperatingSystems::Match::VMWARE<td>Match VMWare<tr><td>OperatingSystems::Match::ANDROID<td>Match Android<tr><td>OperatingSystems::Match::APPLE_IOS<td>Match Apple IOS</table></div><p>You can use these for <strong>:ua_name</strong>:</p><div class="table-wrapper"><table><thead><tr><th>Constant<th>Value<tbody><tr><td>HttpClients::IE<td>“MSIE”<tr><td>HttpClients::FF<td>“Firefox”<tr><td>HttpClients::SAFARI<td>“Safari”<tr><td>HttpClients::OPERA<td>“Opera”<tr><td>HttpClients::CHROME<td>“Chrome”</table></div><p>More of these constants can be found here: <a href="https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/constants.rb">https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/constants.rb</a></p><p>All currently supported requirements by the mixin can be found here (see REQUIREMENT_KEY_SET): <a href="https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb#L46">https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb#L46</a></p><h3 id="set-up-a-listener"> <a href="#set-up-a-listener" class="anchor-heading" aria-labelledby="set-up-a-listener"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Set up a listener</h3><p>After the detection stage and the requirement check, the mixin will trigger the “on_request_exploit” callback method, thats where you handle the HTTP request, craft the HTML, and send back the exploit response. Heres an example of how to set up “on_request_exploit”:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#</span>
<span class="c1"># Listens for the HTTP request</span>
<span class="c1"># cli is the socket</span>
<span class="c1"># request is the Rex::Proto::Http::Request object</span>
<span class="c1"># target_info is a hash that contains all the browser info (aka the profile)</span>
<span class="c1">#</span>
<span class="k">def</span> <span class="nf">on_request_exploit</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">target_info</span><span class="p">)</span>
<span class="n">print_status</span><span class="p">(</span><span class="s2">"Here's what I know about the target: </span><span class="si">#{</span><span class="n">target_info</span><span class="p">.</span><span class="nf">inspect</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span>
<span class="k">end</span>
</code></pre></div></div><h3 id="crafting-html-with-browserexploitserver"> <a href="#crafting-html-with-browserexploitserver" class="anchor-heading" aria-labelledby="crafting-html-with-browserexploitserver"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Crafting HTML with BrowserExploitServer</h3><p>There are two coding styles the BrowserExploitServer mixin supports: The good old HTML, or <a href="http://ruby-doc.org/stdlib-2.1.3/libdoc/erb/rdoc/ERB.html">ERB</a> template. The first is pretty self-explanatory:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">on_request_exploit</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">target_info</span><span class="p">)</span>
<span class="n">html</span> <span class="o">=</span> <span class="sx">%Q|
&lt;html&gt;
Hello, world!
&lt;/html&gt;
|</span>
<span class="n">send_exploit_html</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">html</span><span class="p">)</span>
<span class="k">end</span>
</code></pre></div></div><p><a href="http://ruby-doc.org/stdlib-2.1.3/libdoc/erb/rdoc/ERB.html">ERB</a> is a new way to write Metasploit browser exploits. If youve written one or two web applications, this is no stranger to you. When youre using the BrowserExploitServer mixin to write an exploit, what really happens is youre writing a rails template. Heres an example of using of this feature:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">on_request_exploit</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">target_info</span><span class="p">)</span>
<span class="n">html</span> <span class="o">=</span> <span class="sx">%Q|
&lt;html&gt;
Do you feel lucky, punk?&lt;br&gt;
&lt;% if [true, false].sample %&gt;
Lucky!&lt;br&gt;
&lt;% else %&gt;
Bad luck, bro!&lt;Br&gt;
&lt;% end %&gt;
&lt;/html&gt;
|</span>
<span class="n">send_exploit_html</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">html</span><span class="p">)</span>
<span class="k">end</span>
</code></pre></div></div><p>If you want to access local variables or arguments, make sure to pass the binding object to send_exploit_html:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">exploit_template1</span><span class="p">(</span><span class="n">target_info</span><span class="p">,</span> <span class="n">txt</span><span class="p">)</span>
<span class="n">txt2</span> <span class="o">=</span> <span class="s2">"I can use local vars!"</span>
<span class="n">template</span> <span class="o">=</span> <span class="sx">%Q|
&lt;% msg = "This page is generated by an exploit" %&gt;
&lt;%=msg%&gt;&lt;br&gt;
&lt;%=txt%&gt;&lt;br&gt;
&lt;%=txt2%&gt;&lt;br&gt;
&lt;p&gt;&lt;/p&gt;
Data gathered from source: </span><span class="si">#{</span><span class="n">target_info</span><span class="p">[</span><span class="ss">:source</span><span class="p">]</span><span class="si">}</span><span class="sx">&lt;br&gt;
OS name: </span><span class="si">#{</span><span class="n">target_info</span><span class="p">[</span><span class="ss">:os_name</span><span class="p">]</span><span class="si">}</span><span class="sx">&lt;br&gt;
UA name: </span><span class="si">#{</span><span class="n">target_info</span><span class="p">[</span><span class="ss">:ua_name</span><span class="p">]</span><span class="si">}</span><span class="sx">&lt;br&gt;
UA version: </span><span class="si">#{</span><span class="n">target_info</span><span class="p">[</span><span class="ss">:ua_ver</span><span class="p">]</span><span class="si">}</span><span class="sx">&lt;br&gt;
Java version: </span><span class="si">#{</span><span class="n">target_info</span><span class="p">[</span><span class="ss">:java</span><span class="p">]</span><span class="si">}</span><span class="sx">&lt;br&gt;
Office version: </span><span class="si">#{</span><span class="n">target_info</span><span class="p">[</span><span class="ss">:office</span><span class="p">]</span><span class="si">}</span><span class="sx">
|</span>
<span class="k">return</span> <span class="n">template</span><span class="p">,</span> <span class="nb">binding</span><span class="p">()</span>
<span class="k">end</span>
<span class="k">def</span> <span class="nf">on_request_exploit</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">target_info</span><span class="p">)</span>
<span class="n">send_exploit_html</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">exploit_template</span><span class="p">(</span><span class="n">target_info</span><span class="p">,</span> <span class="n">txt</span><span class="p">))</span>
<span class="k">end</span>
</code></pre></div></div><p>The BrowserExploitServer mixin also offers plenty of other things useful while crafting the exploit. For example: it can generate a target-specific payload when you call the “get_payload” method. It also gives you access to the RopDb mixin, which contains a collection of ROPs to bypass DEP (Data Execution Prevention). Make sure to check out the API documentation for more information.</p><p>To get thing started, heres a code example you can use start developing your browser exploit:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">##</span>
<span class="c1"># This module requires Metasploit: https://metasploit.com/download</span>
<span class="c1"># Current source: https://github.com/rapid7/metasploit-framework</span>
<span class="c1">##</span>
<span class="k">class</span> <span class="nc">MetasploitModule</span> <span class="o">&lt;</span> <span class="no">Msf</span><span class="o">::</span><span class="no">Exploit</span><span class="o">::</span><span class="no">Remote</span>
<span class="no">Rank</span> <span class="o">=</span> <span class="no">NormalRanking</span>
<span class="kp">include</span> <span class="no">Msf</span><span class="o">::</span><span class="no">Exploit</span><span class="o">::</span><span class="no">Remote</span><span class="o">::</span><span class="no">BrowserExploitServer</span>
<span class="k">def</span> <span class="nf">initialize</span><span class="p">(</span><span class="n">info</span> <span class="o">=</span> <span class="p">{})</span>
<span class="k">super</span><span class="p">(</span>
<span class="n">update_info</span><span class="p">(</span>
<span class="n">info</span><span class="p">,</span>
<span class="s1">'Name'</span> <span class="o">=&gt;</span> <span class="s1">'BrowserExploitServer Example'</span><span class="p">,</span>
<span class="s1">'Description'</span> <span class="o">=&gt;</span> <span class="sx">%q{
This is an example of building a browser exploit using the BrowserExploitServer mixin
}</span><span class="p">,</span>
<span class="s1">'License'</span> <span class="o">=&gt;</span> <span class="no">MSF_LICENSE</span><span class="p">,</span>
<span class="s1">'Author'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'sinn3r'</span> <span class="p">],</span>
<span class="s1">'References'</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="p">[</span> <span class="s1">'URL'</span><span class="p">,</span> <span class="s1">'http://metasploit.com'</span> <span class="p">]</span>
<span class="p">],</span>
<span class="s1">'Platform'</span> <span class="o">=&gt;</span> <span class="s1">'win'</span><span class="p">,</span>
<span class="s1">'BrowserRequirements'</span> <span class="o">=&gt;</span> <span class="p">{</span>
<span class="ss">source: </span><span class="sr">/script|headers/i</span>
<span class="p">},</span>
<span class="s1">'Targets'</span> <span class="o">=&gt;</span> <span class="p">[</span>
<span class="p">[</span> <span class="s1">'Automatic'</span><span class="p">,</span> <span class="p">{}</span> <span class="p">],</span>
<span class="p">[</span>
<span class="s1">'Windows XP with IE 8'</span><span class="p">,</span>
<span class="p">{</span>
<span class="s1">'os_name'</span> <span class="o">=&gt;</span> <span class="s1">'Windows XP'</span><span class="p">,</span>
<span class="s1">'ua_name'</span> <span class="o">=&gt;</span> <span class="s1">'MSIE'</span><span class="p">,</span>
<span class="s1">'ua_ver'</span> <span class="o">=&gt;</span> <span class="s1">'8.0'</span>
<span class="p">}</span>
<span class="p">],</span>
<span class="p">[</span>
<span class="s1">'Windows 7 with IE 9'</span><span class="p">,</span>
<span class="p">{</span>
<span class="s1">'os_name'</span> <span class="o">=&gt;</span> <span class="s1">'Windows 7'</span><span class="p">,</span>
<span class="s1">'ua_name'</span> <span class="o">=&gt;</span> <span class="s1">'MSIE'</span><span class="p">,</span>
<span class="s1">'ua_ver'</span> <span class="o">=&gt;</span> <span class="s1">'9.0'</span>
<span class="p">}</span>
<span class="p">]</span>
<span class="p">],</span>
<span class="s1">'Payload'</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="s1">'BadChars'</span> <span class="o">=&gt;</span> <span class="s2">"</span><span class="se">\x00</span><span class="s2">"</span> <span class="p">},</span>
<span class="s1">'DisclosureDate'</span> <span class="o">=&gt;</span> <span class="s1">'2013-04-01'</span><span class="p">,</span>
<span class="s1">'DefaultTarget'</span> <span class="o">=&gt;</span> <span class="mi">0</span>
<span class="p">)</span>
<span class="p">)</span>
<span class="k">end</span>
<span class="k">def</span> <span class="nf">exploit_template</span><span class="p">(</span><span class="n">target_info</span><span class="p">)</span>
<span class="n">template</span> <span class="o">=</span> <span class="sx">%(
Data source: &lt;%=target_info[:source]%&gt;&lt;br&gt;
OS name: &lt;%=target_info[:os_name]%&gt;&lt;br&gt;
UA name: &lt;%=target_info[:ua_name]%&gt;&lt;br&gt;
UA version: &lt;%=target_info[:ua_ver]%&gt;&lt;br&gt;
Java version: &lt;%=target_info[:java]%&gt;&lt;br&gt;
Office version: &lt;%=target_info[:office]%&gt;
)</span>
<span class="k">return</span> <span class="n">template</span><span class="p">,</span> <span class="nb">binding</span>
<span class="k">end</span>
<span class="k">def</span> <span class="nf">on_request_exploit</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">_request</span><span class="p">,</span> <span class="n">target_info</span><span class="p">)</span>
<span class="n">send_exploit_html</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">exploit_template</span><span class="p">(</span><span class="n">target_info</span><span class="p">))</span>
<span class="k">end</span>
<span class="k">end</span>
</code></pre></div></div><h3 id="javascript-obfuscation"> <a href="#javascript-obfuscation" class="anchor-heading" aria-labelledby="javascript-obfuscation"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> JavaScript Obfuscation</h3><p>BrowserExploitServer relies on the <a href="https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/jsobfu.rb">JSObfu mixin</a> to support JavaScript obfuscation. When youre writing JavaScript, you should always write it like this:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">js</span> <span class="o">=</span> <span class="n">js_obfuscate</span><span class="p">(</span><span class="n">your_code</span><span class="p">)</span>
</code></pre></div></div><p>The <code class="language-plaintext highlighter-rouge">#js_obfuscate</code> will return a <code class="language-plaintext highlighter-rouge">Rex::Exploitation::JSObfu</code> object. To get the obfuscated JavaScript, call the <code class="language-plaintext highlighter-rouge">#to_s</code> method:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">js</span><span class="p">.</span><span class="nf">to_s</span>
</code></pre></div></div><p>If you need to access an obfuscated symbol name, you can use then <code class="language-plaintext highlighter-rouge">#sym</code> method:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># Get the obfuscated version of function name test()</span>
<span class="n">var_name</span> <span class="o">=</span> <span class="n">js</span><span class="p">.</span><span class="nf">sym</span><span class="p">(</span><span class="s1">'test'</span><span class="p">)</span>
</code></pre></div></div><p>Note that by default, even though your module is calling the <code class="language-plaintext highlighter-rouge">#js_obfuscate</code> method, obfuscation will not kick in unless the user sets the JsObfuscate datastore option. This option is an OptInt, which allows you to set the number of times to obfuscate (default is 0).</p><p>If your BES-based exploit does not want obfuscation at all, always make sure you call the <code class="language-plaintext highlighter-rouge">#deregister_options</code> and remove the JsObfuscate option. Like this:</p><div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">deregister_options</span><span class="p">(</span><span class="s1">'JsObfuscate'</span><span class="p">)</span>
</code></pre></div></div><p>To learn more about Metasploits JavaScript obfuscation capabilities, please read <a href="/docs/development/developing-modules/libraries/obfuscation/how-to-obfuscate-javascript-in-metasploit.html">How to obfuscate JavaScript in Metasploit</a>.</p><h3 id="related-articles"> <a href="#related-articles" class="anchor-heading" aria-labelledby="related-articles"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Related Articles:</h3><ul><li><a href="/docs/development/developing-modules/guides/how-to-write-a-browser-exploit-using-httpserver.html">How to write a browser exploit using HttpServer</a><li><a href="/docs/using-metasploit/other/information-about-unmet-browser-exploit-requirements.html">Information About Unmet Browser Exploit Requirements</a></ul><hr><footer><p><a href="#top" id="back-to-top">Back to top</a></p><p class="text-small text-grey-dk-000 mb-0"> <a href="https://github.com/rapid7/metasploit-framework/tree/master/docs/metasploit-framework.wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer.md" id="edit-this-page">Edit this page on GitHub</a></p></footer></div></div><div class="search-overlay"></div></div><script type="text/javascript" src="/assets/js/toggle_mode.js"></script> <script> var config = { theme: 'default', logLevel: 'fatal', securityLevel: 'strict', startOnLoad: true, arrowMarkerAbsolute: false, er: { diagramPadding: 20, layoutDirection: 'TB', minEntityWidth: 100, minEntityHeight: 75, entityPadding: 15, stroke: 'gray', fill: 'honeydew', fontSize: 12, useMaxWidth: true, }, flowchart:{ diagramPadding: 8, htmlLabels: true, curve: 'basis', }, sequence: { diagramMarginX: 50, diagramMarginY: 10, actorMargin: 50, width: 150, height: 65, boxMargin: 10, boxTextMargin: 5, noteMargin: 10, messageMargin: 35, messageAlign: 'center', mirrorActors: true, bottomMarginAdj: 1, useMaxWidth: true, rightAngles: false, showSequenceNumbers: false, }, gantt: { titleTopMargin: 25, barHeight: 20, barGap: 4, topPadding: 50, leftPadding: 75, fontSize: 11, gridLineStartPadding: 35, fontFamily: '\'Open Sans\', sans-serif', numberSectionStyles: 4, axisFormat: '%Y-%m-%d', topAxis: false, }, }; mermaid.initialize(config); window.mermaid.init(undefined, document.querySelectorAll('.language-mermaid')); </script>
Reference in New Issue Copy Permalink