Updated How to write a browser exploit using BrowserExploitServer (markdown)

2014-12-03 13:32:43 -08:00
parent 76b02a1c01
commit f5682e85bc
1 changed files with 31 additions and 36 deletions
@@ -1,5 +1,3 @@
-**Nov 30th 2014 - This documentation is outdated. The use of os_flavor should be corrected.
-
 The Metasploit Framework provides different mixins you can use to develop a browser exploit, mainly they are:

 * **[Msf::Exploit::Remote::HttpServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-HttpServer)** - The most basic form of a HTTP server.
@@ -17,7 +15,7 @@ Hint: In the module, you can check the :source key in the profile to determine w

 ### Setting Exploitable Requirements

-Being able to set browser requirements is an important feature of the mixin. It allows your attack to be smarter, more targeted, and prevents accidents. Here's a scenario: Say you have a vulnerability against Internet Explorer that only affects a specific range of MSHTML builds, you can set the :os_name, :os_flavor, :ua_name, :ua_ver, and :mshtml_build to make sure it doesn't blindly exploit against anything else. The :mshtml_build requirement can be found in "Product version" under MSHTML's file properties.
+Being able to set browser requirements is an important feature of the mixin. It allows your attack to be smarter, more targeted, and prevents accidents. Here's a scenario: Say you have a vulnerability against Internet Explorer that only affects a specific range of MSHTML builds, you can set the :os_name, :ua_name, :ua_ver, and :mshtml_build to make sure it doesn't blindly exploit against anything else. The :mshtml_build requirement can be found in "Product version" under MSHTML's file properties.

 Exploitable browser requirements are defined under "BrowserRequirements" in the module's metadata. Here's an example of defining a vulnerable target running some ActiveX control:

@@ -36,8 +34,8 @@ You can also define target-specific requirements. This is also how the mixin is
 ```ruby
 'BrowserRequirements' =>
  {
-    :source => /script|headers/i,
-    :os_name => /win/i
+    :source   => /script|headers/i,
+    'ua_name' => HttpClients::IE,
  },
 'Targets'             =>
  [
@@ -45,8 +43,7 @@ You can also define target-specific requirements. This is also how the mixin is
    [
      'Windows XP with IE 8',
      {
-        'os_flavor' => WindowsVersions::XP,
-        'ua_name'   => HttpClients::IE,
+        :os_name    => 'Windows XP',
        'ua_ver'    => '8.0',
        'Rop'       => true,
        'Offset'    => 0x100
@@ -55,8 +52,7 @@ You can also define target-specific requirements. This is also how the mixin is
    [
      'Windows 7 with IE 9',
      {
-        'os_flavor' => WindowsVersions::SEVEN,
-        'ua_name'   => HttpClients::IE,
+        'os_name'   => 'Windows 7',
        'ua_ver'    => '9.0',
        'Rop'       => true,
        'Offset'    => 0x200
@@ -67,29 +63,31 @@ You can also define target-specific requirements. This is also how the mixin is

 You can use these for **:os_name**:

-| Constant | Value |
+| Constant | Purpose |
 | -------- | ----- |
-| OperatingSystems::LINUX | "Linux" |
-| OperatingSystems::MAC_OSX | "Mac OS X" |
-| OperatingSystems::WINDOWS | "Microsoft Windows" |
-| OperatingSystems::FREEBSD | "FreeBSD" |
-| OperatingSystems::NETBSD | "NetBSD" |
-| OperatingSystems::OPENBSD | "OpenBSD" |
-| OperatingSystems::VMWARE |  "VMware" |
-
-
-You can use these for **:os_flavor**:
-
-| Constant | Value |
-| -------- | ----- |
-| WindowsVersions::NT | "NT" |
-| WindowsVersions::XP | "XP" |
-| WindowsVersions::TWOK | "2000" |
-| WindowsVersions::TWOK3 | "2003" |
-| WindowsVersions::VISTA | "Vista" |
-| WindowsVersions::TWOK8 | "2008" |
-| WindowsVersions::SEVEN | "7" |
-| WindowsVersions::EIGHT | "8" |
+| OperatingSystems::Match::WINDOWS | Match all versions of Windows |
+| OperatingSystems::Match::WINDOWS_95 | Match Windows 95 |
+| OperatingSystems::Match::WINDOWS_98 | Match Windows 98 |
+| OperatingSystems::Match::WINDOWS_ME | Match Windows ME |
+| OperatingSystems::Match::WINDOWS_NT3 | Match Windows NT 3 |
+| OperatingSystems::Match::WINDOWS_NT4 | Match Windows NT 4 |
+| OperatingSystems::Match::WINDOWS_2000 | Match Windows 2000 |
+| OperatingSystems::Match::WINDOWS_XP | Match Windows XP |
+| OperatingSystems::Match::WINDOWS_2003 | Match Windows Server 2003 |
+| OperatingSystems::Match::WINDOWS_VISTA | Match Windows Vista |
+| OperatingSystems::Match::WINDOWS_2008 | Match Windows Server 2008 |
+| OperatingSystems::Match::WINDOWS_7 | Match Windows 7 |
+| OperatingSystems::Match::WINDOWS_2012 | Match Windows 2012 |
+| OperatingSystems::Match::WINDOWS_8 | Match Windows 8 |
+| OperatingSystems::Match::WINDOWS_81 | Match Windows 8.1 |
+| OperatingSystems::Match::LINUX | Match a Linux distro |
+| OperatingSystems::Match::MAC_OSX | Match Mac OSX |
+| OperatingSystems::Match::FREEBSD | Match FreeBSD |
+| OperatingSystems::Match::NETBSD | Match NetBSD |
+| OperatingSystems::Match::OPENBSD | Match OpenBSD |
+| OperatingSystems::Match::VMWARE | Match VMWare |
+| OperatingSystems::Match::ANDROID | Match Android |
+| OperatingSystems::Match::APPLE_IOS | Match Apple IOS |

 You can use these for **:ua_name**:

@@ -170,7 +168,6 @@ def exploit_template1(target_info, txt)
 	<p></p>
 	Data gathered from source: #{target_info[:source]}<br>
 	OS name: #{target_info[:os_name]}<br>
-	Flavor: #{target_info[:os_flavor]}<br>
 	UA name: #{target_info[:ua_name]}<br>
 	UA version: #{target_info[:ua_ver]}<br>
 	Java version: #{target_info[:java]}<br>
@@ -218,7 +215,6 @@ class Metasploit3 < Msf::Exploit::Remote
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
-          :os_name => /win/i
        },
      'Targets'        =>
        [
@@ -226,7 +222,7 @@ class Metasploit3 < Msf::Exploit::Remote
          [
            'Windows XP with IE 8',
            {
-              'os_flavor' => 'XP',
+              'os_name'   => 'Windows XP',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '8.0'
            }
@@ -234,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
          [
            'Windows 7 with IE 9',
            {
-              'os_flavor' => '7',
+              'os_name'   => 'Windows 7',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '9.0'
            }
@@ -249,7 +245,6 @@ class Metasploit3 < Msf::Exploit::Remote
    template = %Q|
    Data source: <%=target_info[:source]%><br>
    OS name: <%=target_info[:os_name]%><br>
-    Flavor: <%=target_info[:os_flavor]%><br>
    UA name: <%=target_info[:ua_name]%><br>
    UA version: <%=target_info[:ua_ver]%><br>
    Java version: <%=target_info[:java]%><br>