Add BrowserExploitServer mixin

data/js/detect/addons.js → data/js/detect/ie_addons.js

@@ -1,9 +1,47 @@
-window.addons_detect = { };
+window.ie_addons_detect = { };
+
+/**
+ * Returns true if this ActiveX is available, otherwise false.
+ * Grabbed this directly from browser_autopwn.rb
+ **/
+window.ie_addons_detect.hasActiveX = function (axo_name, method) {
+  var axobj = null;
+  if (axo_name.substring(0,1) == String.fromCharCode(123)) {
+    axobj = document.createElement("object");
+    axobj.setAttribute("classid", "clsid:" + axo_name);
+    axobj.setAttribute("id", axo_name);
+    axobj.setAttribute("style", "visibility: hidden");
+    axobj.setAttribute("width", "0px");
+    axobj.setAttribute("height", "0px");
+    document.body.appendChild(axobj);
+    if (typeof(axobj[method]) == 'undefined') {
+      var attributes = 'id="' + axo_name + '"';
+      attributes += ' classid="clsid:' + axo_name + '"';
+      attributes += ' style="visibility: hidden"';
+      attributes += ' width="0px" height="0px"';
+      document.body.innerHTML += "<object " + attributes + "></object>";
+      axobj = document.getElementById(axo_name);
+    }
+  } else {
+    try {
+      axobj = new ActiveXObject(axo_name);
+    } catch(e) {
+      // If we can't build it with an object tag and we can't build it
+      // with ActiveXObject, it can't be built.
+      return false;
+    };
+  }
+  if (typeof(axobj[method]) != 'undefined') {
+    return true;
+  }
+
+  return false;
+};
 
 /**
  * Returns the version of Microsoft Office. If not found, returns null.
  **/
-window.addons_detect.getMsOfficeVersion = function () {
+window.ie_addons_detect.getMsOfficeVersion = function () {
   var version;
   var types = new Array();
   for (var i=1; i <= 5; i++) {

data/js/detect/misc_addons.js

@@ -0,0 +1,64 @@
+window.misc_addons_detect = { };
+
+/**
+ * Returns the Java version
+ **/
+window.misc_addons_detect.getJavaVersion = function () {
+	var foundVersion = null;
+
+	//
+	// This finds the Java version from Java WebStart's ActiveX control
+	// This is specific to Windows
+	//
+	for (var i1=0; i1 < 10; i1++) {
+	for (var i2=0; i2 < 10; i2++) {
+	for (var i3=0; i3 < 10; i3++) {
+	for (var i4=0; i4 < 10; i4++) {
+		var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
+		var progId = "JavaWebStart.isInstalled." + version;
+		try {
+			new ActiveXObject(progId);
+			return version;
+		}
+		catch (e) {
+			continue;
+		}		
+	}}}}
+
+	//
+	// This finds the Java version from window.navigator.mimeTypes
+	// This seems to work pretty well for most browsers except for IE
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var m = /java.+;version=(.+)/.exec(mimes[i].type);
+			if (m) {
+				var version = parseFloat(m[1]);
+				if (version > foundVersion) {
+					foundVersion = version;
+				}
+			}
+		}
+	}
+
+	//
+	// This finds the Java version from navigator plugins
+	// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
+	// So we do this last.
+	//
+	if (foundVersion == null) {
+		var foundJavaString = "";
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Java/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}

data/js/detect/os.js

@@ -867,6 +867,12 @@ window.os_detect.getVersion = function(){
 				os_flavor = "7";
 				os_sp = "SP1";
 				break;
+			case "10016720":
+				// IE 10.0.9200.16721 / Windows 7 SP1
+				ua_version = "10.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
 			case "1000":
 				// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
 				ua_version = "10.0";

data/js/network/ajax_download.js

@@ -1,25 +1,16 @@
 function ajax_download(oArg) {
-  var method = oArg.method;
-  var path   = oArg.path;
-  var data   = oArg.data;
+  if (!oArg.method) { oArg.method = "GET"; }
+  if (!oArg.path)   { throw "Missing parameter 'path'"; }
+  if (!oArg.data)   { oArg.data = null; }
 
-  if (method == undefined) { method = "GET"; }
-  if (method == path)      { throw "Missing parameter 'path'"; }
-  if (data   == undefined) { data = null; }
-
-  if (window.XMLHttpRequest) {
-    xmlHttp = new XMLHttpRequest();
-  }
-  else {
-    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
-  }
+  var xmlHttp = new XMLHttpRequest();
 
   if (xmlHttp.overrideMimeType) {
     xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
   }
 
-  xmlHttp.open(method, path, false);
-  xmlHttp.send(data);
+  xmlHttp.open(oArg.method, oArg.path, false);
+  xmlHttp.send(oArg.data);
   if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
     return xmlHttp.responseText;
   }

data/js/network/ajax_post.js

@@ -0,0 +1,10 @@
+function postInfo(path, data) {
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open('POST', path, false);
+  xmlHttp.send(data);
+}

data/js/network/xhr_shim.js

@@ -0,0 +1,15 @@
+if (!window.XMLHTTPRequest) {
+  (function() {
+    var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
+    for (idx = 0; idx < activeObjs.length; idx++) {
+      try {
+        new ActiveXObject(activeObjs[idx]);
+        window.XMLHttpRequest = function() {
+          return new ActiveXObject(activeObjs[idx]);
+        };
+        break;
+      }
+      catch (e) {}
+    }
+  })();
+}

lib/msf/core/exploit/http/server.rb

@@ -678,14 +678,6 @@ def initialize(info = {})
         OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object (IE not supported)', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]),
         OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)',  0]),
       ], Exploit::Remote::HttpServer::HTML)
-
-    # Cache Javascript
-    @cache_base64         = nil
-    @cache_ajax_download  = nil
-    @cache_mstime_malloc  = nil
-    @cache_property_spray = nil
-    @cache_heap_spray     = nil
-    @cache_os_detect      = nil
   end
 
   #
@@ -744,6 +736,14 @@ def js_ajax_download
   end
 
 
+  #
+  # Transfers data using a POST request
+  #
+  def js_ajax_post
+    @cache_ajax_post ||= Rex::Exploitation::Js::Network.ajax_post
+  end
+
+
   #
   # This function takes advantage of MSTIME's CTIMEAnimationBase::put_values function that's
   # suitable for a no-spray technique.  There should be an allocation that contains an array of
@@ -813,6 +813,14 @@ def js_os_detect
     @cache_os_detect ||= ::Rex::Exploitation::Js::Detect.os
   end
 
+  def js_ie_addons_detect
+    @cache_ie_addons_detect ||= ::Rex::Exploitation::Js::Detect.ie_addons
+  end
+
+  def js_misc_addons_detect
+    @cache_misc_addons_detect ||= ::Rex::Exploitation::Js::Detect.misc_addons
+  end
+
   # Transmits a html response to the supplied client
   #
   # HTML evasions are implemented here.

lib/msf/core/exploit/mixins.rb

@@ -97,3 +97,5 @@
 
 # WebApp
 require 'msf/core/exploit/web'
+
+require 'msf/core/exploit/remote/browser_exploit_server'