Name | safari_file_stealing2 |
CVE | CVE-2009-1699 |
Exploit Pack | CANVAS |
Description | Safari < 3.2 XSL File Stealing |
Notes | CVE Name: CVE-2009-1699. VENDOR: Apple. Reference: http://scary.beasts.org/security/CESA-2009-006.html. Arguments: After you have placed your single file in the correct filelist.txt file, run this module from httpserver with the following arguments: os: os:mac, os:windows; driveletter: driveletter:c, driveletter:d. NOTES: For now this is a quick demonstration of the issue, as it will only steal 1 file from the target, but soon it will fully support multiple files. Put the file you would like to steal in the Resources/safari_file_stealing/filelist.txt file and use the arguments listed when you run from the httpserver module. Remember to exclude the drive letter and beginning forward slashes when declaring your file in the filelist.txt file! Typical examples: Documents and Settings/Administrator/doc.txt, etc/passwd, boot.ini. When the file is sent to CANVAS it will be called stolen_fileX.txt (where X is a random number) and will be located in Reports/. Keep in mind that you will get back not only the contents of the text file but also the contents of document.body.innerHTML, so don't be alarmed when you see lots of JavaScript at the end of the file. Also, binary files are not yet supported ... Repeatability: Infinite (client side - no crash). CVE url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1699 |