Land #3146, @wchen-r7's flash version detection code

2014-04-02 15:13:41 -05:00 · 2014-04-02 15:13:41 -05:00 · 577bd7c855
parent e9c7866b51 a173fcf2fa
commit 577bd7c855
3 changed files with 72 additions and 19 deletions
--- a/data/js/detect/misc_addons.js
+++ b/data/js/detect/misc_addons.js
@ -46,6 +46,53 @@ window.misc_addons_detect.hasSilverlight = function () {
 	return found;
 }

+/**
+ * Returns the Adobe Flash version
+**/
+window.misc_addons_detect.getFlashVersion = function () {
+	var foundVersion = null;
+
+	//
+	// Gets the Flash version by using the GetVariable function via ActiveX
+	//
+	try {
+		var ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version').toString();
+		foundVersion = ax.match(/[\d,]+/g)[0].replace(/,/g, '.')
+	} catch (e) {}
+
+	//
+	// This should work fine for most non-IE browsers
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var pluginDesc = mimes[i].enabledPlugin.description.toString();
+			var m = pluginDesc.match(/Shockwave Flash [\d\.]+/g);
+			if (m != null) {
+				foundVersion = m[0].match(/\d.+/g)[0];
+				break;
+			}
+		}
+	}
+
+	//
+	// Detection for Windows + Firefox
+	//
+	if (foundVersion == null) {
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Shockwave Flash/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}
+
 /**
 * Returns the Java version
 **/
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@ -55,7 +55,8 @@ module Msf
      :java         => 'java',         # Example: 1.6, 1.6.0.0
      :clsid        => 'clsid',        # ActiveX clsid. Also requires the :method key
      :method       => 'method',       # ActiveX method. Also requires the :clsid key
-      :mshtml_build => 'mshtml_build'  # mshtml build. Example: "65535"
+      :mshtml_build => 'mshtml_build', # mshtml build. Example: "65535"
+      :flash        => 'flash'         # Example: "12.0" (chrome/ff) or "12.0.0.77" (IE)
    }

    def initialize(info={})
@ -225,6 +226,9 @@ module Msf
    # 'office'       : The version of Microsoft Office (IE only)
    # 'activex'      : Whether a specific method is available from an ActiveX control (IE only)
    # 'java'         : The Java version
+    # 'mshtml_build' : The MSHTML build version
+    # 'flash'        : The Flash version
+    # 'silverlight'  : The Silverlight version
    #
    # @param tag [String] Either a cookie or IP + User-Agent
    # @return [Hash] The profile found. If not found, returns nil
@ -375,7 +379,8 @@ module Msf
          "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"      : osInfo.ua_version,
          "<%=REQUIREMENT_KEY_SET[:arch]%>"        : osInfo.arch,
          "<%=REQUIREMENT_KEY_SET[:java]%>"        : window.misc_addons_detect.getJavaVersion(),
-          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight()
+          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight(),
+          "<%=REQUIREMENT_KEY_SET[:flash]%>"       : window.misc_addons_detect.getFlashVersion()
        };

        <% if  os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
--- a/modules/exploits/multi/browser/firefox_svg_plugin.rb
+++ b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@ -75,7 +75,8 @@ class Metasploit3 < Msf::Exploit::Remote
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
-        :ua_ver  => /17\..*/
+        :ua_ver  => /17\..*/,
+        :flash   => /[\d.]+/
      }
    ))