Example of doing Flash detection with Flash

wchen-r7 · wchen-r7 · commit 21e44f235e80 · 2015-07-08T13:18:57.000-05:00
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -90,6 +90,8 @@ def initialize(info={})
       @info_receiver_page     = rand_text_alpha(5)
       @exploit_receiver_page  = rand_text_alpha(6)
       @noscript_receiver_page = rand_text_alpha(7)
+      @flash_receiver_page    = rand_text_alpha(8)
+      @flash_swf              = rand_text_alpha(9)
 
       register_options(
       [
@@ -331,6 +333,11 @@ def process_browser_info(source, cli, request)
 
       # Gathering target info from the detection stage
       case source
+      when :flash
+        # Flash version detection
+        parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
+        version_info = 'FLASH VERSION HERE'
+        update_profile(target_info, :flash, version_info)
       when :script
         # Gathers target data from a POST request
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
@@ -411,6 +418,15 @@ def get_detection_html(user_agent)
           "vuln_test"   : <%= js_vuln_test %>
         };
 
+        if (d["flash"])  {
+          // Load SWF for accurate Flash detection
+          // This SWF needs to send the Flash version info as a POST request to BES sort of like this:
+          // <%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/
+          var flashObject = document.createElement("object");
+          flashObject.setAttribute("data", "Flash location from the @flash_swf instance variable");
+          document.body.appendChild(flashObject); // Do you actually need to do this?
+        }
+
         <% if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
           d['office'] = ie_addons_detect.getMsOfficeVersion();
           d['mshtml_build'] = ScriptEngineBuildVersion().toString();
@@ -468,6 +484,11 @@ def cookie_header(tag)
       cookie
     end
 
+    def load_swf_detection
+      # Your SWF loads here
+      ''
+    end
+
 
     # Handles exploit stages.
     #
@@ -492,6 +513,15 @@ def on_request_uri(cli, request)
         html = get_detection_html(ua)
         send_response(cli, html, {'Set-Cookie' => cookie_header(tag)})
 
+      when /#{@flash_swf}/
+        swf = load_swf_detection
+        send_response(cli, swf)
+
+      when /#{@flash_receiver_page}/
+        vprint_status("Received information from Flash")
+        process_browser_info(:flash, cli, request)
+        send_not_found(cli)
+
       when /#{@info_receiver_page}/
         #
         # The detection code will hit this if Javascript is enabled
