Add prototype with AS3

jvazquez-r7 · jvazquez-r7 · commit 9116460cb06c · 2015-07-13T16:33:55.000-05:00
diff --git a/data/flash_detector/detector.swf b/data/flash_detector/detector.swf
diff --git a/external/source/flash_detector/Detector.as b/external/source/flash_detector/Detector.as
@@ -0,0 +1,36 @@
+/* 
+Code to do flash version detection from ActionScript
+
+* How to build:
+    1. Use Flex SDK 4.6 / AIRSDK 18 
+    2. Build with: mxmlc -o msf.swf Exploit.as
+*/
+
+package
+{
+    import flash.display.Sprite
+    import flash.external.ExternalInterface
+    import flash.system.Capabilities
+
+    public class Detector extends Sprite
+	{
+                
+        public function Detector()
+        {
+            var version:String = getVersion()
+            ExternalInterface.call("setFlashVersion", version)
+        }
+        
+        private function getVersion():String
+        {
+            try {
+                var version:String = flash.system.Capabilities.version
+                version = version.split(/ /)[1]
+                version = version.replace(/,/g, ".")
+                return version
+            } catch (err:Error) {
+                return ""
+            }
+        }
+    }
+}
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -90,8 +90,7 @@ def initialize(info={})
       @info_receiver_page     = rand_text_alpha(5)
       @exploit_receiver_page  = rand_text_alpha(6)
       @noscript_receiver_page = rand_text_alpha(7)
-      @flash_receiver_page    = rand_text_alpha(8)
-      @flash_swf              = rand_text_alpha(9)
+      @flash_swf              = "#{rand_text_alpha(9)}.swf"
 
       register_options(
       [
@@ -333,11 +332,6 @@ def process_browser_info(source, cli, request)
 
       # Gathering target info from the detection stage
       case source
-      when :flash
-        # Flash version detection
-        parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
-        version_info = 'FLASH VERSION HERE'
-        update_profile(target_info, :flash, version_info)
       when :script
         # Gathers target data from a POST request
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
@@ -394,6 +388,9 @@ def get_detection_html(user_agent)
       <%= js_misc_addons_detect %>
       <%= js_ie_addons_detect if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
 
+      var flash_version = "";
+      var do_flash_loop = true;
+
       function objToQuery(obj) {
         var q = [];
         for (var key in obj) {
@@ -402,6 +399,52 @@ def get_detection_html(user_agent)
         return Base64.encode(q.join('&'));
       }
 
+      function isEmpty(str) {
+        return (!str \|\| 0 === str.length);
+      }
+
+      function sendInfo(info) {
+        var query = objToQuery(info);
+        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query, function(){
+          window.location="<%= get_module_resource %>";
+        });
+      }
+
+      function setFlashVersion(ver) {
+        console.log('called! :) ' + ver)
+        flash_version = ver
+        do_flash_loop = false
+        console.log('flash version after set_version: ' + flash_version)
+        return;
+      }
+
+      function createFlashObject(src, attributes, parameters) {
+        var i, html, div, obj, attr = attributes \|\| {}, param = parameters \|\| {};
+        attr.type = 'application/x-shockwave-flash';
+        if (window.ActiveXObject) {
+          attr.classid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
+          param.movie = src;
+        } else {
+          attr.data = src;
+        }
+
+        html = '<object';
+        for (i in attr) {
+          html += ' ' + i + '="' + attr[i] + '"';
+        }
+        html += '>';
+        for (i in param) {
+          html += '<param name="' + i + '" value="' + param[i] + '" />';
+        }
+        html += '</object>';
+        div = document.createElement('div');
+        div.innerHTML = html;
+        obj = div.firstChild;
+        div.removeChild(obj);
+        console.log(obj)
+        alert('check obj')
+        return obj;
+      }
 
       window.onload = function() {
         var osInfo = os_detect.getVersion();
@@ -418,15 +461,6 @@ def get_detection_html(user_agent)
           "vuln_test"   : <%= js_vuln_test %>
         };
 
-        if (d["flash"])  {
-          // Load SWF for accurate Flash detection
-          // This SWF needs to send the Flash version info as a POST request to BES sort of like this:
-          // <%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/
-          var flashObject = document.createElement("object");
-          flashObject.setAttribute("data", "Flash location from the @flash_swf instance variable");
-          document.body.appendChild(flashObject); // Do you actually need to do this?
-        }
-
         <% if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
           d['office'] = ie_addons_detect.getMsOfficeVersion();
           d['mshtml_build'] = ScriptEngineBuildVersion().toString();
@@ -448,10 +482,30 @@ def get_detection_html(user_agent)
           <% end %>
         <% end %>
 
-        var query = objToQuery(d);
-        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query, function(){
-          window.location="<%= get_module_resource %>";
-        });
+        if (d["flash"] != null && (d["flash"].match(/[\\d]+.[\\d]+.[\\d]+.[\\d]+/)) == null) {
+          alert('flash detection!')
+          // Load SWF for accurate Flash detection
+          // This SWF needs to send the Flash version info as a POST request to BES sort of like this:
+          var flashObject = createFlashObject('<%=get_resource.chomp("/")%>/<%=@flash_swf%>', {width: 1, height: 1}, {allowScriptAccess: 'always', Play: 'True'});
+
+          (function loop(){
+            console.log('loop: ' + flash_version)
+            setTimeout(function(){
+              if (do_flash_loop) {
+                loop()
+              }
+              console.log('finally: ' + flash_version)
+              if (!isEmpty(flash_version)) {
+                d["flash"] = flash_version
+              }
+              sendInfo(d)
+            }, 1000);
+          })();
+
+          document.body.appendChild(flashObject)
+        } else {
+          sendInfo(d)
+        }
       }
       |).result(binding())
 
@@ -485,8 +539,10 @@ def cookie_header(tag)
     end
 
     def load_swf_detection
-      # Your SWF loads here
-      ''
+      path = ::File.join(Msf::Config.data_directory, 'flash_detector', 'detector.swf')
+      swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+      swf
     end
 
 
@@ -514,14 +570,10 @@ def on_request_uri(cli, request)
         send_response(cli, html, {'Set-Cookie' => cookie_header(tag)})
 
       when /#{@flash_swf}/
+        vprint_status("Sending SWF used for Flash detection")
         swf = load_swf_detection
-        send_response(cli, swf)
-
-      when /#{@flash_receiver_page}/
-        vprint_status("Received information from Flash")
-        process_browser_info(:flash, cli, request)
-        send_not_found(cli)
-
+        send_response(cli, swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+        
       when /#{@info_receiver_page}/
         #
         # The detection code will hit this if Javascript is enabled
