Merge branch 'bapv2_flash_test' into bapv2

Author: wchen-r7

data/flash_detector/flashdetector.swf

@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="utf-8"/>
+	<title>flash_detector</title>
+	<meta name="description" content="" />
+	
+	<script src="js/swfobject.js"></script>
+	<script>
+		var flashvars = {
+		};
+		var params = {
+			menu: "false",
+			scale: "noScale",
+			allowFullscreen: "true",
+			allowScriptAccess: "always",
+			bgcolor: ""
+		};
+		var attributes = {
+			id:"flashdetector"
+		};
+		swfobject.embedSWF(
+			"flashdetector.swf", 
+			"altContent", "100%", "100%", "8.0.0", 
+			"expressInstall.swf", 
+			flashvars, params, attributes);
+	</script>
+	<style>
+		html, body { height:100%; overflow:hidden; }
+		body { margin:0; }
+	</style>
+</head>
+<body>
+	<div id="altContent">
+		<h1>flash_detector</h1>
+		<p><a href="http://www.adobe.com/go/getflashplayer">Get Adobe Flash player</a></p>
+	</div>
+</body>
+</html>

external/source/flash_detector/bin/expressInstall.swf

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <!-- Output SWF options -->
+  <output>
+    <movie disabled="False" />
+    <movie input="" />
+    <movie path="bin\flashdetector.swf" />
+    <movie fps="30" />
+    <movie width="800" />
+    <movie height="600" />
+    <movie version="8" />
+    <movie background="#FFFFFF" />
+  </output>
+  <!-- Other classes to be compiled into your SWF -->
+  <classpaths>
+    <class path="src" />
+  </classpaths>
+  <!-- Build options -->
+  <build>
+    <option verbose="False" />
+    <option strict="False" />
+    <option infer="False" />
+    <option useMain="True" />
+    <option useMX="False" />
+    <option warnUnusedImports="False" />
+    <option traceMode="FlashConnectExtended" />
+    <option traceFunction="" />
+    <option libraryPrefix="" />
+    <option excludeFile="" />
+    <option groupClasses="False" />
+    <option frame="1" />
+    <option keep="True" />
+  </build>
+  <!-- Class files to compile (other referenced classes will automatically be included) -->
+  <compileTargets>
+    <compile path="src\Main.as" />
+  </compileTargets>
+  <!-- Assets to embed into the output SWF -->
+  <library>
+    <!-- example: <asset path="..." id="..." update="..." glyphs="..." mode="..." place="..." sharepoint="..." /> -->
+  </library>
+  <!-- Paths to exclude from the Project Explorer tree -->
+  <hiddenPaths>
+    <!-- example: <hidden path="..." /> -->
+  </hiddenPaths>
+  <!-- Executed before build -->
+  <preBuildCommand />
+  <!-- Executed after build -->
+  <postBuildCommand alwaysRun="False" />
+  <!-- Other project options -->
+  <options>
+    <option showHiddenPaths="False" />
+    <option testMovie="Default" />
+  </options>
+</project>

external/source/flash_detector/bin/index.html

@@ -0,0 +1,31 @@
+import flash.external.ExternalInterface
+import System.capabilities
+
+class Main 
+{
+	
+	public static function main(swfRoot:MovieClip):Void 
+	{
+		// entry point
+		var app:Main = new Main();
+	}
+	
+	public function Main() 
+	{
+		var version:String = getVersion()
+		ExternalInterface.call("setFlashVersion", version)
+	}
+
+	private function getVersion():String
+	{
+		try {
+			var version:String = capabilities.version
+			version = version.split(" ")[1]
+			version = version.split(",").join(".")
+			return version
+		} catch (err:Error) {
+			return ""
+		}
+	}
+	
+}

external/source/flash_detector/bin/js/swfobject.js

@@ -90,6 +90,7 @@ def initialize(info={})
       @info_receiver_page     = Rex::Text.rand_text_alpha(5)
       @exploit_receiver_page  = Rex::Text.rand_text_alpha(6)
       @noscript_receiver_page = Rex::Text.rand_text_alpha(7)
+      @flash_swf              = "#{Rex::Text.rand_text_alpha(9)}.swf"
 
       register_options(
       [
@@ -372,6 +373,57 @@ def get_detection_html(user_agent)
         return Base64.encode(q.join('&'));
       }
 
+      function isEmpty(str) {
+        return (!str \|\| 0 === str.length);
+      }
+
+      function sendInfo(info) {
+        var query = objToQuery(info);
+        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query, function(){
+          window.location="<%= get_module_resource %>";
+        });
+      }
+
+      var flashVersion = "";
+      var doInterval = true;
+      var maxTimeout = null;
+      var intervalTimeout = null;
+
+      function setFlashVersion(ver) {
+        flashVersion = ver
+        if (maxTimeout != null) {
+          clearTimeout(maxTimeout);
+          maxTimeout = null
+        }
+        doInterval = false
+        return;
+      }
+
+      function createFlashObject(src, attributes, parameters) {
+        var i, html, div, obj, attr = attributes \|\| {}, param = parameters \|\| {};
+        attr.type = 'application/x-shockwave-flash';
+        if (window.ActiveXObject) {
+          attr.classid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
+          param.movie = src;
+        } else {
+          attr.data = src;
+        }
+
+        html = '<object';
+        for (i in attr) {
+          html += ' ' + i + '="' + attr[i] + '"';
+        }
+        html += '>';
+        for (i in param) {
+          html += '<param name="' + i + '" value="' + param[i] + '" />';
+        }
+        html += '</object>';
+        div = document.createElement('div');
+        div.innerHTML = html;
+        obj = div.firstChild;
+        div.removeChild(obj);
+        return obj;
+      }
 
       window.onload = function() {
         var osInfo = os_detect.getVersion();
@@ -409,10 +461,36 @@ def get_detection_html(user_agent)
           <% end %>
         <% end %>
 
-        var query = objToQuery(d);
-        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query, function(){
-          window.location="<%= get_module_resource %>";
-        });
+        if (d["flash"] != null && (d["flash"].match(/[\\d]+.[\\d]+.[\\d]+.[\\d]+/)) == null) {
+          var flashObject = createFlashObject('<%=get_resource.chomp("/")%>/<%=@flash_swf%>', {width: 1, height: 1}, {allowScriptAccess: 'always', Play: 'True'});
+
+          // After 5s stop waiting and use the version retrieved with JS if there isn't anything
+          maxTimeout = setTimeout(function() {
+            if (intervalTimeout != null) {
+              doInterval = false
+              clearInterval(intervalTimeout)
+            }
+            if (!isEmpty(flashVersion)) {
+              d["flash"] = flashVersion
+            }
+            sendInfo(d);
+          }, 5000);
+
+          // Check if there is a new flash version every 100ms
+          intervalTimeout = setInterval(function() {
+            if (!doInterval) {
+              clearInterval(intervalTimeout);
+              if (!isEmpty(flashVersion)) {
+                d["flash"] = flashVersion
+              }
+              sendInfo(d);
+            }
+          }, 100);
+
+          document.body.appendChild(flashObject)
+        } else {
+          sendInfo(d)
+        }
       }
       |).result(binding())
 
@@ -446,6 +524,13 @@ def cookie_header(tag)
       cookie
     end
 
+    def load_swf_detection
+      path = ::File.join(Msf::Config.data_directory, 'flash_detector', 'flashdetector.swf')
+      swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+      swf
+    end
+
 
     # Handles exploit stages.
     #
@@ -469,6 +554,11 @@ def on_request_uri(cli, request)
         html = get_detection_html(ua)
         send_response(cli, html, {'Set-Cookie' => cookie_header(tag)})
 
+      when /#{@flash_swf}/
+        vprint_status("Sending SWF used for Flash detection")
+        swf = load_swf_detection
+        send_response(cli, swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+
       when /#{@info_receiver_page}/
         #
         # The detection code will hit this if Javascript is enabled

external/source/flash_detector/flash_detector.as2proj

@@ -78,7 +78,7 @@ def initialize(info={})
 
     register_advanced_options([
         OptInt.new('ExploitReloadTimeout', [false, 'Number of milliseconds before trying the next exploit', 3000]),
-        OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 20]),
+        OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 21]),
         OptString.new('HTMLContent', [false, 'HTML Content', '']),
         OptAddressRange.new('AllowedAddresses', [false, "A range of IPs you're interested in attacking"]),
         OptInt.new('MaxSessionCount', [false, 'Number of sessions to get', -1]),