metasploit-framework
https://github.com/rapid7/metasploit-framework
Ruby
Metasploit Framework
Msf::Exploit::Remote::HttpServer::HTML#js_mstime_malloc
This function takes advantage of MSTIME's CTIMEAnimationBase::put_values function that's
suitable for a no-spray technique. There should be an allocation that contains an array of
pointers to strings that we control, and each string should reside in its own buffer.
Please note newer IEs (such as IE9), no longer support SMIL, therefore this only works on
Internet Explorer 8 or prior. Note that "mstime_malloc" also requires a rather specific
writing style, so make sure you have the following before using:
* You must have the following at the beginning of your HTML file:
<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
* You must have the following in <meta>:
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
The "mstime_malloc" JavaScript function supports the following arguments:
shellcode => The shellcode to place.
offset => Optional. The pointer index that points to the shellcode.
heapBlockSize => Object size.
objId => The ID to your ANIMATECOLOR element.
Example of using "js_mstime_malloc":
<script>
#{js_mstime_malloc}
shellcode = unescape("%u4141%u4141%u4141%u4141%u4141");
offset = 3;
s = 0x58;
mstime_malloc({shellcode:shellcode,offset:offset,heapBlockSize:s,objId:oId});
</script>Edit
git clone [email protected]:rapid7/metasploit-framework.git
cd metasploit-framework
open lib/msf/core/exploit/http/server/html.rb
Contribute
# Make a new branchgit checkout -b -your-name--update-docs-Msf--Exploit--Remote--HttpServer--HTML-js_mstime_malloc-for-pr
# Commit to gitgit add lib/msf/core/exploit/http/server/html.rbgit commit -m "better docs for Msf::Exploit::Remote::HttpServer::HTML#js_mstime_malloc"
# Open pull requestgem install hub # on a mac you can `brew install hub`
hub fork
git push <your name> -your-name--update-docs-Msf--Exploit--Remote--HttpServer--HTML-js_mstime_malloc-for-pr
hub pull-request
# Celebrate!