metasploit-framework

https://github.com/rapid7/metasploit-framework

Ruby

Metasploit Framework

Msf::Exploit::Remote::HttpServer::HTML#js_property_spray

This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)
function to trigger allocations by ntdll!RtlAllocateHeap.  It is based on Corelan's
publication on "DEPS – Precise Heap Spray on Firefox and IE10".  In IE, the shellcode
should land at address 0x0c0d2020, as this is the most consistent location across
various versions.

The "sprayHeap" JavaScript function supports the following arguments:
  shellcode     => The shellcode to spray in JavaScript.  Note: Avoid null bytes.
  objId         => Optional. The ID for a <div> HTML tag.
  offset        => Optional. Number of bytes to align the shellcode, default: 0x00
  heapBlockSize => Optional. Allocation size, default: 0x80000
  maxAllocs     => Optional. Number of allocation calls, default: 0x350

Example of using the 'sprayHeap' function:
  <script>
  #{js_property_spray}

  var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444");
  sprayHeap({shellcode:s, heapBlockSize:0x80000});
  </script>

Source | Google | Stack overflow

Edit

git clone [email protected]:rapid7/metasploit-framework.git

cd metasploit-framework

open lib/msf/core/exploit/http/server/html.rb

Contribute

# Make a new branch

git checkout -b -your-name--update-docs-Msf--Exploit--Remote--HttpServer--HTML-js_property_spray-for-pr


# Commit to git

git add lib/msf/core/exploit/http/server/html.rbgit commit -m "better docs for Msf::Exploit::Remote::HttpServer::HTML#js_property_spray"


# Open pull request

gem install hub # on a mac you can `brew install hub`

hub fork

git push <your name> -your-name--update-docs-Msf--Exploit--Remote--HttpServer--HTML-js_property_spray-for-pr

hub pull-request


# Celebrate!