metasploit-framework
https://github.com/rapid7/metasploit-framework
Ruby
Metasploit Framework
Msf::Exploit::Remote::HttpServer::HTML#js_property_spray
This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)
function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's
publication on "DEPS – Precise Heap Spray on Firefox and IE10". In IE, the shellcode
should land at address 0x0c0d2020, as this is the most consistent location across
various versions.
The "sprayHeap" JavaScript function supports the following arguments:
shellcode => The shellcode to spray in JavaScript. Note: Avoid null bytes.
objId => Optional. The ID for a <div> HTML tag.
offset => Optional. Number of bytes to align the shellcode, default: 0x00
heapBlockSize => Optional. Allocation size, default: 0x80000
maxAllocs => Optional. Number of allocation calls, default: 0x350
Example of using the 'sprayHeap' function:
<script>
#{js_property_spray}
var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444");
sprayHeap({shellcode:s, heapBlockSize:0x80000});
</script>Edit
git clone [email protected]:rapid7/metasploit-framework.git
cd metasploit-framework
open lib/msf/core/exploit/http/server/html.rb
Contribute
# Make a new branchgit checkout -b -your-name--update-docs-Msf--Exploit--Remote--HttpServer--HTML-js_property_spray-for-pr
# Commit to gitgit add lib/msf/core/exploit/http/server/html.rbgit commit -m "better docs for Msf::Exploit::Remote::HttpServer::HTML#js_property_spray"
# Open pull requestgem install hub # on a mac you can `brew install hub`
hub fork
git push <your name> -your-name--update-docs-Msf--Exploit--Remote--HttpServer--HTML-js_property_spray-for-pr
hub pull-request
# Celebrate!