2007-04-03 07:35:54 +00:00
|
|
|
require 'rex/text'
|
|
|
|
|
require 'rex/exploitation/obfuscatejs'
|
2011-09-01 10:21:15 +00:00
|
|
|
require 'rex/exploitation/jsobfu'
|
2007-04-03 07:35:54 +00:00
|
|
|
|
|
|
|
|
module Rex
|
|
|
|
|
module Exploitation
|
|
|
|
|
|
2007-04-03 07:36:33 +00:00
|
|
|
#
|
|
|
|
|
# Encapsulates the generation of the Alexander Sotirov's HeapLib javascript
|
|
|
|
|
# stub
|
|
|
|
|
#
|
2007-04-03 07:35:54 +00:00
|
|
|
class HeapLib
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# The source file to load the javascript from
|
|
|
|
|
#
|
2008-01-25 03:15:26 +00:00
|
|
|
JavascriptFile = File.join(File.dirname(__FILE__), "heaplib.js.b64")
|
2007-04-03 07:35:54 +00:00
|
|
|
|
2011-09-01 08:58:18 +00:00
|
|
|
#
|
|
|
|
|
# The list of symbols found in the file. This is used to dynamically
|
|
|
|
|
# replace contents.
|
|
|
|
|
#
|
2011-10-24 04:54:03 +00:00
|
|
|
SymbolNames =
|
2011-09-01 08:58:18 +00:00
|
|
|
{
|
|
|
|
|
"Methods" =>
|
|
|
|
|
[
|
|
|
|
|
"vtable",
|
|
|
|
|
"lookasideAddr",
|
|
|
|
|
"lookaside",
|
|
|
|
|
"freeList",
|
|
|
|
|
"gc",
|
|
|
|
|
"flushOleaut32",
|
|
|
|
|
"freeOleaut32",
|
|
|
|
|
"allocOleaut32",
|
|
|
|
|
"free",
|
|
|
|
|
"alloc",
|
|
|
|
|
"addr",
|
|
|
|
|
"hex",
|
|
|
|
|
"round",
|
|
|
|
|
"paddingStr",
|
|
|
|
|
"padding",
|
|
|
|
|
"debugBreak",
|
|
|
|
|
"debugHeap",
|
|
|
|
|
"debug",
|
|
|
|
|
],
|
|
|
|
|
"Classes" =>
|
|
|
|
|
[
|
|
|
|
|
{ 'Namespace' => "heapLib", 'Class' => "ie" }
|
|
|
|
|
],
|
|
|
|
|
"Namespaces" =>
|
|
|
|
|
[
|
|
|
|
|
"heapLib"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
2007-04-03 07:35:54 +00:00
|
|
|
#
|
|
|
|
|
# Initializes the heap library javascript
|
|
|
|
|
#
|
2011-09-01 08:58:18 +00:00
|
|
|
def initialize(custom_js = '', opts = {})
|
|
|
|
|
load_js(custom_js, opts)
|
2007-04-03 07:35:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Return the replaced version of the javascript
|
|
|
|
|
#
|
|
|
|
|
def to_s
|
|
|
|
|
@js
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Loads the raw javascript from the source file and strips out comments
|
|
|
|
|
#
|
2011-09-01 08:58:18 +00:00
|
|
|
def load_js(custom_js, opts = {})
|
2011-08-30 22:08:51 +00:00
|
|
|
|
2007-04-03 07:35:54 +00:00
|
|
|
# Grab the complete javascript
|
2011-09-01 08:58:18 +00:00
|
|
|
File.open(JavascriptFile) do |f|
|
2007-04-03 07:35:54 +00:00
|
|
|
@js = f.read
|
2011-09-01 08:58:18 +00:00
|
|
|
end
|
2011-08-30 22:08:51 +00:00
|
|
|
|
2008-01-25 03:15:26 +00:00
|
|
|
# Decode the text
|
|
|
|
|
@js = Rex::Text.decode_base64(@js)
|
2011-08-30 22:08:51 +00:00
|
|
|
|
2008-01-25 03:15:26 +00:00
|
|
|
# Append the real code
|
2007-04-03 07:35:54 +00:00
|
|
|
@js += "\n" + custom_js
|
2011-09-01 08:58:18 +00:00
|
|
|
|
|
|
|
|
if opts[:newobfu]
|
|
|
|
|
# Obfuscate the javascript using the new lexer method
|
|
|
|
|
@js = JSObfu.new(@js)
|
|
|
|
|
return @js.obfuscate
|
|
|
|
|
elsif opts[:noobfu]
|
|
|
|
|
# Do not obfuscate, let the exploit do the work (useful to avoid double obfuscation)
|
|
|
|
|
return @js
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Default to the old method
|
|
|
|
|
# Obfuscate the javascript using the old method
|
|
|
|
|
@js = ObfuscateJS.obfuscate(@js, 'Symbols' => SymbolNames)
|
2007-04-03 07:35:54 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
2011-10-24 04:52:22 +00:00
|
|
|
end
|
