From 66425455510a3de256551bffad7d513acd75ce32 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Wed, 24 Apr 2013 17:36:45 -0500
Subject: [PATCH] Adds new JavaScript function "js_download"

"js_download" is a JavaScript function used to download data (text or binary) from the web server.
---
 lib/msf/core/exploit/http/server.rb | 50 +++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index c1e0c8429c..d9cced3875 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -792,6 +792,56 @@ protected
 return js
 end
+
+ #
+ # Downloads data using ajax
+ #
+ # Supported argumnets:
+ # method => Optional. HTTP Verb (eg. GET/POST)
+ # path => Relative path to the file. In IE, you can actually use an URI. But in Firefox, you
+ # must use a relative path, otherwise you will be blocked by the browser.
+ # data => Optional. Data to pass to the server
+ #
+ # Example of using the ajax_download() function:
+ # For IE, your web server has to return this header to download binary data:
+ # "text/plain; charset=x-user-defined"
+ #
+ #
+ def js_download
+ %Q|function ajax_download(oArg) {
+ method = oArg.method;
+ path = oArg.path;
+ data = oArg.data;
+
+ if (method == undefined) { method = "GET"; }
+ if (method == path) { throw "Missing parameter 'path'"; }
+ if (data == undefined) { data = null; }
+
+ if (window.XMLHttpRequest) {
+ xmlHttp = new XMLHttpRequest();
+ }
+ else {
+ xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+ }
+
+ if (xmlHttp.overrideMimeType) {
+ xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+ }
+
+ xmlHttp.open(method, path, false);
+ xmlHttp.send(data);
+ if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
+ return xmlHttp.responseText;
+ }
+ return null;
+ }
+ |
+ end
+
 #
 # This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)
 # function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's
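Review bot: The missing-path guard inside the emitted `ajax_download` compares the wrong variables: `if (method == path)` cannot fire when `oArg.path` is omitted, because `method` has just been defaulted to "GET", so the call goes on to `xmlHttp.open` with an undefined URL instead of throwing. It should read `if (path == undefined) { throw "Missing parameter 'path'"; }`. The names `method`, `path`, `data` and `xmlHttp` are also assigned without `var`, so they become globals of whatever page embeds the snippet and can overwrite same-named page variables; declaring each with `var` keeps them local to the function. The header comment has a typo ("argumnets"), and the "Example of using the ajax_download() function:" line is not followed by an example as shown here.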