From ee1209b7fb4a4f53f42cc10a191c6b8d5a204a11 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 3 Mar 2014 11:53:51 -0600 Subject: [PATCH] This should work --- lib/msf/core/exploit/http/server.rb | 4 +- lib/rex/exploitation/js/memory.rb | 7 ++- test/modules/auxiliary/test/heaplib2.rb | 82 +++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 3 deletions(-) create mode 100644 test/modules/auxiliary/test/heaplib2.rb diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index a8bf6bef6e..f28f94d050 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -722,8 +722,8 @@ protected # # Returns the heaplib2 javascript # - def heaplib2 - @cache_heaplib2 ||= Rex::Exploitation::Js::Memory.heaplib2 + def js_heaplib2(custom_js = '', opts = {}) + @cache_heaplib2 ||= Rex::Exploitation::Js::Memory.heaplib2(custom_js, opts={}) end def js_base64 diff --git a/lib/rex/exploitation/js/memory.rb b/lib/rex/exploitation/js/memory.rb index 90c9a7e48c..bbbebd8cf0 100644 --- a/lib/rex/exploitation/js/memory.rb +++ b/lib/rex/exploitation/js/memory.rb @@ -24,11 +24,16 @@ class Memory }).obfuscate end - def self.heaplib2 + def self.heaplib2(custom_js='', opts={}) js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heaplib2.js")) + unless custom_js.blank? + js << custom_js + end + js = ::Rex::Exploitation::JSObfu.new js js.obfuscate + return js end def self.property_spray diff --git a/test/modules/auxiliary/test/heaplib2.rb b/test/modules/auxiliary/test/heaplib2.rb new file mode 100644 index 0000000000..f0b0a06fbc --- /dev/null +++ b/test/modules/auxiliary/test/heaplib2.rb 
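Review bot: `opts={}` inside the argument list on the `@cache_heaplib2 ||=` line is an assignment, not a keyword argument: it overwrites the local `opts` with an empty hash and passes that, so the caller's options never reach `Rex::Exploitation::Js::Memory.heaplib2`; the line should read `@cache_heaplib2 ||= Rex::Exploitation::Js::Memory.heaplib2(custom_js, opts)`. The `||=` memoization is keyed on nothing, so the first `custom_js` a module passes is served for every later call even when different JavaScript is supplied; either drop the cache or key it on the arguments. The comment block above the method could also describe the new parameters, e.g. `# custom_js - extra JavaScript appended to the heaplib2 source before obfuscation` and `# opts - options forwarded to Memory.heaplib2`.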
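Review bot: `js << custom_js` appends the caller's JavaScript directly after the file contents with no separator, so if `heaplib2.js` does not end in a newline, or ends in a `//` comment, the first custom line is fused to the library's last line; `js << "\n" << custom_js` avoids that. `opts` is accepted but never read anywhere in the method, so it should either be used or documented as reserved. `custom_js.blank?` is ActiveSupport's extension rather than core Ruby; unless this library is guaranteed to load those core extensions, `custom_js.to_s.strip.empty?` expresses the same check without the dependency. The explicit `return js` also makes the method return the `JSObfu` object rather than whatever `js.obfuscate` returned before; if those differ, existing callers of `heaplib2` would observe a changed value, which is worth confirming.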
@@ -0,0 +1,82 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info={}) + super(update_info(info, + 'Name' => "heaplib2 test", + 'Description' => %q{ + This tests heaplib2 + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'sinn3r' ], + 'References' => + [ + [ 'URL', 'http://metasploit.com' ] + ], + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Mar 1 2014", + 'DefaultTarget' => 0)) + end + + + def on_request_uri(cli, request) + spray = %Q| + function log(msg) { + console.log("[*] " + msg); + Math.atan2(0x0101, msg); + } + + log("Creating element div"); + var element = document.createElement("div"); + + log("heapLib2"); + var heaplib = new heapLib2.ie(element, 0x80000); + + log("Creating spray"); + var spray = unescape("%u4141%u4141"); + while (spray.length < 0x20000) { spray += spray }; + + log("spraying..."); + for (var i=0; i<0x400; i++) { + heaplib.sprayalloc("userspray"+i, spray); + } + + alert("free is about to happen"); + + log("freeing..."); + for (var i=0; i<0x400; i++) { + heaplib.free("userspray"+i); + } + | + + html = %Q| + + + + | + + print_status("Sending html") + send_response(cli, html, {'Content-Type'=>'text/html'}) + end + + def run + exploit + end + +end \ No newline at end of file
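Review bot: `console.log` inside the JavaScript `log()` helper throws a ReferenceError on Internet Explorer builds where `console` only exists while the developer tools are open, which aborts the script before the spray loop runs; guard it with `if (window.console) { console.log("[*] " + msg); }`. The `alert("free is about to happen")` call blocks until dismissed, so the test cannot run unattended; routing that message through `log()` keeps the trace without the modal. The `html` string between `%Q|` and `|` appears empty in this view (its markup was presumably stripped by rendering), so whether `js_heaplib2(spray)` is actually embedded in the response cannot be checked from here.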