This should work

2024-11-05 14:57:30 +01:00 · 2014-03-03 11:53:51 -06:00 · 2014-03-03 11:53:51 -06:00 · ee1209b7fb
commit ee1209b7fb
parent 8cf5c3b97e
3 changed files with 90 additions and 3 deletions
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@ -722,8 +722,8 @@ protected
  #
  # Returns the heaplib2 javascript
  #
-  def heaplib2
-    @cache_heaplib2 ||= Rex::Exploitation::Js::Memory.heaplib2
+  def js_heaplib2(custom_js = '', opts = {})
+    @cache_heaplib2 ||= Rex::Exploitation::Js::Memory.heaplib2(custom_js, opts={})
  end

  def js_base64
--- a/lib/rex/exploitation/js/memory.rb
+++ b/lib/rex/exploitation/js/memory.rb
@ -24,11 +24,16 @@ class Memory
      }).obfuscate
  end

-  def self.heaplib2
+  def self.heaplib2(custom_js='', opts={})
    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heaplib2.js"))

+    unless custom_js.blank?
+      js << custom_js
+    end
+
    js = ::Rex::Exploitation::JSObfu.new js
    js.obfuscate
+    return js
  end

  def self.property_spray
--- a/test/modules/auxiliary/test/heaplib2.rb
+++ b/test/modules/auxiliary/test/heaplib2.rb
@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "heaplib2 test",
+      'Description'    => %q{
+        This tests heaplib2
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'sinn3r' ],
+      'References'     => 
+        [
+          [ 'URL', 'http://metasploit.com' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Mar 1 2014",
+      'DefaultTarget'  => 0))
+  end
+
+
+  def on_request_uri(cli, request)
+    spray = %Q|
+    function log(msg) {
+      console.log("[*] " + msg);
+      Math.atan2(0x0101, msg);
+    }
+
+    log("Creating element div");
+    var element = document.createElement("div");
+
+    log("heapLib2");
+    var heaplib = new heapLib2.ie(element, 0x80000);
+
+    log("Creating spray");
+    var spray = unescape("%u4141%u4141");
+    while (spray.length < 0x20000) { spray += spray };
+
+    log("spraying...");
+    for (var i=0; i<0x400; i++) {
+      heaplib.sprayalloc("userspray"+i, spray);
+    }
+
+    alert("free is about to happen");
+
+    log("freeing...");
+    for (var i=0; i<0x400; i++) {
+      heaplib.free("userspray"+i);
+    }
+    |
+
+    html = %Q|
+    <html>
+    <script>
+    #{js_heaplib2(spray)}
+    </script>
+    </html>
+    |
+
+    print_status("Sending html")
+    send_response(cli, html, {'Content-Type'=>'text/html'})
+  end
+
+  def run
+    exploit
+  end
+
+end