adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
be21ef692d401b119bb797eccf3bb9783ab27793
metasploit-gs/test/modules/exploits/test/js_tester.rb
T
Brent Cook 6300758c46 use https for metaploit.com links
2017-07-24 06:26:21 -07:00

104 lines
2.1 KiB
Ruby
Raw Blame History

require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => "IE Test for Javascript Libs",
'Description' => %q{
Tests Javascript hotness
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'References' => [ [ 'URL', 'https://metasploit.com' ] ],
'Platform' => 'win',
'Targets' => [ [ 'Automatic', {} ] ],
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -3500
},
'Privileged' => false,
'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0))
end
def test_base64
%Q|
#{js_base64}
var s = "hello, world!!";
document.write(Base64.encode(s));
|
end
def test_ajax_download
%Q|
#{js_ajax_download}
ajax_download({path:"/test.bin"});
|
end
def test_mstime_malloc
%Q|
#{js_mstime_malloc}
shellcode = unescape("%u4141%u4141%u4141%u4141%u4141");
offset = 3;
s = 0x58;
objId = "myanim";
mstime_malloc({shellcode:shellcode,offset:offset,heapBlockSize:s,objId:oId});
|
end
def test_property_spray
%Q|
#{js_property_spray}
var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444");
sprayHeap({shellcode:s});
|
end
def test_heap_spray
%Q|
#{js_heap_spray}
var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444");
sprayHeap(s, 0x0c0c0c0c, 0x40000);
|
end
def on_request_uri(cli, request)
# Change the following to a specific function
js = test_base64
html = %Q|
<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
#{js}
</script>
</head>
<body>
<t:ANIMATECOLOR id="myanim"/>
</body>
</html>
|
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
end
end
Reference in New Issue View Git Blame Copy Permalink