Adds new function js_property_spray #1531
This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty) function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's publication on "DEPS – Precise Heap Spray on Firefox and IE10".
It has been tested on IE 8, 9, and 10. Also on Firefox.
Here's a very basic example on how to test the new function:
jlee-r7, we have second thoughts about that because you can say the shellcode is landing at address X, but if your dev env is loaded with random junk, modules could occupy that particular memory address. If that's the case, those who lack understanding of how spraying works can just blame us for their own problems. In my opinion, they should be able to find it themselves.
I actually have a blog on the way that will mention where you'll see your code in memory.
Awesome work! Congratulations! Sharing my test results:
Sometimes the shellcode isn't in the expected address:
Sometimes it's near the expected address:
And others the shellcode is at the expected address:
After increasing maxAllocs it seems to work better:
The @wchen-r7 explanation about the landing address topic makes sense. On the other hand, it would be nice to update the comment with a link to the blog post once it's written.
Checking with @wchen-r7 about the IE10 case and merging once he agrees.
Juan -- yeah, that behavior for IE 10 is actually expected. When I was testing with Peter, he told me that anything below 0x350 times, the success rate seems to drop. So we decided to set it to 0x350 as default. Based on your results, maybe that value needs to be a bit higher. I think what I can do is mention this in the blog, that way people can be aware of that.
I used the first script published in "DEPS – Precise Heap Spray on Firefox and IE10". After debugging the heap using !heap -stat -h, I got confused because the output shows 500 iterations of a Heap Block size of 7ff52 (I used the same default value 0x80000):
0:011> !heap -stat -h
Moreover, after I dumped the memory I encountered a heap corruption, as illustrated below:
0:011> !heap -flt s 0x7ff52
Why is it not showing the same output as your experiment in "New Heap Spray Technique for Metasploit Browser Exploitation"?