Landing rapid7#1733, setting a sensible heapsray offset

Tod Beardsley · Tod Beardsley · commit 25fcbd4e707a · 2013-04-15T16:32:48.000-05:00
@wchen-r7 says that nobody's using it today, much less relying on the default, so this should make no functional difference to any browser exploits.
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
@@ -800,7 +800,7 @@ def js_base64
 	# The "sprayHeap" JavaScript function supports the following arguments:
 	#   shellcode     => The shellcode to spray in JavaScript.  Note: Avoid null bytes.
 	#   objId         => Optional. The ID for a <div> HTML tag.
-	#   offset        => Optional. Number of bytes to align the shellcode, default: 0x104
+	#   offset        => Optional. Number of bytes to align the shellcode, default: 0x00
 	#   heapBlockSize => Optional. Allocation size, default: 0x80000
 	#   maxAllocs     => Optional. Number of allocation calls, default: 0x350
 	#
@@ -825,7 +825,7 @@ def js_property_spray
 			objId         = oArg.objId;
 
 			if (shellcode     == undefined)  { throw "Missing argument: shellcode"; }
-			if (offset        == undefined)  { offset        = 0x104; }
+			if (offset        == undefined)  { offset        = 0x00; }
 			if (heapBlockSize == undefined)  { heapBlockSize = 0x80000; }
 			if (maxAllocs     == undefined)  { maxAllocs     = 0x350; }
 
