Land rapid7#1937, @wchen-r7's fix for heap spray js code

jvazquez-r7 · jvazquez-r7 · commit 430511cbff1b · 2013-06-11T09:17:40.000-05:00
diff --git a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
@@ -148,7 +148,6 @@ def ie_heap_spray(my_target, p)
 		for (var i=1; i < 0x300; i++) {
 			heap_obj.alloc(block);
 		}
-		var overflow = nops.substring(0, 10);
 		|
 
 		js = heaplib(js, {:noobfu => true})
diff --git a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
@@ -157,7 +157,6 @@ def ie_heap_spray(my_target, p)
 		for (var i=1; i < 0x300; i++) {
 			heap_obj.alloc(block);
 		}
-		var overflow = nops.substring(0, 10);
 		|
 
 		js = heaplib(js, {:noobfu => true})
diff --git a/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb b/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
@@ -164,7 +164,6 @@ def ie_heap_spray(my_target, p)
 			for (var i=1; i < 0x300; i++) {
 				heap_obj.alloc(block);
 			}
-			var overflow = nops.substring(0, 10);
 			|
 
 		end
diff --git a/modules/exploits/windows/browser/ibm_spss_c1sizer.rb b/modules/exploits/windows/browser/ibm_spss_c1sizer.rb
@@ -150,7 +150,6 @@ def ie_heap_spray(my_target, p)
 		for (var i=1; i < 0x300; i++) {
 			heap_obj.alloc(block);
 		}
-		var overflow = nops.substring(0, 10);
 		|
 
 		js = heaplib(js, {:noobfu => true})
diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
@@ -234,8 +234,6 @@ def get_spray(t, js_code, js_nops)
 		for (var i=1; i < 0x300; i++) {
 			heap_obj.alloc(block);
 		}
-
-		var overflow = nops.substring(0, 10);
 		JS
 	end
 
diff --git a/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb b/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
@@ -174,7 +174,6 @@ def ie_heap_spray(my_target, p)
 			for (var i=1; i < 0x300; i++) {
 				heap_obj.alloc(block);
 			}
-			var overflow = nops.substring(0, 10);
 			|
 
 		end
diff --git a/modules/exploits/windows/browser/inotes_dwa85w_bof.rb b/modules/exploits/windows/browser/inotes_dwa85w_bof.rb
@@ -179,7 +179,6 @@ def ie_heap_spray(my_target, p)
 			for (var i=1; i < 0x300; i++) {
 				heap_obj.alloc(block);
 			}
-			var overflow = nops.substring(0, 10);
 			|
 
 		end
diff --git a/modules/exploits/windows/browser/ms11_081_option.rb b/modules/exploits/windows/browser/ms11_081_option.rb
@@ -111,7 +111,6 @@ def ie_heap_spray(my_target, p)
 			for (var i=1; i < 0x300; i++) {
 				heap_obj.alloc(block);
 			}
-			var overflow = nops.substring(0, 10);
 		}
 		|
 
diff --git a/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb b/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
@@ -102,8 +102,6 @@ def heap_spray(my_target, p)
 			for (var i=1; i < 0x300; i++) {
 				heap_obj.alloc(block);
 			}
-			var overflow = nops.substring(0, 10);
-
 		|
 
 		js = heaplib(js, {:noobfu => true})
diff --git a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
@@ -174,7 +174,6 @@ def ie_heap_spray(my_target, p)
 			for (var i=1; i < 0x300; i++) {
 				heap_obj.alloc(block);
 			}
-			var overflow = nops.substring(0, 10);
 			|
 
 		end
diff --git a/modules/exploits/windows/browser/quickr_qp2_bof.rb b/modules/exploits/windows/browser/quickr_qp2_bof.rb
@@ -177,7 +177,6 @@ def ie_heap_spray(my_target, p)
 			for (var i=1; i < 0x300; i++) {
 				heap_obj.alloc(block);
 			}
-			var overflow = nops.substring(0, 10);
 			|
 
 		end

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,6 @@ def ie_heap_spray(my_target, p)`
`148`	`148`	`for (var i=1; i < 0x300; i++) {`
`149`	`149`	`heap_obj.alloc(block);`
`150`	`150`	`}`
`151`		`- var overflow = nops.substring(0, 10);`
`152`	`151`	`\|`
`153`	`152`
`154`	`153`	`js = heaplib(js, {:noobfu => true})`
Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,6 @@ def ie_heap_spray(my_target, p)`
`157`	`157`	`for (var i=1; i < 0x300; i++) {`
`158`	`158`	`heap_obj.alloc(block);`
`159`	`159`	`}`
`160`		`- var overflow = nops.substring(0, 10);`
`161`	`160`	`\|`
`162`	`161`
`163`	`162`	`js = heaplib(js, {:noobfu => true})`
Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,6 @@ def ie_heap_spray(my_target, p)`
`164`	`164`	`for (var i=1; i < 0x300; i++) {`
`165`	`165`	`heap_obj.alloc(block);`
`166`	`166`	`}`
`167`		`- var overflow = nops.substring(0, 10);`
`168`	`167`	`\|`
`169`	`168`
`170`	`169`	`end`
Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,6 @@ def ie_heap_spray(my_target, p)`
`150`	`150`	`for (var i=1; i < 0x300; i++) {`
`151`	`151`	`heap_obj.alloc(block);`
`152`	`152`	`}`
`153`		`- var overflow = nops.substring(0, 10);`
`154`	`153`	`\|`
`155`	`154`
`156`	`155`	`js = heaplib(js, {:noobfu => true})`
Original file line number	Diff line number	Diff line change
`@@ -234,8 +234,6 @@ def get_spray(t, js_code, js_nops)`
`234`	`234`	`for (var i=1; i < 0x300; i++) {`
`235`	`235`	`heap_obj.alloc(block);`
`236`	`236`	`}`
`237`		`-`
`238`		`- var overflow = nops.substring(0, 10);`
`239`	`237`	`JS`
`240`	`238`	`end`
`241`	`239`
Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,6 @@ def ie_heap_spray(my_target, p)`
`174`	`174`	`for (var i=1; i < 0x300; i++) {`
`175`	`175`	`heap_obj.alloc(block);`
`176`	`176`	`}`
`177`		`- var overflow = nops.substring(0, 10);`
`178`	`177`	`\|`
`179`	`178`
`180`	`179`	`end`
Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,6 @@ def ie_heap_spray(my_target, p)`
`179`	`179`	`for (var i=1; i < 0x300; i++) {`
`180`	`180`	`heap_obj.alloc(block);`
`181`	`181`	`}`
`182`		`- var overflow = nops.substring(0, 10);`
`183`	`182`	`\|`
`184`	`183`
`185`	`184`	`end`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,6 @@ def ie_heap_spray(my_target, p)`
`111`	`111`	`for (var i=1; i < 0x300; i++) {`
`112`	`112`	`heap_obj.alloc(block);`
`113`	`113`	`}`
`114`		`- var overflow = nops.substring(0, 10);`
`115`	`114`	`}`
`116`	`115`	`\|`
`117`	`116`
Original file line number	Diff line number	Diff line change
`@@ -102,8 +102,6 @@ def heap_spray(my_target, p)`
`102`	`102`	`for (var i=1; i < 0x300; i++) {`
`103`	`103`	`heap_obj.alloc(block);`
`104`	`104`	`}`
`105`		`- var overflow = nops.substring(0, 10);`
`106`		`-`
`107`	`105`	`\|`
`108`	`106`
`109`	`107`	`js = heaplib(js, {:noobfu => true})`