Land rapid7#1919, update js_property_spray documentation

wvu · wvu · commit 4edceea27b0a · 2013-06-07T08:31:57.000-05:00
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
@@ -924,7 +924,9 @@ def js_mstime_malloc
 	#
 	# This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)
 	# function to trigger allocations by ntdll!RtlAllocateHeap.  It is based on Corelan's
-	# publication on "DEPS – Precise Heap Spray on Firefox and IE10".
+	# publication on "DEPS – Precise Heap Spray on Firefox and IE10".  In IE, the shellcode
+	# should land at address 0x0c0d2020, as this is the most consistent location across
+	# various versions.
 	#
 	# The "sprayHeap" JavaScript function supports the following arguments:
 	#   shellcode     => The shellcode to spray in JavaScript.  Note: Avoid null bytes.

Original file line number	Diff line number	Diff line change
`@@ -924,7 +924,9 @@ def js_mstime_malloc`
`924`	`924`	`#`
`925`	`925`	`# This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)`
`926`	`926`	`# function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's`
`927`		`- # publication on "DEPS – Precise Heap Spray on Firefox and IE10".`
	`927`	`+ # publication on "DEPS – Precise Heap Spray on Firefox and IE10". In IE, the shellcode`
	`928`	`+ # should land at address 0x0c0d2020, as this is the most consistent location across`
	`929`	`+ # various versions.`
`928`	`930`	`#`
`929`	`931`	`# The "sprayHeap" JavaScript function supports the following arguments:`
`930`	`932`	`# shellcode => The shellcode to spray in JavaScript. Note: Avoid null bytes.`