Updates js_property_spray documentation

wchen-r7 · wchen-r7 · commit 8e2de6d14fe0 · 2013-06-07T00:28:22.000-05:00
After many tests, it turns out address 0x0c0d2020 is the most
consistent location acorss various IE versions.  For dev purposes,
it's rather important to have this documented somewhere.

Thanks to corelanc0d3r for the data.
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
@@ -924,7 +924,9 @@ def js_mstime_malloc
 	#
 	# This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)
 	# function to trigger allocations by ntdll!RtlAllocateHeap.  It is based on Corelan's
-	# publication on "DEPS – Precise Heap Spray on Firefox and IE10".
+	# publication on "DEPS – Precise Heap Spray on Firefox and IE10".  In IE, the shellcode
+	# should land at address 0x0c0d2020, as this is the most consistent location across
+	# various versions.
 	#
 	# The "sprayHeap" JavaScript function supports the following arguments:
 	#   shellcode     => The shellcode to spray in JavaScript.  Note: Avoid null bytes.

Original file line number	Diff line number	Diff line change
`@@ -924,7 +924,9 @@ def js_mstime_malloc`
`924`	`924`	`#`
`925`	`925`	`# This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)`
`926`	`926`	`# function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's`
`927`		`- # publication on "DEPS – Precise Heap Spray on Firefox and IE10".`
	`927`	`+ # publication on "DEPS – Precise Heap Spray on Firefox and IE10". In IE, the shellcode`
	`928`	`+ # should land at address 0x0c0d2020, as this is the most consistent location across`
	`929`	`+ # various versions.`
`928`	`930`	`#`
`929`	`931`	`# The "sprayHeap" JavaScript function supports the following arguments:`
`930`	`932`	`# shellcode => The shellcode to spray in JavaScript. Note: Avoid null bytes.`