Closed ptresearch closed 7 years ago
I went back a couple of years, and still couldn't find when this exploit last worked. Got to the point where installing ruby 1.8 was required :P.
I hate to sound like a jerk, but perhaps that's grounds for removing the module.
I wondered if this bug was related to #2545, but I wasn't able to go back far enough to test. :/
Looks like that PR changed the behavior of js_heap_spray to return ObfuscateJS#obfuscate (an obfuscated JS string) instead of the ObfuscateJS instance itself, which has the opts accessor.
Seems like something @wchen-r7 would know about or be able to fix. I'm going to back off this, since I have too many tickets still.
Ok, I will take a look :-) Thanks!
Thank you, @wchen-r7!
I have submitted a fix here: https://github.com/rapid7/rex-exploitation/pull/2
There are about 19 modules that use the heap_spray method. All of them treat the return value as Rex::Exploitation::ObfuscateJS, so this patch should address it properly.
Thanks again, @wchen-r7. :)
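The regression described above (js_heap_spray handing back the String from ObfuscateJS#obfuscate instead of the ObfuscateJS instance, while callers still read its opts accessor) as an added, self-contained example. This is not Metasploit or rex-exploitation code: FakeObfuscateJS, the :symbols option and the module_symbols caller are illustrative assumptions that model the contract the thread describes, and the JavaScript payload is constructed.

```ruby
# Added example, not code from Metasploit or rex-exploitation. It models the
# contract discussed in the thread: callers expect js_heap_spray to return an
# ObfuscateJS-like object with an `opts` accessor, but after the change it
# returned the result of #obfuscate, a plain String. The class, method and
# option names here (FakeObfuscateJS, :symbols) are illustrative assumptions.

class FakeObfuscateJS
  attr_reader :opts

  def initialize(code, opts = {})
    @code = code
    @opts = opts
  end

  # Stand-in for ObfuscateJS#obfuscate: renames each listed symbol in the
  # source to a short prefixed name and returns the rewritten String.
  def obfuscate(symbols: [])
    symbols.each_with_index.reduce(@code) do |js, (sym, i)|
      js.gsub(/\b#{Regexp.escape(sym)}\b/, "_#{i}")
    end
  end
end

# Constructed stand-in for a heap-spray routine; not a real spray.
SPRAY_JS = 'var heap = []; function spray(sc) { heap.push(sc); }'.freeze

# Pre-change behaviour: return the instance, so the caller can still reach opts.
def js_heap_spray_instance(opts = {})
  FakeObfuscateJS.new(SPRAY_JS, opts)
end

# Post-change behaviour from the thread: return the obfuscated String instead.
def js_heap_spray_string(opts = {})
  FakeObfuscateJS.new(SPRAY_JS, opts).obfuscate(symbols: opts.fetch(:symbols, []))
end

# Models a module that treats the return value as an ObfuscateJS instance
# (illustrative; real modules differ) and reads back an option it passed in.
# Raises NoMethodError when handed a String.
def module_symbols(spray)
  spray.opts[:symbols]
end

# Cheap interface guard a shared helper could apply before handing the value
# to its many callers: does the value still look like an ObfuscateJS?
def obfuscatejs_like?(value)
  value.respond_to?(:opts) && value.respond_to?(:obfuscate)
end

if __FILE__ == $PROGRAM_NAME
  good = js_heap_spray_instance(symbols: %w[heap spray])
  puts module_symbols(good).inspect
  puts good.obfuscate(symbols: good.opts[:symbols])

  bad = js_heap_spray_string(symbols: %w[heap spray])
  begin
    module_symbols(bad)
  rescue NoMethodError => e
    puts "regression reproduced: #{e.message}"
  end
end
```

The guard is the useful part for a helper shared by many modules: checking `respond_to?(:opts)` at the return point catches a type change in one place rather than in nineteen call sites.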
Steps to reproduce
Some other modules also seem to be affected: exploit/windows/browser/baofeng_storm_onbeforevideodownload, exploit/windows/browser/symantec_altirisdeployment_runcmd, exploit/windows/browser/ibmegath_getxmlvalue
Metasploit version
msf > version
Framework: 4.12.40-dev
Console : 4.12.40-dev
OS version
Ubuntu 15.10 (GNU/Linux 4.2.0-35-generic x86_64)