A version of the following code appears in this presentation about heap spraying (this link causes a PowerPoint download), as well as in this lecture video by Dan Boneh.
<script type="text/javascript">
var shellcode = unescape("%u4343%u4343%..."); // payload bytes, truncated on the slide
var oneblock = unescape("%u0C0C%u0C0C");       // short filler block
cause-overflow(overflow-string); // overflow buf[] (pseudocode; not defined on the slide)
</script>
The cause-overflow() function isn’t implemented here, but I think it would just write shellcode + nop all over the heap.
Is shellcode actually machine code for something like exec(/bin/sh), or is shellcode the memory location of some shell code?
Is oneblock a NOP slide?
(More generally, what is this code doing? Why does it cause a heap spray?)
P.S. Not homework; I’m just a noob to javascript.
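To make the two literals in the question concrete, here is an added example (not code from the question, the presentation, or the lecture) that decodes `%uXXXX` escapes the way the legacy `unescape()` does and applies a simple defender-side heuristic: a large string built from one short block repeated thousands of times scores close to 1.0 on a "repeats the byte N positions back" measure, which is one of the cheap signals script scanners use to flag spray-style allocations. The helper names, thresholds and sample strings are this example's own assumptions; the sample input is constructed, not a real capture.

```javascript
// Added example (not from the question, the presentation, or the lecture).
// Helper names, thresholds and sample strings are assumptions of this example.

// Decode a %uXXXX / %XX escape string into an array of byte values, the way the
// legacy unescape() would: each %uXXXX yields one 16-bit code unit, which lands in
// memory little-endian as two bytes on x86, so %u0C0C becomes the bytes 0C 0C.
function decodeEscapes(s) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      bytes.push(unit & 0xff, unit >> 8);   // little-endian code unit
    } else if (m[2] !== undefined) {
      bytes.push(parseInt(m[2], 16));
    } else {
      bytes.push(m[3].charCodeAt(0) & 0xff); // plain character
    }
  }
  return bytes;
}

// Fraction of positions that simply repeat the byte `period` bytes earlier.
// A buffer assembled from one short block repeated thousands of times scores
// close to 1.0; ordinary text or code scores far lower.
function repeatedFraction(bytes, period) {
  if (bytes.length <= period) return 0;
  let hits = 0;
  for (let i = period; i < bytes.length; i++) {
    if (bytes[i] === bytes[i - period]) hits++;
  }
  return hits / (bytes.length - period);
}

// Heuristic: flag a decoded buffer as spray-like when it is large and at least
// `threshold` of it is a repetition of a block no longer than `maxPeriod` bytes.
// Returns the best-matching period and its fraction so an analyst can inspect it.
function looksLikeSpray(bytes, { minBytes = 1024, maxPeriod = 16, threshold = 0.95 } = {}) {
  let best = { spray: false, period: 0, fraction: 0 };
  if (bytes.length < minBytes) return best;
  for (let p = 1; p <= maxPeriod; p++) {
    const f = repeatedFraction(bytes, p);
    if (f > best.fraction) best = { spray: f >= threshold, period: p, fraction: f };
  }
  return best;
}

function analyze(escaped) {
  return looksLikeSpray(decodeEscapes(escaped));
}

// Constructed sample inputs (not real captures): the two literals from the
// question, a filler block repeated many times followed by the placeholder
// payload bytes, and a short benign string for comparison.
const SAMPLE_ONEBLOCK = "%u0C0C%u0C0C";
const SAMPLE_SHELLCODE = "%u4343%u4343";   // placeholder bytes, as on the slide
const SAMPLE_SPRAY_STRING = SAMPLE_ONEBLOCK.repeat(2048) + SAMPLE_SHELLCODE;
const SAMPLE_BENIGN_STRING =
  "%u0048%u0065%u006C%u006C%u006F%u002C%u0020%u0077%u006F%u0072%u006C%u0064";

console.log(decodeEscapes(SAMPLE_ONEBLOCK)); // [12, 12, 12, 12]
console.log(analyze(SAMPLE_SPRAY_STRING));   // { spray: true, period: 1, fraction: ~0.9999 }
console.log(analyze(SAMPLE_BENIGN_STRING));  // { spray: false, ... } (too small to matter)
```

Run it with `node` and note the two things the question asks about: `unescape("%u0C0C%u0C0C")` is just four bytes of `0x0C`, not an address or a pointer to anything, and the only reason a string of it matters is the sheer volume produced when a script repeats the block until the buffer is huge. The period-1 hit is what makes this pattern cheap to spot; a scanner would tune `minBytes` and `threshold` against real traffic before relying on it.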
(Can’t open either of those two links from this machine.)
I’ve never played with heap spraying in Javascript — the thought is really rather horrible.
It has nothing to do with shell code (since it isn’t running in a shell) but rather it gets right down to machine language — the native code of the CPU.
This is a rather crude and somewhat inaccurate way of describing things, but it gets the basics across.
The heap is nothing special. It is just computer memory. The stack is nothing terribly special either, it is just computer memory. Program space is nothing terribly special either, it is just computer memory.
Normally[*], the running program is kept in “Program space.” Big things the program creates are kept in the “Heap” and temporary things the program makes are kept in the “Stack.” (Simplification — deal with it.)
The idea of buffer overruns, smashing the stack, spraying the heap or whatever the latest trick is … is to somehow fill the computer memory with carefully crafted bad data and force the computer to stop running things in the program space, and instead run your carefully crafted bad data.
It involves rather careful knowledge of
[*] Yes, there are some efforts being made to change this and make computers more protected