shellcode2asmjs: Generate arbitrary ASM.JS JIT-Spray payloads
sc2asm.py should allow you to generate arbitrary payloads for ASM.JS JIT-Spray for Firefox 32-bit < 51 (Windows). More Information about ASM.JS JIT-Spray can be found in the slides and blogposts.
Instead of manually inserting your opcodes into ASM.JS constants, use sc2asmjs.py to generate ASM.JS code containing your payload.
Disclaimer:
All code and research about ASM.JS JIT-Spray is provided for educational purposes only. All code is experimental Proof of Concept code.
sc2asmjs.py - Payload generator
shellcode2asmjs consists of the following:
- main tool:
sc2asmjs.py -h
- zero stage and standalone payloads:
asm_payloads/nops.asm (test shellcode)
asm_payloads/three_byte_stager.asm (3-byte loader executing custom shellcodes)
asm_payloads/two_byte_stager.asm (2-byte loader executing custom shellcodes)
asm_payloads/WinExec_cmd.asm (standalone WinExec shellcode executing cmd.exe)
- first stage msf payloads (i.e., executed by stage0):
bin_payloads/msf_windows_exec_calc.py
bin_payloads/msf_windows_exec_cmd.py
bin_payloads/msf_windows_exec_mspaint.py
- ASM.JS templates for payload insertion:
asmjs_templates/dynamic_2_byte.html (setting array elements)
asmjs_templates/dynamic.html (payload is dynamically generated)
asmjs_templates/pool_of_floats.html (payload is transformed into float constants)
asmjs_templates/static.html (asm.js payload is statically inserted)
- output folders:
out/ (location of various generated payloads)
tmp/ (folder used to hold temp stuff created by sc2asmjs)
Payloads
Several ASM.JS JIT-Spray payloads are already generated:
out/msf_exec_cmd_2_byte_stager.html
out/msf_exec_cmd_dynamic.html
out/msf_exec_cmd_float_pool.html
out/msf_exec_mspaint_static.html
out/WinExec_cmd_static.html
Exploits
Exploits using ASM.JS JIT-Spray can be found here: