http://skypher.com/SkyLined/heap_spray/small_heap_spray_generator.html
I’ve created a heap-spray generator. It generates a small piece of JavaScript that sprays the heap using the following customizable settings:
- Shellcode, easy to enter using hexadecimal byte values (see also BETA3).
- Target address and block size.
- Heap header size, derived from the target browsers or entered manually.
The resulting code is smaller than any heap-spray I’ve seen in the wild:
- The heap-spray code itself is just over 70 bytes.
- The shellcode can be encoded using a custom-built 7-bit encoding.
Most exploits contain shellcode encoded as “\uXXXX” or even “%uXXXX”. The resulting encoded shellcode data contains 3 bytes for every byte in the original shellcode. Because this is very wasteful, it is quite easy to improve on it by creating a custom encoder/decoder. The “7-bit” encoding I created converts the 16-bit characters of the unicode string that contains the shellcode into a series of 7-bit values, which are encoded as latin-1 characters. The resulting encoded shellcode data contains only 1.125 bytes for every byte in the shellcode, a saving of almost 63% compared to conventional encodings.
The heap-spray will of course need some additional code to decode the shellcode, so the combined code+data is only smaller for large enough shellcodes. Because my decoder is also rather small (just under 130 bytes), the break-even point is just under 70 bytes of shellcode. For a 100-byte shellcode you save about 50 bytes, and for a 200-byte shellcode you save about 200 bytes!
You can try out the heap-spray generator here.


1 Comment to “Advances in heap spraying #1: when size matters.”
2010/03/09
I’ve updated the code to make the 7-bit encoding more efficient by avoiding quotes and slashes that require encoding in two bytes (as ‘\\’ and ‘\"’).
Additionally, an error message is now shown when an uneven size for the heap header is entered manually, as this makes no sense and will not work.