sc2asm.py should allow you to generate arbitrary payloads for ASM.JS JIT-Spray for Firefox 32-bit < 51 (Windows). More Information about ASM.JS JIT-Spray can be found in the slides and blogposts.
Instead of manually inserting your opcodes into ASM.JS constants, use sc2asmjs.py to generate ASM.JS code containing your payload.
All code and research about ASM.JS JIT-Spray is provided for educational purposes only. All code is experimental Proof of Concept code.
shellcode2asmjs consists of the following:
- main tool:
sc2asmjs.py -h
- zero stage and standalone payloads:
asm_payloads/nops.asm (test shellcode)
asm_payloads/three_byte_stager.asm (3-byte loader executing custom shellcodes)
asm_payloads/two_byte_stager.asm (2-byte loader executing custom shellcodes)
asm_payloads/WinExec_cmd.asm (standalone WinExec shellcode executing cmd.exe)
- first stage msf payloads (i.e., executed by stage0):
bin_payloads/msf_windows_exec_calc.py
bin_payloads/msf_windows_exec_cmd.py
bin_payloads/msf_windows_exec_mspaint.py
- ASM.JS templates for payload insertion:
asmjs_templates/dynamic_2_byte.html (setting array elements)
asmjs_templates/dynamic.html (payload is dynamically generated)
asmjs_templates/pool_of_floats.html (payload is transformed into float constants)
asmjs_templates/static.html (asm.js payload is statically inserted)
- output folders:
out/ (location of various generated payloads)
tmp/ (folder used to hold temp stuff created by sc2asmjs)
Several ASM.JS JIT-Spray payloads are already generated:
out/msf_exec_cmd_2_byte_stager.html
out/msf_exec_cmd_dynamic.html
out/msf_exec_cmd_float_pool.html
out/msf_exec_mspaint_static.html
out/WinExec_cmd_static.html
Exploits using ASM.JS JIT-Spray can be found here: