PHP 3.0.16 and below remote format string exploit for Linux/x86. Gives a uid=nobody shell. File logging must be enabled for this exploit to work. Includes offset brute forcing and instructions for finding offsets.
f8889150d30826db631280ac6c92c44dad3ef711b843e0bf21d413cdc2f3a9ee