Hi Folks,
today I want to point out a nice exploit for PHP 6.0 Dev: a str_transliterate() buffer overflow, implemented by Pr0T3cT10n. Why do I call it a nice exploit? Well, in my opinion it is a great, easy example of a buffer overflow: optimal for learning, and a striking demonstration that even new applications carry old bugs because of poor security development.
Right now I am thinking of the CeSeNA folks (cesena.ing2.unibo.it), many of whom are burning to know how to inject shellcode through a buffer overflow. For all of you interested in the "art of exploitation", I totally suggest starting from this self-commenting example.

There are no comments about the shellcode, since I have discussed it a lot in the past. I will probably use this exploit during my future talks on buffer overflows. I hope you enjoy this didactic exploit.
Original code.
Original vulnerable app.
*Update:*
Yes, of course: \u4141 is two 'A's, and \u9090 is two NOPs. Basically 20 x (2) NOP = 40 bytes and 256 x (2) 'A' = 512 bytes. Thanks to TheLeader for pointing it out.
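The byte arithmetic in the update is worth seeing in code, because "two 'A's" is true only for the in-memory encoding: U+4141 is a single character whose UTF-16LE representation happens to be the bytes 0x41 0x41. The snippet below is an added example, not part of the original post or of Pr0T3cT10n's exploit; it assumes UTF-16LE as the two-bytes-per-character form the post refers to (the real PHP 6 string internals are not modelled) and uses constructed inputs that mirror the post's figures (20 NOP characters, 256 'A' characters).

```python
# Added example (not from the original post or the exploit it describes):
# how many bytes a unicode string occupies in memory depends on the
# encoding, so character counts and byte counts must not be confused.

def in_memory_bytes(text: str, encoding: str = "utf-16-le") -> bytes:
    """Return the byte sequence `text` occupies under `encoding`.
    UTF-16LE is an assumption standing in for the two-bytes-per-character
    layout the post talks about."""
    return text.encode(encoding)


def describe_padding(text: str, encoding: str = "utf-16-le") -> dict:
    """Summarise a string as character count, byte count and hex dump."""
    data = in_memory_bytes(text, encoding)
    return {"chars": len(text), "bytes": len(data), "hex": data.hex()}


# Constructed sample inputs mirroring the numbers in the post's update:
# 20 characters of U+9090 and 256 characters of U+4141.
NOP_PADDING = "\u9090" * 20
A_PADDING = "\u4141" * 256

if __name__ == "__main__":
    # U+4141 is one character, but in UTF-16LE it is the two bytes 'A','A'.
    print("U+4141 as UTF-16LE:", describe_padding("\u4141"))
    print("20 x U+9090:", describe_padding(NOP_PADDING)["bytes"], "bytes")
    print("256 x U+4141:", describe_padding(A_PADDING)["bytes"], "bytes")
    # Contrast: under UTF-8 the same character takes three bytes, so the
    # "double A" reading only holds for the UTF-16 in-memory form.
    print("U+4141 as UTF-8:", describe_padding("\u4141", "utf-8"))
```

Running it prints 40 and 512 bytes for the two padding strings, which is exactly the 20 x 2 and 256 x 2 arithmetic from the update, and shows that the same 256-character string would be 768 bytes under UTF-8.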

7 thoughts on "PHP 6.0 Dev str_transliterate(). A great Example!"

  1. NVM, the in-memory representation of that character is 0x41, 0x41, which also represents a double 'A'.

    So you can just ignore my last comment (what happens when I stay awake 'till 4AM ;] ).

  2. Well damn, seems I haven't been too focused either.
    Since it is Unicode, it's not a double 'A'.

    Checking the Unicode table reveals "\u4141" is rather this little Unicode character buddy – '䅁'.

    Sorry, too much ASCII exploitation makes these interpretations automatic – after all, security researchers are human beings =]

  3. @TheLeader

    "Another interesting thing in your post I noticed right now – the buffer is actually 512 x 'A', the NOPs are 40 x 0x90 – that is because they are Unicode encoded and each char = 2 bytes."

    Hahaha, yes of course! The image is not fully correct, since \u4141 is a double 'A'. That's right! Thank you for the notice. I've been very busy today and the last 2 posts have been very fugitive.

  4. Another interesting thing in your post I noticed right now – the buffer is actually 512 x 'A', the NOPs are 40 x 0x90 – that is because they are Unicode encoded and each char = 2 bytes.

    Also, because of the Unicode attack vector, every 2 bytes are shifted – which makes the exploit a little bit harder to understand (esp. the shellcode part), but I agree it is a nice example to learn from.

  5. @TheLeader, I totally agree with you when you say

    "This exploit has the potential of being way more generic and working on multiple platforms"

    I am looking forward to seeing the next release!

    Thanks for following me.
