CVE-2012-2376
published 2012-05-21


Priority: P273 · Severity: critical · Score: 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 20.05% (97.1st percentile)
Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to execute arbitrary code via crafted arguments that trigger incorrect handling of COM object VARIANT types, as exploited in the wild in May 2012.

Affected

105 ranges · showing 25

Vendor   Product   Version range   Fixed in
php      php       <= 5.4.3        (not listed)
php      php       (range not extracted, 24 further rows)

Detection & IOCs (extracted from sources)

command: com_print_typeinfo
  • Look for HTTP requests invoking com_print_typeinfo() with crafted COM object VARIANT type arguments on Windows-hosted PHP 5.4.3 and earlier; the function mishandles VARIANT types leading to a stack/heap buffer overflow.
  • The exploit uses heap spray targeting address 0x048d0030 and pivots the stack via an XCHG EAX,ESP ROP gadget in ole32.dll (0x7752ae9f), then calls VirtualProtect (0x7c801ad4) to mark shellcode PAGE_EXECUTE_READWRITE before executing a bind-shell payload on port 1337. Detect heap spray patterns and ROP gadget sequences in PHP process memory.
  • The exploit delivers a two-stage payload: an HTML page (offset-brute.html) that iterates offsets and issues GET requests to a PHP script (0day.php) containing the malicious com_print_typeinfo call. Monitor for repeated GET requests to PHP scripts with incrementing offset parameters from a browser context.
  • The shellcode begins with a stack-adjustment stub (\xbc\x0c\xb0\xc0\x00) followed by the encoded bind-shell. Use the leading byte sequence as a signature to detect the shellcode in network traffic or PHP process memory.
  • Exploitation is Windows-only; Linux/Unix PHP deployments are not affected. Focus detection efforts on Windows IIS/Apache PHP deployments running PHP <= 5.4.3.
  • The exploit was tested and tuned specifically for Windows XP SP3 (Polish locale); hardcoded addresses (ole32.dll ROP gadget 0x7752ae9f, VirtualProtect 0x7c801ad4) are version/locale-specific and will differ on other Windows builds, limiting direct reuse of the PoC without re-bruteforcing offsets.
  • The PoC includes an offset-bruteforce loop (offset-brute.html) that iterates heap spray offsets via repeated GET requests, meaning the exploit may require many requests before succeeding; detection rules should account for this brute-force pattern rather than a single-shot trigger.

CVSS provenance

nvd: v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 10.0 CRITICAL
vendor_redhat: 10.0 CRITICAL