PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit

An interesting submission to EDB today from the guys at http://www.nullbyte.org.il – a PHP 6.0 0day buffer overflow.

OffSec Team

0 min read

An interesting submission to the Exploit Database today from the guys at ~~http://www.nullbyte.org.il~~ – a PHP 6.0 0day buffer overflow.

From the exploit comments:
## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC ## Take a look, 'unicode.semantics' has to be on! ## php.ini > unicode.semantics = on

Their exploit code was tested and verified by the EDB team – check it here.

Stay in the know: Become an OffSec Insider

Get the latest updates about resources, events & promotions from OffSec!

Latest from OffSec

Research & Tutorials

CVE-2025-32433: Vulnerability in Erlang/OTP SSH Implementation

Read about a critical vulnerability found in the SSH implementation of Erlang/OTP arising from improper handling of SSH protocol messages.

Apr 23, 2025

3 min read

Research & Tutorials

CVE-2024-13059: Exploiting Path Traversal in AnythingLLM for Remote Code Execution

Discover CVE-2024-13059, a critical vulnerability flat that affects AnythingLLM’s handling of ASCII filenames in the multer library.

Apr 17, 2025

2 min read

Enterprise Security

How OSCP Holders Can Lead Their Teams to Greater Cybersecurity Resilience

Champion OSCP training in your organization to build a unified, resilient security team.

Apr 11, 2025

6 min read

View all blogs

New course! SJD-100: Secure Java Development Essentials