Bugtraq mailing list archives
PHP Buffer Overflow(popen)
From: ew1zz () hotmail com
Date: 12 Jan 2009 13:36:37 -0000
Apache 2.2.11/PHP 5.2.8 Buffer Overflow Exploit (popen func)

Type: Remote and Local
Requirements for exploit: popen() enabled.
By: e.wiZz! Enes Muić ew1zz () hotmail com

PHP popen() function overview:

The popen function in PHP opens a pipe to a process executed by forking the command given by command. It has been implemented since PHP 4.

    popen ( string $command_to_execute , string $mode )

The second argument is vulnerable to a buffer overflow. The reason I mentioned Apache here is that when we execute poc.php, the Apache HTTP server crashes without any report in the error log. You can test on WAMP too, on the CLI or in the browser.

Tested on: PHP 5.2.8/4.2.1/4.2.0, Apache 2.2.11

PoC:

    <?php
    // poc.php: a 9999-byte string is passed as the popen() mode argument
    $____buff = str_repeat("A", 9999);
    $handle = popen('/whatever/', $____buff);
    echo $handle;
    ?>
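The check a practitioner will want before treating this as a memory-safety bug is what the C library's popen() actually does with the oversized mode string. The following C program is an added example written for this archive page, not code from the post or from PHP: it builds the same 9999-byte "AAAA..." mode the PoC uses, hands it to the host libc's popen(), and reports whether the call was refused or crashed the process, alongside a strict mode validator of the kind a wrapper around popen() should apply. It assumes a POSIX system with a libc popen(); the command string "/whatever/" is the PoC's own placeholder and is never executed when the mode is rejected. It does not reproduce the Windows/WAMP environment the post mentions.

```c
/* Added example (editorial, not from the original post or from PHP).
 * Assumes a POSIX libc; "/whatever/" is the PoC's placeholder command. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strict validator for a popen() mode argument. Accepts only "r" or "w",
 * optionally followed by a single 'b' or 't' (the forms PHP documents).
 * It reads at most three bytes, so an oversized or unterminated buffer
 * is rejected before libc ever sees it. Returns 1 if acceptable, else 0. */
int popen_mode_ok(const char *mode)
{
    if (mode == NULL || mode[0] == '\0')
        return 0;
    if (mode[0] != 'r' && mode[0] != 'w')
        return 0;
    if (mode[1] == '\0')
        return 1;
    if (mode[1] != 'b' && mode[1] != 't')
        return 0;
    return mode[2] == '\0';
}

/* Reproduce the PoC's call at the libc level: a heap buffer of `len`
 * 'A' bytes, NUL-terminated, passed as the mode to popen().
 * Returns 1 if popen() refused it (returned NULL and the process is
 * still alive to report that), 0 if it unexpectedly returned a stream
 * (which is closed again), -1 on allocation failure. If saved_errno is
 * non-NULL it receives errno as left by popen(). */
int probe_long_mode(size_t len, int *saved_errno)
{
    char *mode = malloc(len + 1);
    if (mode == NULL)
        return -1;
    memset(mode, 'A', len);
    mode[len] = '\0';

    errno = 0;
    FILE *fp = popen("/whatever/", mode);   /* same placeholder as the PoC */
    if (saved_errno != NULL)
        *saved_errno = errno;
    free(mode);

    if (fp == NULL)
        return 1;
    pclose(fp);
    return 0;
}

int main(void)
{
    /* Constructed sample modes: valid PHP forms and a few that must fail. */
    static const char *samples[] = { "r", "w", "rb", "wt", "", "rw", "x", "rbb" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("mode \"%s\": %s\n", samples[i],
               popen_mode_ok(samples[i]) ? "accepted" : "rejected");

    int err = 0;
    int refused = probe_long_mode(9999, &err);
    if (refused == 1)
        printf("popen() with a 9999-byte mode: returned NULL, errno=%d (%s)\n",
               err, strerror(err));
    else if (refused == 0)
        printf("popen() with a 9999-byte mode: returned a stream\n");
    else
        printf("allocation failed\n");
    return 0;
}
```

Build with `cc -Wall -o popen_probe popen_probe.c && ./popen_probe`. On glibc (and on musl and the BSD libcs) popen() walks the mode string, stops at the first character that is not a recognised flag, sets errno to EINVAL and returns NULL, so the probe reports a refused call and the process survives; nothing on the libc side copies the mode into a fixed buffer. Whatever the outcome on a given platform, the validator above is the control a wrapper should apply anyway: it bounds the read to three bytes and lets through only the mode forms PHP documents.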