module
PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
| Disclosed | Created |
|---|---|
| 2007-03-04 | 2018-05-30 |
Disclosed
2007-03-04
Created
2018-05-30
Description
This module exploits an integer overflow vulnerability in the unserialize()
function of the PHP web server extension. This vulnerability was patched by
Stefan in version 4.5.0 and applies all previous versions supporting this function.
This particular module targets numerous web applications and is based on the proof
of concept provided by Stefan Esser. This vulnerability requires approximately 900k
of data to trigger due the multiple Cookie headers requirement. Since we
are already assuming a fast network connection, we use a 2Mb block of shellcode for
the brute force, allowing quick exploitation for those with fast networks.
One of the neat things about this vulnerability is that on x86 systems, the EDI register points
into the beginning of the hashtable string. This can be used with an egghunter to
quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction
is known. The EDI method is faster, but the bandwidth-intensive brute force used by this
module is more reliable across a wider range of systems.
function of the PHP web server extension. This vulnerability was patched by
Stefan in version 4.5.0 and applies all previous versions supporting this function.
This particular module targets numerous web applications and is based on the proof
of concept provided by Stefan Esser. This vulnerability requires approximately 900k
of data to trigger due the multiple Cookie headers requirement. Since we
are already assuming a fast network connection, we use a 2Mb block of shellcode for
the brute force, allowing quick exploitation for those with fast networks.
One of the neat things about this vulnerability is that on x86 systems, the EDI register points
into the beginning of the hashtable string. This can be used with an egghunter to
quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction
is known. The EDI method is faster, but the bandwidth-intensive brute force used by this
module is more reliable across a wider range of systems.
Authors
hdm x@hdm.io
GML grandmasterlogic@gmail.com
Stefan Esser sesser@hardened-php.net
GML grandmasterlogic@gmail.com
Stefan Esser sesser@hardened-php.net
Platform
Linux
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.