This module exploits an integer overflow vulnerability in the unserialize()
function of the PHP web server extension. This vulnerability was patched by
Stefan in version 4.5.0 and applies all previous versions supporting this function.
This particular module targets numerous web applications and is based on the proof
of concept provided by Stefan Esser. This vulnerability requires approximately 900k
of data to trigger due the multiple Cookie headers requirement. Since we
are already assuming a fast network connection, we use a 2Mb block of shellcode for
the brute force, allowing quick exploitation for those with fast networks.
One of the neat things about this vulnerability is that on x86 systems, the EDI register points
into the beginning of the hashtable string. This can be used with an egghunter to
quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction
is known. The EDI method is faster, but the bandwidth-intensive brute force used by this
module is more reliable across a wider range of systems.
- hdm <email@example.com>
- GML <firstname.lastname@example.org>
- Stefan Esser <email@example.com>