[Full-disclosure] PHP 5 ecalloc memory manager unserialize() array int overflow ia 32 bits poc
Slythers Bro
slythers at gmail.com
Tue Oct 17 15:48:48 BST 2006
<?
print_r(unserialize('a:1073741823:{i:0;s:30:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}'));
?>
in function zend_hash_init() int overflow ( ecalloc() )-> heap overflow
here segfault in zend_hash_find() but it's possible to fake the bucket and
exploit a zend_hash_del_index_or_key
i tried a memory dump , just fake the bucked with the pointer of the
$GLOBALS's bucket but segfault before in memory_shutdown...
don't cry a river :P
ethic is for gayz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061017/03fc36f4/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.