"<span style="font-size: larger;"><b>ia 32 bits poc"<br>poc = Proof Of Concept<br></b></span><br><div><span class="gmail_quote">On 10/18/06, <b class="gmail_sendername">Josh Bressers</b> <<a href="mailto:josh@bress.net">
josh@bress.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">><br>> <?<br>><br>> print_r(unserialize('a:1073741823:{i:0;s:30:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}'));
<br>> ?><br>><br>> in function zend_hash_init() int overflow ( ecalloc() )-> heap overflow<br>> here segfault in zend_hash_find() but it's possible to fake the bucket and<br>> exploit a zend_hash_del_index_or_key
<br>> i tried a memory dump, just fake the bucket with the pointer of the<br>> $GLOBALS's bucket but segfault before in memory_shutdown...<br>><br><br>This looks to be CVE-2006-4812, which was discovered by Stefan Esser. He
<br>published his advisory last week:<br><a href="http://www.hardened-php.net/advisory_092006.133.html">http://www.hardened-php.net/advisory_092006.133.html</a><br><br>--<br> JB<br><br>_______________________________________________
<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">
http://secunia.com/</a><br></blockquote></div><br>