Insufficient sanitization in PineApp Mail SeCure ldapsyncnow.php leads to remote code execution.
This module exploits the following vulnerability, as described by the CVE database: "The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete." However, this exploit does not use the zend_hash_init technique used by other proof-of-concept codes and research papers, and therefore does not depend on a specific PHP configuration. Notably, it does not require register_globals to be turned on (it is off by default) and will work against any Linux machine running Apache (1 or 2) and PHP (from 4.1.0 to 4.3.7). Successful exploitation of this vulnerability is highly dependent on Apache's and PHP's versions, configurations, and memory usage. This module will successively run 5 different phases: the first 4 phases determine the parameters needed to trigger the memory_limit in an exploitable manner; the 5th and last phase bruteforces the 3 remaining parameters and finally installs an agent.
This module exploits a vulnerability in PHP Charts 1.0. The url.php script evals every single GET key/value pair, leading to code execution.
This module exploits an argument injection vulnerability in PHP up to version 5.3.12 and 5.4.2 when running as a standalone CGI processor and takes advantage of the -d flag to achieve remote code execution.
This module exploits a buffer overflow in PHP. The specific flaw is in the apache_request_handlers() function. The apache_request_handlers() function fails to validate the length of certain headers in the HTTP request and blindly copies the entire string received in the vulnerable header to the stack, causing a buffer overflow.
This module exploits a Remote Code Execution vulnerability in PHPMyAdmin, installing an agent. In PHPMyAdmin 3.0.0 RC1 it works with MySQL 5 and above. In PHPMyAdmin 2.9.11 and below, it works if the database is before MySQL 5. This module starts a web server on the Core Impact Console to publish the agent, which is downloaded from the target. It only works for Cookie-Authenticated sites.
This module abuses a vulnerability in phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 that allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.
The highlight parameter in the viewtopic.php script is not properly sanitized when it is decoded. This is exploited by this module to execute arbitrary PHP code on a vulnerable server in order to upload and execute an agent. When the target platform is Windows, this module leaves a file at the phpBB installation path with the name decoded-XXXXXX.exe (where XXXXXX is a random number). This file will not be removed on agent uninstall, so it must be manually deleted.
The format string protection mechanism in IMAPD for Perdition Mail Retrieval Proxy 1.17 and earlier allows remote attackers to execute arbitrary code via an IMAP tag with a null byte followed by a format string specifier, which is not counted by the mechanism.
PeerCast is prone to a remote buffer overflow vulnerability that allows for remote arbitrary code execution.