Metasploit mailing list archives

Metasploit 3 module for PHP < 4.5.0 unserialize() bug


From: a10n3.s7r1k3r at gmail.com (Kashif Iftikhar)
Date: Tue, 13 Mar 2007 06:44:56 +0000

Here is the output on Linux 2.6.20 (the kernel version string, followed by the memory map of the httpd process):

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Linux version 2.6.20 (root@*******) (gcc version 3.4.6) #4 Wed Feb 14 23:40:45 GMT 2007
08048000-0808c000 r-xp 00000000 03:01 81294      /usr/sbin/httpd
0808c000-08093000 rwxp 00044000 03:01 81294      /usr/sbin/httpd
08093000-0815a000 rwxp 08093000 00:00 0          [heap]
b2d31000-b3132000 rwxp b2d31000 00:00 0
b3132000-b3179000 r-xp 00000000 03:01 188386     /usr/lib/mysql/libmysqlclient.so.15.0.0
b3179000-b3274000 rwxp 00046000 03:01 188386     /usr/lib/mysql/libmysqlclient.so.15.0.0
b3274000-b3275000 rwxp b3274000 00:00 0
b329a000-b529a000 rwxs 00000000 00:07 1769476    /SYSV00000000 (deleted)
b529a000-b52b0000 r-xp 00000000 03:01 85262      /usr/lib/libsasl2.so.2.0.22
b52b0000-b52b1000 rwxp 00015000 03:01 85262      /usr/lib/libsasl2.so.2.0.22
b52b1000-b72b1000 rwxs 00000000 00:07 1736707    /SYSV00000000 (deleted)
b72b1000-b72ba000 r-xp 00000000 03:01 67936      /lib/tls/libnss_files-2.3.6.so
b72ba000-b72bc000 rwxp 00008000 03:01 67936      /lib/tls/libnss_files-2.3.6.so
b72bc000-b72c4000 r-xp 00000000 03:01 67938      /lib/tls/libnss_nis-2.3.6.so
b72c4000-b72c6000 rwxp 00007000 03:01 67938      /lib/tls/libnss_nis-2.3.6.so
b72c6000-b72ce000 r-xp 00000000 03:01 67934      /lib/tls/libnss_compat-2.3.6.so
b72ce000-b72d0000 rwxp 00007000 03:01 67934      /lib/tls/libnss_compat-2.3.6.so
b72e4000-b73fb000 r-xp 00000000 03:01 154384     /usr/lib/libxml2.so.2.6.26
b73fb000-b7401000 rwxp 00116000 03:01 154384     /usr/lib/libxml2.so.2.6.26
b7401000-b7430000 r-xp 00000000 03:01 63237      /usr/lib/libidn.so.11.5.10
b7430000-b7431000 rwxp 0002f000 03:01 63237      /usr/lib/libidn.so.11.5.10
b7431000-b7467000 r-xp 00000000 03:01 62954      /usr/lib/libcurl.so.3.0.0
b7467000-b7468000 rwxp 00036000 03:01 62954      /usr/lib/libcurl.so.3.0.0
b7468000-b7540000 r-xp 00000000 03:01 3129       /lib/libcrypto.so.5
b7540000-b7552000 rwxp 000d8000 03:01 3129       /lib/libcrypto.so.5
b7552000-b7555000 rwxp b7552000 00:00 0
b7555000-b7580000 r-xp 00000000 03:01 3197       /lib/libssl.so.5
b7580000-b7583000 rwxp 0002a000 03:01 3197       /lib/libssl.so.5
b7583000-b7593000 r-xp 00000000 03:01 67940      /lib/tls/libresolv-2.3.6.so
b7593000-b7595000 rwxp 0000f000 03:01 67940      /lib/tls/libresolv-2.3.6.so
b7595000-b7597000 rwxp b7595000 00:00 0
b7597000-b75ae000 r-xp 00000000 03:01 63427      /usr/lib/libpcre.so.0.0.1
b75ae000-b75b5000 rwxp 00016000 03:01 63427      /usr/lib/libpcre.so.0.0.1
b75b5000-b75c4000 r-xp 00000000 03:01 3119       /lib/libbz2.so.1.0.3
b75c4000-b75c5000 rwxp 0000f000 03:01 3119       /lib/libbz2.so.1.0.3
b75c5000-b75ca000 r-xp 00000000 03:01 208878     /usr/lib/libgdbm.so.3.0.0
b75ca000-b75cb000 rwxp 00004000 03:01 208878     /usr/lib/libgdbm.so.3.0.0
b75cb000-b769d000 r-xp 00000000 03:01 3132       /lib/libdb-4.2.so
b769d000-b769f000 rwxp 000d2000 03:01 3132       /lib/libdb-4.2.so
b769f000-b76bb000 r-xp 00000000 03:01 63280      /usr/lib/libjpeg.so.62.0.0
b76bb000-b76bc000 rwxp 0001b000 03:01 63280      /usr/lib/libjpeg.so.62.0.0
b76bc000-b76f4000 r-xp 00000000 03:01 208932     /usr/lib/libpng.so.3.1.2.12
b76f4000-b76f5000 rwxp 00037000 03:01 208932     /usr/lib/libpng.so.3.1.2.12
b76f5000-b7757000 r-xp 00000000 03:01 129516     /usr/lib/libfreetype.so.6.3.8
b7757000-b775a000 rwxp 00062000 03:01 129516     /usr/lib/libfreetype.so.6.3.8
b775a000-b7784000 r-xp 00000000 03:01 83070      /usr/local/lib/libgmp.so.3.3.3
b7784000-b7785000 rwxp 0002a000 03:01 83070      /usr/local/lib/libgmp.so.3.3.3
b7785000-b77ba000 r-xp 00000000 03:01 63298      /usr/lib/libldap-2.3.so.0.2.15
b77ba000-b77bb000 rwxp 00034000 03:01 63298      /usr/lib/libldap-2.3.so.0.2.15
b77bb000-b77f7000 r-xp 00000000 03:01 63327      /usr/lib/libmhash.so.2.0.0
b77f7000-b77f8000 rwxp 0003c000 03:01 63327      /usr/lib/libmhash.so.2.0.0
b7803000-b780f000 rwxs 00000000 00:07 1802245    /SYSV00000000 (deleted)
b780f000-b7811000 r-xp 00000000 03:01 195970     /usr/lib/php/extensions/gettext.so
b7811000-b7812000 rwxp 00002000 03:01 195970     /usr/lib/php/extensions/gettext.so
b7812000-b781c000 r-xp 00000000 03:01 195971     /usr/lib/php/extensions/mysql.so
b781c000-b781d000 rwxp 00009000 03:01 195971     /usr/lib/php/extensions/mysql.so
b781d000-b782f000 r-xp 00000000 03:01 67933      /lib/tls/libnsl-2.3.6.so
b782f000-b7831000 rwxp 00011000 03:01 67933      /lib/tls/libnsl-2.3.6.so
b7831000-b7833000 rwxp b7831000 00:00 0
b7834000-b7845000 r-xp 00000000 03:01 63735      /usr/lib/libz.so.1.2.3
b7845000-b7846000 rwxp 00010000 03:01 63735      /usr/lib/libz.so.1.2.3
b7846000-b7851000 r-xp 00000000 03:01 92736      /usr/lib/liblber-2.3.so.0.2.15
b7851000-b7852000 rwxp 0000a000 03:01 92736      /usr/lib/liblber-2.3.so.0.2.15
b7852000-b7855000 r-xp 00000000 03:01 154527     /usr/lib/libmm.so.14.0.22
b7855000-b7856000 rwxp 00003000 03:01 154527     /usr/lib/libmm.so.14.0.22
b7856000-b7c38000 r-xp 00000000 03:01 195977     /usr/libexec/apache/libphp4.so
b7c38000-b7c77000 rwxp 003e2000 03:01 195977     /usr/libexec/apache/libphp4.so
b7c77000-b7c92000 rwxp b7c77000 00:00 0
b7c92000-b7c94000 r-xp 00000000 03:01 81301      /usr/libexec/apache/mod_setenvif.so
b7c94000-b7c95000 rwxp 00001000 03:01 81301      /usr/libexec/apache/mod_setenvif.so
b7c95000-b7c97000 r-xp 00000000 03:01 212277     /usr/libexec/apache/mod_log_forensic.so
b7c97000-b7c98000 rwxp 00001000 03:01 212277     /usr/libexec/apache/mod_log_forensic.so
b7c98000-b7c9a000 r-xp 00000000 03:01 81310      /usr/libexec/apache/mod_usertrack.so
b7c9a000-b7c9b000 rwxp 00002000 03:01 81310      /usr/libexec/apache/mod_usertrack.so
b7c9b000-b7c9c000 r-xp 00000000 03:01 212291     /usr/libexec/apache/mod_headers.so
b7c9c000-b7c9d000 rwxp 00000000 03:01 212291     /usr/libexec/apache/mod_headers.so
b7c9d000-b7c9f000 r-xp 00000000 03:01 81303      /usr/libexec/apache/mod_expires.so
b7c9f000-b7ca0000 rwxp 00001000 03:01 81303      /usr/libexec/apache/mod_expires.so
b7ca0000-b7ca2000 r-xp 00000000 03:01 81302      /usr/libexec/apache/mod_cern_meta.so
b7ca2000-b7ca3000 rwxp 00001000 03:01 81302      /usr/libexec/apache/mod_cern_meta.so
b7ca3000-b7cb8000 r-xp 00000000 03:01 212275     /usr/libexec/apache/libproxy.so
b7cb8000-b7cb9000 rwxp 00015000 03:01 212275     /usr/libexec/apache/libproxy.so
b7cb9000-b7cbb000 r-xp 00000000 03:01 212290     /usr/libexec/apache/mod_digest.so
b7cbb000-b7cbc000 rwxp 00001000 03:01 212290     /usr/libexec/apache/mod_digest.so
b7cbc000-b7cbe000 r-xp 00000000 03:01 212268     /usr/libexec/apache/mod_auth_dbm.so
b7cbe000-b7cbf000 rwxp 00001000 03:01 212268     /usr/libexec/apache/mod_auth_dbm.so
b7cbf000-b7cc0000 r-xp 00000000 03:01 212289     /usr/libexec/apache/mod_auth_anon.so
b7cc0000-b7cc1000 rwxp 00000000 03:01 212289     /usr/libexec/apache/mod_auth_anon.so
b7cc1000-b7cc3000 r-xp 00000000 03:01 81308      /usr/libexec/apache/mod_auth.so
b7cc3000-b7cc4000 rwxp 00001000 03:01 81308      /usr/libexec/apache/mod_auth.so
b7cc4000-b7cc6000 r-xp 00000000 03:01 81304      /usr/libexec/apache/mod_access.so
b7cc6000-b7cc7000 rwxp 00001000 03:01 81304      /usr/libexec/apache/mod_access.so
b7cc7000-b7cd3000 r-xp 00000000 03:01 212284     /usr/libexec/apache/mod_rewrite.so
b7cd3000-b7cd4000 rwxp 0000c000 03:01 212284     /usr/libexec/apache/mod_rewrite.so
b7cd4000-b7cd6000 r-xp 00000000 03:01 212279     /usr/libexec/apache/mod_alias.so
b7cd6000-b7cd7000 rwxp 00001000 03:01 212279     /usr/libexec/apache/mod_alias.so
b7cd7000-b7cd9000 r-xp 00000000 03:01 212283     /usr/libexec/apache/mod_userdir.so
b7cd9000-b7cda000 rwxp 00001000 03:01 212283     /usr/libexec/apache/mod_userdir.so
b7cda000-b7cdc000 r-xp 00000000 03:01 212281     /usr/libexec/apache/mod_speling.so
b7cdc000-b7cdd000 rwxp 00001000 03:01 212281     /usr/libexec/apache/mod_speling.so
b7cdd000-b7cde000 r-xp 00000000 03:01 212271     /usr/libexec/apache/mod_actions.so
b7cde000-b7cdf000 rwxp 00001000 03:01 212271     /usr/libexec/apache/mod_actions.so
b7cdf000-b7ce2000 r-xp 00000000 03:01 81309      /usr/libexec/apache/mod_imap.so
b7ce2000-b7ce3000 rwxp 00003000 03:01 81309      /usr/libexec/apache/mod_imap.so
b7ce3000-b7ce4000 r-xp 00000000 03:01 81306      /usr/libexec/apache/mod_asis.so
b7ce4000-b7ce5000 rwxp 00000000 03:01 81306      /usr/libexec/apache/mod_asis.so
b7ce5000-b7ce8000 r-xp 00000000 03:01 212285     /usr/libexec/apache/mod_cgi.so
b7ce8000-b7ce9000 rwxp 00002000 03:01 212285     /usr/libexec/apache/mod_cgi.so
b7ce9000-b7cea000 r-xp 00000000 03:01 212287     /usr/libexec/apache/mod_dir.so
b7cea000-b7ceb000 rwxp 00001000 03:01 212287     /usr/libexec/apache/mod_dir.so
b7ceb000-b7cf1000 r-xp 00000000 03:01 212282     /usr/libexec/apache/mod_autoindex.so
b7cf1000-b7cf2000 rwxp 00005000 03:01 212282     /usr/libexec/apache/mod_autoindex.so
b7cf2000-b7cfa000 r-xp 00000000 03:01 212286     /usr/libexec/apache/mod_include.so
b7cfa000-b7cfb000 rwxp 00007000 03:01 212286     /usr/libexec/apache/mod_include.so
b7cfb000-b7cff000 r-xp 00000000 03:01 192176     /usr/libexec/apache/mod_info.so
b7cff000-b7d00000 rwxp 00003000 03:01 192176     /usr/libexec/apache/mod_info.so
b7d00000-b7d01000 rwxp b7d00000 00:00 0
b7d01000-b7e2a000 r-xp 00000000 03:01 67928      /lib/tls/libc-2.3.6.so
b7e2a000-b7e2b000 r-xp 00128000 03:01 67928      /lib/tls/libc-2.3.6.so
b7e2b000-b7e2e000 rwxp 00129000 03:01 67928      /lib/tls/libc-2.3.6.so
b7e2e000-b7e31000 rwxp b7e2e000 00:00 0
b7e31000-b7e33000 r-xp 00000000 03:01 67931      /lib/tls/libdl-2.3.6.so
b7e33000-b7e35000 rwxp 00001000 03:01 67931      /lib/tls/libdl-2.3.6.so
b7e35000-b7e53000 r-xp 00000000 03:01 129521     /usr/lib/libexpat.so.0.5.0
b7e53000-b7e55000 rwxp 0001e000 03:01 129521     /usr/lib/libexpat.so.0.5.0
b7e55000-b7f50000 r-xp 00000000 03:01 171907     /lib/libdb-4.4.so
b7f50000-b7f53000 rwxp 000fb000 03:01 171907     /lib/libdb-4.4.so
b7f53000-b7f58000 r-xp 00000000 03:01 67930      /lib/tls/libcrypt-2.3.6.so
b7f58000-b7f5a000 rwxp 00004000 03:01 67930      /lib/tls/libcrypt-2.3.6.so
b7f5a000-b7f81000 rwxp b7f5a000 00:00 0
b7f81000-b7fa2000 r-xp 00000000 03:01 67932      /lib/tls/libm-2.3.6.so
b7fa2000-b7fa4000 rwxp 00020000 03:01 67932      /lib/tls/libm-2.3.6.so
b7fa5000-b7fa9000 r-xp 00000000 03:01 212278     /usr/libexec/apache/mod_status.so
b7fa9000-b7faa000 rwxp 00003000 03:01 212278     /usr/libexec/apache/mod_status.so
b7faa000-b7fb0000 r-xp 00000000 03:01 81307      /usr/libexec/apache/mod_negotiation.so
b7fb0000-b7fb1000 rwxp 00005000 03:01 81307      /usr/libexec/apache/mod_negotiation.so
b7fb1000-b7fb4000 r-xp 00000000 03:01 212280     /usr/libexec/apache/mod_mime.so
b7fb4000-b7fb5000 rwxp 00002000 03:01 212280     /usr/libexec/apache/mod_mime.so
b7fb5000-b7fba000 r-xp 00000000 03:01 212276     /usr/libexec/apache/mod_mime_magic.so
b7fba000-b7fbb000 rwxp 00004000 03:01 212276     /usr/libexec/apache/mod_mime_magic.so
b7fbb000-b7fbe000 r-xp 00000000 03:01 212272     /usr/libexec/apache/mod_log_config.so
b7fbe000-b7fbf000 rwxp 00002000 03:01 212272     /usr/libexec/apache/mod_log_config.so
b7fbf000-b7fc1000 r-xp 00000000 03:01 212273     /usr/libexec/apache/mod_define.so
b7fc1000-b7fc2000 rwxp 00001000 03:01 212273     /usr/libexec/apache/mod_define.so
b7fc2000-b7fc3000 r-xp 00000000 03:01 212288     /usr/libexec/apache/mod_env.so
b7fc3000-b7fc4000 rwxp 00000000 03:01 212288     /usr/libexec/apache/mod_env.so
b7fc4000-b7fc6000 r-xp 00000000 03:01 212270     /usr/libexec/apache/mod_vhost_alias.so
b7fc6000-b7fc7000 rwxp 00001000 03:01 212270     /usr/libexec/apache/mod_vhost_alias.so
b7fc8000-b7fc9000 rwxp b7fc8000 00:00 0
b7fc9000-b7fcd000 r-xp 00000000 03:01 224106     /lib/libsafe.so.2.0.16
b7fcd000-b7fce000 rwxp 00003000 03:01 224106     /lib/libsafe.so.2.0.16
b7fce000-b7fcf000 rwxp b7fce000 00:00 0
b7fcf000-b7fe5000 r-xp 00000000 03:01 67954      /lib/ld-2.3.6.so
b7fe5000-b7fe7000 rwxp 00015000 03:01 67954      /lib/ld-2.3.6.so
bfa9c000-bfab0000 rwxp bfa9c000 00:00 0          [stack]
bfab0000-bfab2000 rw-p bfab0000 00:00 0
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


-Kashif.


