Exploit - Php 5.5.9

She replayed the attacker's steps in a local sandbox, her fingers dancing over a cloned environment.

<?php // Simulated memory spray for CVE-2015-4024 $evil_url = "http://127.0.0.1/trigger#" . str_repeat("A", 2048); $headers = get_headers($evil_url, 1); if ($headers === FALSE) // The crash is expected. The exploit relies on the use-after-free. $memory_leak = memory_get_usage(); // Attacker would then spray the heap with a crafted serialized object. php 5.5.9 exploit

Then, the trigger. A crafted HTTP request with a malicious User-Agent header, longer than a novella, containing a specific sequence of null bytes and heap spray data. The get_headers() function, when fed a URL with a fragment identifier longer than 1024 bytes, would try to free a memory pointer that was already freed. A classic double-free. She replayed the attacker's steps in a local

%!s(int=2026) © %!d(string=Evergreen Garden)

What's on this Page