tags: php, OOB read, heap overflow
original link: Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 3)
newsletter link: exploits.club Weekly Newsletter 41 - Exploit Dev Lifecycle, Binder Internals, UEFI Deep-Dive, and More


Exploits Club Summary:

The third and final part detailing how a 24-year-old bug can be used to exploit the PHP engine was released earlier this week. This part builds on the exploit detailed in part 2, this time making it more generic and not dependent on any program output. The exploitation strategy starts by allocating a large number of byte buffers of varying sizes, then strategically uses the corruption to achieve an arbitrary read primitive (after jumping through a few hurdles). It then uses this arbitrary read to find the addresses necessary for further exploitation, such as those of system and malloc. After this, it is able to use the same exploit strategy as detailed in the first two parts.