CVE-2007-1701

PHP 4.0.0-4.4.4 - Remote Code Execution via Session Data Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1701. PoCs published by Stefan Esser.

AI-analyzed exploit summary This exploit targets a PHP session_decode() vulnerability (CVE-2007-1701) by manipulating session data to overwrite memory and execute shellcode. It uses a heap spray technique and leverages the substr_compare() vulnerability to locate offsets for precise memory corruption.

Description

PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".

Exploits (1)

exploitdb WORKING POC VERIFIED

by Stefan Esser · phplocallinux

https://www.exploit-db.com/exploits/3572

View Code ZIP pw:eip

This exploit targets a PHP session_decode() vulnerability (CVE-2007-1701) by manipulating session data to overwrite memory and execute shellcode. It uses a heap spray technique and leverages the substr_compare() vulnerability to locate offsets for precise memory corruption.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: PHP (versions affected by CVE-2007-1701)

No auth needed

Prerequisites: PHP with vulnerable session_decode() function · Ability to control session data

MITRE ATT&CK