
[FAILED] Failed while running the PoC, /proc/$pid/mem not writable

Open WangYihang opened this issue 7 years ago • 3 comments

Hi, beched, thank you so much for your excellent work! I want to try your PoC, but it fails... could you please give me a hand? Here is the error message:

➜  ~ php procfs_bypass.php
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org)
[*] Trying to get open@plt offset in PHP binary
[+] Offset is 0x648058
[*] Libc location: /lib/x86_64-linux-gnu/libc-2.26.so
[*] Trying to get open and system symbols from Libc
[+] Got them. Seeking for address in memory
[*] open@plt addr: 0x0
[*] system@plt addr: 0xfffffffffff44090
[*] Rewriting open@plt address
[-] Write failed. Exiting

The file /proc/$pid/mem is not writable...

➜  ~ ps aux | grep php
root     12403  0.0  2.9 161832 14596 pts/2    S+   03:52   0:00 php -a
root     12934  0.0  0.2  14788  1076 pts/4    S+   03:58   0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn php
➜  ~ ls -al /proc/12403/maps
-r--r--r-- 1 root root 0 May  4 03:52 /proc/12403/maps
➜  ~ ls -al /proc/12403/mem 
-rw------- 1 root root 0 May  4 03:52 /proc/12403/mem

I am not sure if the PHP team fixed this vulnerability or not? Thank you so much~

WangYihang, May 04 '18 04:05

I think the PHP team has removed the __libc_system@GLIBC function from the php binary, but maybe there are some other functions which have the same signature as system that can help us to execute commands... like popen?

➜  18733 readelf -a /usr/bin/php | grep 'FUNC.*\@GLIBC' | grep system
➜  18733 readelf -a /usr/bin/php | grep 'FUNC.*\@GLIBC' | grep __open
   463: 00000000     0 FUNC    GLOBAL DEFAULT  UND __open64_2@GLIBC_2.7 (5)
➜  18733 readelf -a /usr/bin/php | grep 'FUNC.*\@GLIBC' | grep popen 
   424: 00000000     0 FUNC    GLOBAL DEFAULT  UND popen@GLIBC_2.1 (10)

WangYihang, May 05 '18 02:05

The source code just searches through libc.so, so there is no problem about __libc_system, and Linux has enabled writing to /proc/pid/mem since 2.6.39 (enable writing to /proc/pid/mem). Here is my fixed script: procfs_bypass fixed, tested on Kali 2 4.9.30, PHP 7.0. Hope it helps.

verctor, May 28 '18 14:05
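Defensive takeaway from the two technical comments above (popen standing in for system, and Linux allowing a process to write its own /proc/pid/mem since 2.6.39): disable_functions alone is not a security boundary once the PHP process can patch its own memory, so the conditions that make the bypass matter should be audited. The following script is an added example, not part of this issue or of the procfs_bypass PoC; the list of command-execution functions it checks (EXEC_FUNCTIONS) and the file name audit.php are my own assumptions.

```php
<?php
// Added example for this thread, not part of the original issue or of the
// procfs_bypass PoC. It reports the posture facts that decide whether
// disable_functions is still a meaningful control for this process:
//  - can the process write its own /proc/self/mem (what the PoC rewrites),
//  - does it run as root (a bypass then executes commands as root),
//  - are command-execution functions with the same role as system()
//    (the thread mentions popen) left enabled,
//  - is open_basedir configured at all.

declare(strict_types=1);

/** Command-execution functions a hardened disable_functions should cover
 *  (assumed list; extend it to your own policy). */
const EXEC_FUNCTIONS = [
    'system', 'exec', 'shell_exec', 'passthru',
    'popen', 'proc_open', 'pcntl_exec',
];

/** Parse the comma-separated disable_functions directive into a lowercased list. */
function disabledFunctions(): array
{
    $raw   = (string) ini_get('disable_functions');
    $parts = array_map('trim', explode(',', $raw));
    $parts = array_filter($parts, function (string $s): bool { return $s !== ''; });
    return array_map('strtolower', array_values($parts));
}

/** Return the execution functions that are NOT listed in disable_functions. */
function execFunctionsStillEnabled(array $disabled): array
{
    return array_values(array_diff(EXEC_FUNCTIONS, $disabled));
}

/** Collect the facts relevant to the /proc/pid/mem bypass discussed above. */
function audit(): array
{
    $openBasedir = (string) ini_get('open_basedir');
    return [
        'sapi'                     => PHP_SAPI,
        'uid'                      => getmyuid(),
        'running_as_root'          => getmyuid() === 0,
        'open_basedir_set'         => $openBasedir !== '',
        'exec_funcs_still_enabled' => execFunctionsStillEnabled(disabledFunctions()),
        // /proc/self/mem is mode 0600 and owned by the process uid (see the
        // ls output earlier in the thread), so "writable" here means the
        // process can patch its own mapped code and data; disable_functions
        // cannot stop that, only process isolation can.
        'proc_self_mem_writable'   => @is_writable('/proc/self/mem'),
    ];
}

/** Print the findings; returns the number of findings rated as problems. */
function report(array $a): int
{
    $problems = 0;
    printf("[*] SAPI: %s, uid: %d\n", $a['sapi'], $a['uid']);
    if ($a['running_as_root']) {
        echo "[-] PHP is running as root; a disable_functions bypass would run commands as root\n";
        $problems++;
    }
    if (!$a['open_basedir_set']) {
        echo "[-] open_basedir is not set\n";
        $problems++;
    }
    if ($a['exec_funcs_still_enabled'] !== []) {
        echo "[-] Command-execution functions not in disable_functions: "
            . implode(', ', $a['exec_funcs_still_enabled']) . "\n";
        $problems++;
    }
    if ($a['proc_self_mem_writable']) {
        echo "[-] /proc/self/mem is writable: disable_functions is not a boundary for this "
            . "process; rely on a dedicated uid, containers or seccomp for isolation\n";
        $problems++;
    } else {
        echo "[+] /proc/self/mem is not writable from this process\n";
    }
    return $problems;
}

exit(report(audit()) > 0 ? 1 : 0);
```

Run it as `php audit.php` under the same SAPI and php.ini as the production workload (php-cli and php-fpm may load different ini files, so a clean CLI result says nothing about the web SAPI); a non-zero exit status flags at least one problem, which makes it usable as a deployment gate.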

Cool, your script is excellent! I learned a lot from you, thank you so much~

WangYihang, May 28 '18 14:05