State Of The Art Post Exploitation In Hardened PHP Environments presented at SyScan 2009

by Stefan Esser

Tags: Security Exploitation

Summary: When an attacker manages to execute arbitrary PHP code in a web application, he nowadays
often ends up in a hardened PHP environment that not only makes use of PHP's internal
protections like safe_mode, open_basedir or disable_functions but also makes use of Suhosin
and operating system, filesystem or libc level security mechanisms like ASLR, NX, hardened
memory managers or Unix file permissions.

In such a situation, taking over the server becomes a challenge and requires PHP shellcode
that is able to use local PHP exploits to get around these protections. This talk will show
the problems that the different protection mechanisms create for PHP shellcode, will give
an insight into the internal memory structures of PHP that are required to write stable
local exploits, and will demonstrate how a special class of vulnerabilities in PHP that also
exists in standard functions enables PHP shellcode to get around most of these protections.