Utilizing Code Reuse/Return Oriented Programming in PHP Web Application Exploits, presented at SyScan 2010

by Stefan Esser

Tags: Security Web

Summary: In 2009, one of the hottest topics was code reuse and return oriented programming (ROP) as a means to bypass the exploitation mitigation features of modern operating systems. We have seen ROP applied to x86, SPARC, ARM and even election machines. The time has come to take ROP into the world of web application security.

This presentation consists of two parts that apply code reuse and ROP techniques to modern PHP exploits. The first part shows how ROP is applied entirely at the PHP level, reusing code parts of the already running PHP application to eventually achieve arbitrary code execution. It details how different PHP vulnerability classes can be used for these attacks, demonstrating some lesser known facts and tricks of PHP exploitation along the way.

The second part of the presentation goes below the PHP level and features a memory corruption in PHP itself that is exposed to remote attackers through several widespread PHP applications. It demonstrates step by step how a remote exploit for this vulnerability can be developed, defeating ASLR and NX/DEP on the
way, by utilizing an information leak and returning into the PHP interpreter to execute arbitrary PHP code.