来源

关联漏洞

描述

CVE-2024-4577 RCE PoC

介绍

# CVE-2024-4577-RCE-PoC

*While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.*

**This vulnerability was found by [Orange Tsai (@orange_8361)](https://x.com/orange_8361) of [DEVCORE (@d3vc0r3)](https://x.com/d3vc0r3). Make sure to follow his outstanding research, our role was to only recreate and develop the exploit for this issue.**

* *Why is it necessary to rewrite the exploit script when there are already many publicly available PoCs online?*
  1. Since many publicly available PoCs are based on the same original exploit, many vendors have used these PoCs as references and blocked certain keywords to prevent their exploitation. However, they often overlook blocking all potential exploit vectors. To address this, the script includes a simple mechanism for generating random parameters, as well as different LFI-to-RCE exploitation methods, to enhance the success rate of PHP CGI injection leading to RCE.
  2. During a test where I was attempting to reproduce an environmental vulnerability, I discovered that my PoC consistently triggered an HTTP 500 error, regardless of adjustments. Since I was working in a vulnerable environment, I started investigating the cause of the error. Then, I recalled an [article by Devcore](https://devco.re/blog/2020/03/11/play-with-dotnet-viewstate-exploit-and-create-fileless-webshell/) mentioning that, in certain exploit scenarios, the server would return an HTTP 500 error, even though the RCE exploit was actually successful. With this in mind, I decided to test whether I could spawn calc.exe locally, and to my surprise, it worked—it was a blind RCE!

      However, when I checked the Apache error log, I found an error referencing allow_url_include, despite the fact that the attack had executed successfully (and I still don't fully understand the root cause; if you have insights, please contact me). This led me to create an exploit that includes an option to test for blind RCE as well😊.
  3. If your target is an operating system version prior to Windows 7, you can still escalate to a visible RCE or reverse shell through other methods. However, these techniques are outside the scope of this article, so we won’t go into detail. As a penetration tester or red team specialist, you should be able to find alternative solutions fairly quickly, which can be an interesting process😊.

文件快照

 [4.0K]  /data/pocs/fa15cfbd7dc1052c0b0af71c7da991ea699c7959
└── [2.6K]  README.md

0 directories, 1 file

备注