As part of my research into exploiting race conditions in web applications written in PHP, I developed a small script that I want to share with you today: the tool, named SlowHorses, is now available on GitHub.

I'll show you how to use the tool through an example; after that, all that is left for you to do is find vulnerable web applications.

Example of use

Let’s assume that our target exposes the following two PHP scripts:

  • file_1.php
  • file_2.php

File: file_1.php

<?php

// Opens whatever URL the client supplied: no scheme or host restriction.
$f = fopen($_GET["url"], "r");
// Anonymous temporary file in the system temp directory; it exists on disk
// for as long as $g stays open.
$g = tmpfile();

// Copies the remote stream 1 KiB at a time, so the loop (and the temporary
// file) lives exactly as long as the remote side keeps sending data.
while (!feof($f)) {
    $data = fread($f, 1024);
    fwrite($g, $data);
}

// Neither handle is closed explicitly; the temporary file is only removed
// when the script finishes.
?>

File: file_2.php

<?php

// Includes whatever path the client supplies: a local file inclusion
// primitive that will execute the PHP code found in that file.
require $_GET["path"];

?>

We can exploit a race condition here to execute any PHP code we want: file_1.php writes content we control into a temporary file, and file_2.php will include a file whose path we choose. The window is the time during which that temporary file exists on disk, which is exactly as long as the download in file_1.php is still in progress. To exploit it, we use SlowHorses to make that window as large as possible (infinite in the best-case scenario).
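For comparison, here is a hardened version of the logic of both scripts, added here as an example (it is not code from the original post or from SlowHorses). It restricts the fetched URL to an allow-listed HTTPS origin, bounds the transfer in time and size so a slow sender cannot keep the temporary file alive, always closes the temporary file, and never passes request data to require. The allowed host list and the page file names are assumptions.

```php
<?php
// Added example, not from SlowHorses or the post: hardened replacements for
// the logic of file_1.php and file_2.php. Host and page names are assumptions.

// file_1.php, hardened: fetch only from an allow-listed HTTPS origin, bound the
// transfer in time and size, and always close the temporary file.
function fetch_to_tempfile(string $url, array $allowedHosts, int $maxBytes = 1048576): string
{
    $p = parse_url($url);
    if ($p === false || ($p['scheme'] ?? '') !== 'https'
        || !in_array($p['host'] ?? '', $allowedHosts, true)) {
        throw new InvalidArgumentException('url not allowed');
    }
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $f = fopen($url, 'r', false, $ctx);
    if ($f === false) { throw new RuntimeException('fetch failed'); }
    stream_set_timeout($f, 5);               // abort on a stalled read
    $g = tmpfile(); $total = 0;
    try {
        while (!feof($f)) {
            $data = fread($f, 1024);
            if ($data === false || stream_get_meta_data($f)['timed_out']) {
                throw new RuntimeException('transfer stalled');
            }
            if (($total += strlen($data)) > $maxBytes) {
                throw new RuntimeException('transfer too large');
            }
            fwrite($g, $data);
        }
        rewind($g);
        return stream_get_contents($g);       // hand back data, never a path
    } finally {
        fclose($f);
        fclose($g);                           // tmpfile() is unlinked here
    }
}

// file_2.php, hardened: resolve a short key against a fixed map instead of
// passing request data to require.
function resolve_page(string $key): string
{
    $pages = ['home' => __DIR__ . '/pages/home.php',    // assumed file names
              'about' => __DIR__ . '/pages/about.php'];
    if (!array_key_exists($key, $pages)) {
        throw new InvalidArgumentException('unknown page');
    }
    return $pages[$key];
}
require resolve_page($_GET['page'] ?? 'home');
```

With the include path fixed server-side, the content of the temporary file no longer matters, and with the transfer bounded and the handle closed, the file does not outlive the request.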

Here’s what the exploitation diagram looks like:

[Image: exploitation diagram]

Let’s keep it going with a Proof Of Concept.

Proof Of Concept

Within SlowHorses, replace the default payload:

<?php phpinfo(); ?>

with:

<?php system("id"); ?>

Which gives the following result once the attack has been launched:

[Image: output of the attack]