Shall we -->
I was browsing/researching the web and stumbled upon some old war-games posted by Meathive, who happens to be the author of KinqPinz, which provides an excellent resource for security experts and coders.
I've been studying/learning php recently and thought I would tackle the following:
http://www.governmentsecurity.org/forum/topic/31635-php-14-satisfy-the-signal-handler/
https://kinqpinz.info/wargames/php/14/
 | |
| Vi - Image of Signal.php |
Heres the c0de:
#!/usr/bin/php <?php/* * https://kinqpinz.info/wargames/ * PHP #14 - Satisfy the signal handler. */ declare( ticks=1 ); if( !extension_loaded( "pcntl" ) ) die( "No pcntl support!\n" ); if( PHP_SAPI != "cli" ) die( "Run in term!\n" ); pcntl_signal( SIGILL,"____sighandler" ); function ____sighandler( $num ) { switch( $num ) { case SIGILL: echo "Bingo!\n"; exit; break; } } while( TRUE ) { echo "Waiting...\n"; usleep( 3000000 ); } ?>
Well, Let's Dance!
After chmod 755'ing the file and running the php script, I realized it was stuck in a conditional loop, printing/echoing the "Waiting.." every 3 seconds waiting for a return value or a change in the paramter to satisfy the loop/condition/signal handler existing here:
} while( TRUE ) { echo "Waiting...\n"; usleep( 3000000 ); } ?>
Then, examining the code that reads:
pcntl_signal( SIGILL,"____sighandler" ); function ____sighandler( $num ) { switch( $num ) { case SIGILL: echo "Bingo!\n"; exit; break; }
You'll realize the pcntl_signal is not passing the SIGILL paramter to satisfy the condition.
Hmm, ps -aux --> grab the PID
Pass the following signal call to the corresponding pid..
kill -s SIGILL <PID>
Bingo!
 |
| Anticipated Result |
Resources Used:
http://www.khmere.com/freebsd_book/html/ch04.html
http://php.net/manual/en/ref.pcntl.php
http://users.actcom.co.il/~choo/lupg/tutorials/signals/signals-programming.html
http://php.net/manual/en/function.pcntl-signal.php
