Although I failed to solve the challenge during the CTF, I think it is worthwhile to do a write-up.

The challenge is to exploit a PHP script engine using this bug. We can execute arbitrary PHP code, but we must bypass the disable_functions restriction to run shell commands, and the way to do that is a UAF vulnerability in the engine. Therefore, this is really more of a pwn challenge than a web challenge.

However, unlike the official PHP engine, a custom libphp7.so is provided. This engine does not provide any loop constructs such as for/while/do-while/foreach. Moreover, on the remote server the recursion depth is also restricted and the strlen function always returns NULL, even though neither of these restrictions occurs in my local environment.

The exploit idea is similar to the exploit provided on GitHub: use the UAF to overlap a string with an object so that we can leak addresses, then clone a function object and rewrite the relevant function pointer so that the cloned function becomes system.

Original writeup (https://mem2019.github.io/jekyll/update/2020/05/04/Easy-PHP-UAF.html).