The nice thing about the extension was that it handled anti-CSRF tokens for all the tools transparently instead of having something specific for the intruder. Not that you can’t do any job just with the intruder but it’s just easier to use.

I dropped an email to portswigger the day after I wrote this post but never got a response back, we’ll never know if he reused my code but I want to think that at least it helped

However, previous to Burp 1.4beta, one could implement automation against anti-automation, including anti-CSRF tokens by using the recursive grep Intruder payload set. This is only available in the Intruder module, but it suffices.

recursive grep is easy to configure, as well. You go into the options, extract grep portion of the configuration and add the relevant portion of the response, probably as regex ending ni the token name (along with the equals sign if it’s there), which is typically found in either the HTTP header response or the HTML body as a body parameter. Set the stop capturing field, which is below the extract grep configuration. Usually this would be a quote or double-quote character. You may also need to set the max-length (some CSRF tokens and other anti-automation varies, so it’s best to collect a few before you settle on a maximum length).

Back in the intruder payloads section, the `select “extract grep” item to use’ field should be automatically set to the extract grep field added in the options tab. Configure the first payload as the first token found (usually the one in the intruder positions tab that was sent via the proxy history). Put it to work by using intruder menu, “start attack” as normal. That’s it — and I know you’re thinking this sounds like a mouthful, but really it’s not that bad. In some ways, I almost prefer it to the new Burp Pro 1.4beta macro language that is necessary (although it’s worth it to be able to use Spider, Scanner, and the other tools).

can you give me some hint about how/where is the stack pointer changed?

so $fakezval. $i will be allocated at he adress of ‘AAAA’ ?
Again, can you point me to the php sources where to take a look?

Note that “BBBB” is
still pointing there so effectively anything we write to $v will be referenced o
n access to “BBBB”.

You mean, that with the code
$objst->rewind();$objst->next();

we will go to the secondd element (‘BBBB’) which has a reference to the ‘AAAA’ and now we will find at that address everything that is written into $v array? I understood correctly?

In $v[$i]=$fakezval.$i PHP will change the stack pointer to make room for the ne
w variable using the same address that was used for “AAAA”. Note that “BBBB” is
still pointing there so effectively anything we write to $v will be referenced o
n access to “BBBB”.

b) In the last code snippet there are two $fakezval variables. If you read the p
ost carefully you will see he has got control over the instruction pointer. He k
nows the address of the system function, which takes it’s parameter from the sta
ck. Using the same trick as in the previous question he gets the string “sh” ont
o the stack (that is the first integer in $fakezval2 (translate those hex values into ASCII) so that when system gets called it will find it and take it as it’s first parameter.

c) I haven’t had the time to try this yet, at first sight it looks like the reference at the end on the string might be wrong (r:11;). If I have the time to look into it I will let you know.

Regarding the reading part:

a)
for($i = 0; $i < 5; $i++) {
$v[$i]=$fakezval.$i; // we repeat the same value several times to overwrite the zval that was freed
}

$fakezval.$i will overwrite the freed zval? Can you give some more details?

b) in the last example, how is the parameter to 'system' passed?

c)
also i'm trying to create manually a serialized string:

$a= unserialize('a:1:{i:0;C:16:"SplObjectStorage":173:{x:i:2;i:0;,a:10:{i:0;i:1;i:1;i:2;i:2;i:3;i:3;i:4;i:4;i:5;i:5;i:6;i:6;i:7;i:7;i:8;i:8;i:9;i:9;i:10;};O:8:"stdClass":0:{},i:1;;m:a:2:{i:1;S:19:"0100AAA01101\x00BBCCC";i:2;r:11;}}}
');

It gives me an error because of the string "0100AAA01101\x00BBCCC"

but if i try to unserialize this string separately:

$s = 'S:19:"0100AAA01101\x00BBCCC"';

echo unserialize($s) . ' ccccc';

it doesn't give me any error. any idea why?

Thanks again!

This is sort of off-topic but i’m trying anyway, perhaps you can help me…..
I saw you have commented here : http://blog.nibbles.fr/1837
and i was curious if you understand everything from that article and you could answer me to some questions about that…..

Thanks a lot!

Thanks for the information, I especially enjoyed this article as you included the asm overview. If you have any further information on the startup processes of the x86 arch, I would very much enjoy reading it.

Regards,
Force