CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Source

https://github.com/zomasec/CVE-2024-4577

Associated Vulnerability

Title:Argument Injection in PHP-CGI (CVE-2024-4577)
Description:In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Description

CVE-2024-4577 Exploit POC

Readme

# CVE-2024-4577 PoC Exploit

![CVE-2024-4577](static/cve.png)

## Description
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-4577, a critical vulnerability affecting all versions of PHP running on Windows. The vulnerability allows attackers to execute arbitrary code remotely. The flaw also impacts the XAMPP development environment installed on Windows systems. Researchers have observed active scanning for this vulnerability, making it crucial for affected organizations to update their PHP installations promptly.

## Vulnerability Details
The vulnerability stems from an argument injection bug resulting from an incomplete fix for a separate vulnerability dating back to 2012 (CVE-2012-1823). The PHP development team overlooked the Best-Fit feature of encoding conversion within the Windows operating system, allowing unauthenticated attackers to bypass previous protections. This oversight enables attackers to execute arbitrary code on remote PHP servers through an argument injection attack.

## Exploitation Scenarios
1. **PHP Running in CGI Mode:** Attackers can exploit this vulnerability directly when PHP is configured in CGI mode, commonly used in web server setups.
2. **Exposed PHP Binary in CGI Directory (XAMPP):** The default mode for XAMPP, a popular PHP development environment, exposes the PHP binary in the CGI directory, making it vulnerable to exploitation.

## Usage
1. Install the tool using the command:
   ```
   go install -v github.com/zomasec/CVE-2024-4577/cmd/CVE-2024-4577
   ```

2. Use the tool with the following flags:
   ```
   CVE-2024-4577 -l/-d <hostsFile>/<host> -c <concurrency> -timeout <timeout>
   ```
   - `-l`: File containing a list of hosts to scan.
   - `-d`: Single host to scan.
   - `-c`: Number of concurrent scans (default is 10).
   - `-timeout`: Request timeout in seconds (default is 5).

   Example:
   ```
   CVE-2024-4577 -l hosts.txt -c 20 -timeout 10
   ```
3. You can use these dorks :
Hunter:```header.server="PHP"```
FOFA: ```server="PHP"```
SHODAN: ```server: PHP os:Windows```

 
---

## Resources
1. [Tenable Blog - CVE-2024-4577 Proof of Concept Available for PHP CGI Argument Injection Vulnerability](https://www.tenable.com/blog/cve-2024-4577-proof-of-concept-available-for-php-cgi-argument-injection-vulnerability)
2. [Duo Decipher - Critical PHP Flaw CVE-2024-4577 Patched](https://duo.com/decipher/critical-php-flaw-cve-2024-4577-patched)

File Snapshot


 [4.0K]  /data/pocs/252ff8265651e6b0454a1f668c54d0e48da8fc8d
├── [4.0K]  cmd
│   └── [4.0K]  CVE-2024-4577
│       └── [1.1K]  main.go
├── [4.0K]  config
│   └── [ 401]  config.go
├── [ 129]  go.mod
├── [ 332]  go.sum
├── [1.0K]  LICENSE
├── [4.0K]  pkg
│   ├── [4.0K]  client
│   │   └── [ 673]  client.go
│   ├── [4.0K]  exploit
│   │   └── [1.0K]  exploit.go
│   ├── [4.0K]  runner
│   │   └── [ 839]  runner.go
│   └── [4.0K]  utils
│       └── [ 709]  utils.go
├── [2.4K]  README.md
└── [4.0K]  static
    └── [325K]  cve.png

9 directories, 11 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!