Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Source
https://github.com/PhinehasNarh/CVE-2024-4577-LetsDefend-walkthrough
Associated Vulnerability
Title:Argument Injection in PHP-CGI (CVE-2024-4577)
Description:In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Description
This is an Incident Response Walkthrough: Mitigating a Zero-Day Attack (CVE-2024-4577)
Readme
## Incident Response Walkthrough: Mitigating a Zero-Day Attack (CVE-2024-4577)

[LetsDefend Write-up] PHP-CGI (CVE-2024–4577)


**Scenario:** Our Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) identified a potential attack targeting a critical system component at 12:05 PM UTC. This write-up details the investigation process to confirm the exploitation attempt and understand the attacker's actions.

**Investigation:**

1. **Understanding the Vulnerability (CVE-2024-4577):** 
    - Resources provided valuable insights into the vulnerability and potential exploitation methods.

2. **Identifying the Vulnerable PHP Version:**
    - Two methods were employed:
        - Analyzing `news.txt` for PHP update history.
        - Directly running `php.exe -v` to determine the version. 
    - **Vulnerable Version:** 8.2.19 

3. **Verifying PHP-CGI Configuration:**
    - Analyzed `httpd.conf` to confirm the directive enabling exploitability through `php-cgi.exe`.

4. **Identifying Attacker's IP:**
    - Examined `access.log` within the Apache logs directory.
    - **Attacker IP:** 192.168.110.1 

5. **Targeted Page:**
    - While the application primarily uses `upload.php`, the attacker might have used an `index.html` for testing purposes.
    - **Targeted Page:** ( Likely upload.php)

6. **Apache Version:**
    - Inspected `error.log` to determine the Apache version.
    - **Apache Version:** 2.4.59 

7. **Analyzing Executed Processes:**
    - Initial investigation using PECmd and Timeline Explorer revealed no suspicious activity.
    - Correlating access and error logs identified successful attack attempts.
    - Timeline Explorer identified the following processes executed after successful exploitation:
        - whoami.exe
        - calc.exe

**Exploit Identification:** The attacker exploited the zero-day vulnerability (CVE-2024-4577).

**Learning Outcomes:**

- This challenge provided hands-on experience with:
    - Investigating zero-day vulnerabilities (CVE-2024-4577)
    - Identifying vulnerable software versions
    - Analyzing exploit methods
    - Utilizing Prefetch for potential command detection

**Note:** This write-up excludes specific details like vulnerable version, attacker IP, and targeted page to avoid providing a blueprint for attackers. 



Badge Acquired
Cve 2024 4577
Php Cgi
Cybersecurity
Lets Defend
Letsdefendio

## Writeup By: ph1n3y
File Snapshot

 [4.0K]  /data/pocs/d901d3072ee8b267ea4b17eb12eced7243e1907c
└── [2.4K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →