In 2009 one of the hottest topics has been code reuse and return oriented programming as means to bypass exploitation mitigation features in modern operating systems. We have seen ROP being applied to x86, SPARC, ARM and even election machines. Time has come to take ROP into the world of web application security.
This presentation consists of two parts that will apply code reuse and ROP techniques to modern PHP exploits. The first part will show how ROP is applied entirely at the PHP level, reusing code parts of the already running PHP application to eventually achieve arbitrary code execution. It will be detailed how different PHP vulnerability classes can be used for these attacks, demonstrating some lesser known facts and tricks in PHP exploitation on the way.
The second part of the presentation will go below the PHP level and feature a previously unknown memory corruption in PHP itself that is exposed to remote attackers through several widespread PHP applications. It will be demonstrated step by step how it is possible to develop a remote exploit for this vulnerability, defeating ASLR and NX/DEP on the way, by utilizing an information leak and returning into the PHP interpreter to execute arbitrary PHP code.