CVE-2006-4020

PHP <= 5.1.4 & <= 4.4.3 - Buffer Overflow

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4020. PoCs published by Andi.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in PHP's sscanf() function (CVE-2006-4020) to achieve remote code execution. It manipulates memory allocation to overwrite a return address and execute shellcode, binding a shell to port 20000.

Description

scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Andi · phplocallinux
https://www.exploit-db.com/exploits/2193

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: PHP <= 4.4.3 / 5.1.4
Authentication: No auth needed
Prerequisites: PHP with vulnerable sscanf() function · Ability to execute PHP code on the target system · Specific memory layout for successful exploitation
Analysis: devstral-2 · analyzed Feb 16, 2026

References (39)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19415
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2006-0669.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11062
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2006-0682.html
Exploit, Patch, Vendor Advisory mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/442438/30/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016984
Exploit, URL Repurposed x_refsource_misc
http://www.plain-text.info/sscanf_bug.txt
Vendor Advisory x_refsource_confirm
http://www.php.net/release_5_1_5.php
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21768
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21403
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2006:144
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21847
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_20_sr.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22487
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-342-1
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22039
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2006-0688.html
Exploit, Patch x_refsource_confirm
http://bugs.php.net/bug.php?id=38322
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21683
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23247
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21467
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_19_sr.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22004
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22538
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21546
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21608
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22440
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22069
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_22_sr.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3193
Vendor Advisory x_refsource_confirm
http://www.php.net/ChangeLog-5.php#5.1.5
Vendor Advisory vendor-advisory x_refsource_sgi
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200608-28.xml
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1341
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2006-0736.html
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_52_php.html

Scores

EPSS 0.0154
EPSS Percentile 71.6%

Details

Status published
Products (34)
php/php 4.0 (8 CPE variants)
php/php 4.0.0
php/php 4.0.1 (3 CPE variants)
php/php 4.0.2
php/php 4.0.3 (2 CPE variants)
php/php 4.0.4 (2 CPE variants)
php/php 4.0.5
php/php 4.0.6
php/php 4.0.7 (4 CPE variants)
php/php 4.1.0
... and 24 more
Published Aug 08, 2006
Tracked Since Feb 18, 2026