CVE-2007-1465

Experiment Environment

Ubuntu 8.10

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-1465/dproxy-0.5.tar.gz
tar -xvf dproxy-0.5.tar.gz
cd dproxy-0.5
make

Problems in Installation & Configuration

How to trigger vulnerability

Server:

sudo ./dproxy -d -c ./dproxy.conf

Client:

perl exploit.pl

PoCs

dproxy 0.5 - Remote Buffer Overflow (Metasploit)

DProxy Stack-Based Buffer-Overflow Vulnerability

But those two PoCs are dependent on Metasploit. So I rewrote the PoC and uploaded it to this folder.

Vulnerability Details & Patch

Root Cause

In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long, is copied into a variable called query_string, which is at most 2048 bytes. Because the copy is done with strcpy, which has no length bound, a query longer than 2048 bytes overwrites the stack beyond query_string, which can lead to arbitrary command execution.

105    /* child process only here */
106    signal(SIGCHLD, SIG_IGN);
107
108    strcpy( query_string, pkt.buf );
109    decode_domain_name( query_string );
110    debug("query: %s\n", query_string );
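The following is an added example, not code from dproxy or from this repository, that shows the bounded replacement for the unbounded strcpy above beside the strncpy form. The buffer sizes (4096 and 2048) are the ones stated in the root-cause description; the constant and function names (PKT_BUF_SIZE, QUERY_STR_SIZE, copy_query, and the helpers) are assumptions chosen for this example. It also demonstrates the caveat that strncpy with the full destination size does not NUL-terminate when the source is at least as long as the destination.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes as described in the README: the UDP packet buffer can hold up to
 * 4096 bytes, query_string only 2048. These names are assumptions made
 * for this example, not dproxy's own identifiers. */
#define PKT_BUF_SIZE   4096
#define QUERY_STR_SIZE 2048

/* Length of src, never reading past src_size bytes (stands in for
 * strnlen so the example needs no POSIX feature macros). */
static size_t bounded_len(const char *src, size_t src_size)
{
    size_t n = 0;
    while (n < src_size && src[n] != '\0')
        n++;
    return n;
}

/* Bounded copy that always NUL-terminates the destination.
 * Returns 1 when the source fit completely, 0 when it was truncated.
 * This is the hardened replacement for strcpy( query_string, pkt.buf ). */
int copy_query(char *dst, size_t dst_size, const char *src, size_t src_size)
{
    size_t n = bounded_len(src, src_size);
    if (dst_size == 0)
        return 0;
    if (n >= dst_size) {
        /* Too long: copy what fits, terminate, and report truncation
         * so the caller can drop the query instead of decoding it. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Constructed sample packet: src_len 'A' bytes followed by a NUL
 * (capped so it always fits in the packet buffer). */
static void make_packet(char *pkt_buf, size_t src_len)
{
    if (src_len > PKT_BUF_SIZE - 1)
        src_len = PKT_BUF_SIZE - 1;
    memset(pkt_buf, 'A', src_len);
    pkt_buf[src_len] = '\0';
}

/* Copies a constructed packet of src_len bytes with copy_query and
 * returns the resulting query length, or -1 if no terminator is present. */
int copied_query_len(size_t src_len)
{
    static char pkt_buf[PKT_BUF_SIZE];
    char query_string[QUERY_STR_SIZE];
    make_packet(pkt_buf, src_len);
    copy_query(query_string, sizeof query_string, pkt_buf, sizeof pkt_buf);
    char *end = memchr(query_string, '\0', sizeof query_string);
    return end ? (int)(end - query_string) : -1;
}

/* Returns copy_query's fit flag for a constructed packet of src_len bytes. */
int copied_query_fit(size_t src_len)
{
    static char pkt_buf[PKT_BUF_SIZE];
    char query_string[QUERY_STR_SIZE];
    make_packet(pkt_buf, src_len);
    return copy_query(query_string, sizeof query_string, pkt_buf, sizeof pkt_buf);
}

/* The strncpy(dst, src, sizeof(dst)) form: bounded, but when src is at
 * least sizeof(dst) bytes long no terminator is written, so a later
 * strlen-style read (decode_domain_name, debug "%s") runs off the end.
 * Returns 1 if query_string ends up NUL-terminated, 0 otherwise. */
int strncpy_terminated(size_t src_len)
{
    static char pkt_buf[PKT_BUF_SIZE];
    char query_string[QUERY_STR_SIZE];
    make_packet(pkt_buf, src_len);
    strncpy(query_string, pkt_buf, sizeof query_string);
    return memchr(query_string, '\0', sizeof query_string) != NULL;
}

int main(void)
{
    printf("3000-byte query: fit=%d len=%d\n",
           copied_query_fit(3000), copied_query_len(3000));
    printf("100-byte query:  fit=%d len=%d\n",
           copied_query_fit(100), copied_query_len(100));
    printf("strncpy terminated: 3000 -> %d, 100 -> %d\n",
           strncpy_terminated(3000), strncpy_terminated(100));
    return 0;
}
```

The design point is that a bounded copy alone is not the whole fix: the copy must both stop at the destination size and leave a terminator, and a caller that learns the query was truncated should discard it rather than decode a mangled name.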

Stack Trace

Patch

--- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100 +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100 @@ -105,7 +105,7 @@ /* child process only here */ signal(SIGCHLD, SIG_IGN);

    • strcpy( query_string, pkt.buf );
  • strncpy( query_string, pkt.buf, sizeof(query_string) ); decode_domain_name( query_string ); debug("query: %s\n", query_string );
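Review bot: the replacement strncpy( query_string, pkt.buf, sizeof(query_string) ) stops the stack overwrite but does not guarantee NUL termination. When pkt.buf holds sizeof(query_string) or more bytes, strncpy fills the entire destination without writing a terminator, and the unchanged decode_domain_name( query_string ) and debug("query: %s\n", query_string ) on the following lines then read past the end of the array. Copy at most sizeof(query_string) - 1 bytes and set query_string[sizeof(query_string) - 1] = '\0' explicitly, or check the packet length first and reject queries that do not fit.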

References
