CVE-2007-1465

Experiment Environment

Ubuntu 8.10

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-1465/dproxy-0.5.tar.gz
tar -xvf dproxy-0.5.tar.gz
cd dproxy-0.5
make

Problems in Installation & Configuration

How to trigger vulnerability

Server:

sudo ./dproxy -d -c ./dproxy.conf

Client:

perl exploit.pl

PoCs

dproxy 0.5 - Remote Buffer Overflow (Metasploit)

DProxy Stack-Based Buffer-Overflow Vulnerability

But those two PoCs depend on Metasploit, so I rewrote the PoC and uploaded it to this folder.

Vulnerability Details & Patch

Root Cause

In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long, is copied into a variable called query_string, which is at most 2048 bytes. Because the copy is done with strcpy, no length check is applied, so the stack can be overwritten, which leads to arbitrary command execution.

105    /* child process only here */
106    signal(SIGCHLD, SIG_IGN);
107
108    strcpy( query_string, pkt.buf );
109    decode_domain_name( query_string );
110    debug("query: %s\n", query_string );

Stack Trace

Patch

--- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100 +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100 @@ -105,7 +105,7 @@ /* child process only here */ signal(SIGCHLD, SIG_IGN);

    • strcpy( query_string, pkt.buf );
  • strncpy( query_string, pkt.buf, sizeof(query_string) ); decode_domain_name( query_string ); debug("query: %s\n", query_string );
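Review bot: the replacement strncpy( query_string, pkt.buf, sizeof(query_string) ) stops the overflow but does not guarantee termination: when pkt.buf holds sizeof(query_string) or more non-NUL bytes, strncpy writes no terminating NUL, and the unchanged decode_domain_name( query_string ) and debug("query: %s\n", query_string ) on the following lines then read past the end of the array. Copy at most sizeof(query_string) - 1 bytes and set query_string[sizeof(query_string) - 1] = '\0' explicitly (or use snprintf with "%s"), and confirm query_string is declared as an array in this scope, since sizeof applied to a pointer would give the pointer size rather than the 2048-byte buffer the README describes.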

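The root-cause snippet and the strncpy patch above differ only in whether the copy is bounded; the remaining edge case is a source that fills the destination exactly, which strncpy leaves unterminated. As an added example (not the dproxy project's code), a bounded copy that always terminates and rejects oversized input, with buffer sizes and sample packets constructed to mirror the page's 4096/2048 figures:

```c
#include <stdio.h>
#include <string.h>

/* Constructed to mirror the page: 4096-byte packet, 2048-byte query. */
#define PKT_BUF_SIZE   4096
#define QUERY_STR_SIZE 2048

/* Bounded copy into a fixed-size query string. Returns 1 on success;
 * returns 0 and leaves dst as "" when the source would not fit with its
 * terminator (the case a plain strncpy of sizeof(dst) bytes leaves
 * unterminated). Never reads past src_len, so an unterminated buffer is safe. */
int copy_query(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    size_t n = 0;
    if (dst_size == 0) return 0;
    while (n < src_len && src[n] != '\0')
        n++;
    if (n >= dst_size) {          /* no room for data + terminator */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* A short wire-format name (constructed) is copied intact. */
int demo_fits(void)
{
    char pkt_buf[PKT_BUF_SIZE] = "\x03" "www" "\x07" "example" "\x03" "com";
    char query_string[QUERY_STR_SIZE];
    return copy_query(query_string, sizeof query_string, pkt_buf, sizeof pkt_buf)
           && strcmp(query_string, pkt_buf) == 0;
}

/* A full 4096-byte packet with no terminator is rejected, not copied. */
int demo_oversized(void)
{
    char pkt_buf[PKT_BUF_SIZE];
    char query_string[QUERY_STR_SIZE];
    memset(pkt_buf, 'A', sizeof pkt_buf);
    return !copy_query(query_string, sizeof query_string, pkt_buf, sizeof pkt_buf)
           && query_string[0] == '\0';
}

int main(void)
{
    printf("fits=%d oversized=%d\n", demo_fits(), demo_oversized());
    return 0;
}
```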
References
