Ubuntu 8.10
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-1465/dproxy-0.5.tar.gz
tar -xvf dproxy-0.5.tar.gz
cd dproxy-0.5
make
Server:
sudo ./dproxy -d -c ./dproxy.conf
Client:
perl exploit.pl
dproxy 0.5 - Remote Buffer Overflow (Metasploit)
DProxy Stack-Based Buffer-Overflow Vulnerability
But those two PoCs depend on Metasploit, so I rewrote the PoC and uploaded it to this folder.
In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long, is copied into a variable called query_string, which is at most 2048 bytes. Because the copy is done with strcpy, a payload longer than query_string overwrites the stack, which leads to arbitrary command execution.
105 /* child process only here */
106 signal(SIGCHLD, SIG_IGN);
107
108 strcpy( query_string, pkt.buf );
109 decode_domain_name( query_string );
110 debug("query: %s\n", query_string );
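The following is an added example (not code from dproxy or from this repository) showing what a safe replacement for the strcpy call above looks like, and why the strncpy used in the patch further down is only half a fix. It assumes the buffer sizes stated in the write-up (4096-byte packet buffer, 2048-byte query_string); the function names copy_query, strncpy_leaves_terminator and the demo_* helpers are mine, and the payload is a constructed run of 'A' bytes, not real DNS data.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Buffer sizes as stated in the write-up: the UDP packet buffer holds up to
 * 4096 bytes, query_string holds at most 2048 bytes. */
#define PKT_BUF_LEN 4096
#define QUERY_LEN   2048

enum { COPY_OK = 0, COPY_TOO_LONG = -1 };

/* Bounded strlen: never scans more than max bytes, so a payload that arrived
 * without a terminator cannot cause an over-read. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Replacement for strcpy(query_string, pkt.buf): copies only if the payload
 * plus its terminator fits in dst, otherwise rejects it and leaves dst as an
 * empty string.  On success dst is always NUL-terminated, so the decoder
 * that runs next never walks off the end of the buffer. */
int copy_query(char *dst, size_t dst_len, const char *src, size_t src_max)
{
    size_t n = bounded_len(src, src_max);
    if (dst_len == 0)
        return COPY_TOO_LONG;
    if (n >= dst_len) {              /* no room for the terminator */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return COPY_OK;
}

/* The patch's pattern, strncpy bounded by sizeof(query_string), stops the
 * overflow but does not terminate dst when src fills it completely.
 * Returns 1 if dst contains a NUL after the copy, 0 if it does not. */
int strncpy_leaves_terminator(char *dst, size_t dst_len, const char *src)
{
    strncpy(dst, src, dst_len);
    return memchr(dst, '\0', dst_len) != NULL;
}

/* Constructed payload: payload_len 'A' bytes followed by a terminator. */
static void fill_payload(char *pkt, size_t payload_len)
{
    memset(pkt, 'A', payload_len);
    pkt[payload_len] = '\0';
}

/* Largest payload the packet buffer can hold (4095 bytes): must be rejected. */
int demo_oversized_payload(void)
{
    char pkt[PKT_BUF_LEN], query[QUERY_LEN];
    fill_payload(pkt, PKT_BUF_LEN - 1);
    return copy_query(query, sizeof query, pkt, sizeof pkt);
}

/* Returns the length of the copied query, 0 if the payload was rejected,
 * -1 if payload_len does not even fit the packet buffer. */
int demo_payload_of_len(size_t payload_len)
{
    char pkt[PKT_BUF_LEN], query[QUERY_LEN];
    if (payload_len >= PKT_BUF_LEN)
        return -1;
    fill_payload(pkt, payload_len);
    if (copy_query(query, sizeof query, pkt, sizeof pkt) != COPY_OK)
        return 0;
    return (int)strlen(query);
}

/* strncpy pitfall: a payload of exactly QUERY_LEN bytes leaves no terminator. */
int demo_strncpy_full_buffer(void)
{
    char pkt[PKT_BUF_LEN], query[QUERY_LEN];
    fill_payload(pkt, QUERY_LEN);
    return strncpy_leaves_terminator(query, sizeof query, pkt);
}

int main(void)
{
    printf("4095-byte payload    -> %d (COPY_TOO_LONG is %d)\n",
           demo_oversized_payload(), COPY_TOO_LONG);
    printf("63-byte payload      -> copied %d bytes\n", demo_payload_of_len(63));
    printf("2047-byte payload    -> copied %d bytes\n", demo_payload_of_len(2047));
    printf("2048-byte payload    -> copied %d bytes (rejected)\n", demo_payload_of_len(2048));
    printf("strncpy, full buffer -> terminated: %d\n", demo_strncpy_full_buffer());
    return 0;
}
```

Rejecting an oversized query rather than truncating it is the deliberate choice here: a truncated domain name is not a valid query anyway, and an explicit return code gives the caller something to log, which is the signal a defender wants when such packets show up.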
--- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100 +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100 @@ -105,7 +105,7 @@ /* child process only here */ signal(SIGCHLD, SIG_IGN);
-
- strcpy( query_string, pkt.buf );
- strncpy( query_string, pkt.buf, sizeof(query_string) ); decode_domain_name( query_string ); debug("query: %s\n", query_string );
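Review bot: the replacement strncpy( query_string, pkt.buf, sizeof(query_string) ) bounds the copy but does not NUL-terminate query_string when pkt.buf is sizeof(query_string) bytes or longer, so the decode_domain_name( query_string ) and debug("query: %s\n", query_string ) calls that follow in the same hunk can read past the end of the buffer; either copy at most sizeof(query_string) - 1 bytes and set query_string[sizeof(query_string) - 1] = '\0' afterwards, or reject oversized payloads before copying. The sizeof expression is only correct if query_string is an array in this scope rather than a pointer, which should be confirmed against the declaration. Also, the strncpy line appears here with a "-" prefix although the @@ -105,7 +105,7 @@ header describes one removed and one added line, so the sign looks like extraction damage rather than the patch's content.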