  • Microsoft IIS WebDav ScStoragePathFromUrl Overflow
    Disclosure Date: 2017-03-26
    First seen: 2020-04-26
    exploit/windows/iis/iis_webdav_scstoragepathfromurl
    Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016. Original exploit by Zhiniang Peng and Chen Wu. Authors: Zhiniang Peng, Chen Wu, Dominic Chell <dominic@mdsec.co.uk>, firefart, zcgonvh <zcgonvh@qq.com>, Rich Whitcroft, Lincoln
  • Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
    Disclosure Date: 2010-09-14
    First seen: 2020-04-26
    auxiliary/dos/windows/http/ms10_065_ii6_asp_dos
    The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. It requires that Active Server Pages are hosted by IIS and that an ASP script reads a POST form value. Authors: Heyder Andrade <heyder@alligatorteam.org>, Leandro Oliveira <leadro@alligatorteam.org>
  • MS09-053 Microsoft IIS FTP Server NLST Response Overflow
    Disclosure Date: 2009-08-31
    First seen: 2020-04-26
    exploit/windows/ftp/ms09_053_ftpd_nlst
    This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account). Authors: Kingcope <kcope2@googlemail.com>, hdm <x@hdm.io>
  • MS02-018 Microsoft IIS 4.0 .HTR Path Overflow
    Disclosure Date: 2002-04-10
    First seen: 2020-04-26
    exploit/windows/iis/ms02_018_htr
    This module exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. It works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have trouble terminating a bind shell. If you set EXITFUNC to 'thread', the server will crash upon exit of the bind shell. The payload is alphanumerically encoded without a NOP sled because otherwise the data gets mangled by the filters. Authors: stinko <vinnie@metasploit.com>
  • MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
    Disclosure Date: 2001-06-18
    First seen: 2020-04-26
    exploit/windows/iis/ms01_033_idq
    This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server. Authors: MC <mc@metasploit.com>
  • MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution
    Disclosure Date: 2001-05-15
    First seen: 2020-04-26
    exploit/windows/iis/ms01_026_dbldecode
    This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. This module has been tested successfully on: Windows 2000 Professional (SP0) (EN); Windows 2000 Professional (SP1) (AR); Windows 2000 Professional (SP1) (CZ); Windows 2000 Server (SP0) (FR); Windows 2000 Server (SP1) (EN); and Windows 2000 Server (SP1) (SE). Note: This module will leave a Metasploit payload exe in the IIS scripts directory. Authors: jduck <jduck@metasploit.com>
  • MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
    Disclosure Date: 1998-07-17
    First seen: 2020-04-26
    exploit/windows/iis/msadc
    This module can be used to execute arbitrary commands on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service, using VbBusObj or AdvancedDataFactory to inject shell commands into Microsoft Access databases (MDBs), MSSQL databases and ODBC/JET Data Source Names (DSNs). Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively used in the wild in the late Nineties. Affected MDAC versions include MDAC 1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS installed. These were typically NT4 Servers with the NT Option Pack installed, or upgraded Windows 2000 systems, often running IIS 3/4/5; however, some vulnerable installations can still be found on newer Windows operating systems. Note that newer releases of msadcs.dll can still be abused, but by default remote connections to the RDS are denied. Consider using VERBOSE if you're unable to successfully execute a command, as the error messages are detailed and useful for debugging. Also set NAME to obtain the remote hostname, and METHOD to use the alternative VbBusObj technique. Authors: aushack <patrick@osisecurity.com.au>
  • Microsoft IIS HTTP Internal IP Disclosure
    First seen: 2020-04-26
    auxiliary/scanner/http/iis_internal_ip
    Collects any leaked internal IPs by requesting commonly redirected locations from IIS. CVE-2000-0649 references IIS 5.1 (Windows 2000, XP) and older. However, in newer servers such as IIS 7+, this occurs when alternateHostName is not set or is misconfigured. Also collects internal IPs leaked via the PROPFIND method in certain IIS versions. Authors: Heather Pilkington, Matthew Dunn, k0pak4
8 metasploit modules found
Please note: Metasploit modules are matched by CVE number only. Visit the Metasploit web site for more details.