Fix #4246 - undef method 'payload_exe' error in ms01_026_dbldecode.rb #4321
Conversation
This fixes an undef method 'payload_exe' error. We broke this when all modules started using Msf::Exploit::CmdStager as the only source to get a command stager payload. The problem with that is "payload_exe" is an accessor in CmdStagerTFTP, not in CmdStager, so when the module wants to access that, we trigger the undef method error. To be exact, this is the actual commit that broke it: 7ced592
Fix rapid7#4246
Tried both of your methods but still the same result. I even tried including Msf::Exploit::CmdStagerTFTP
Please do method 1, and print your result (the last step). If you actually still get undef method error that way, you probably did something wrong.
Method 1 should get you to do something like this:
Yep, it was my mistake, I apologize. Should something else happen after
2014-12-12 16:23 GMT+01:00 sinn3r notifications@github.com:
If you have a vulnerable IIS, yeah I THINK you get a shell. But I have no Windows 2000 to test this so I have no idea how well this exploit works. It was written by jduck, who's been a really good exploit dev so I can only assume it probably works.
One of his early commits was this: It says "nt4".... if this means Windows NT, then he might have tested the exploit on an IIS 4 machine. In that case........ it's pretty much unverifiable by us nowadays -_-
Yep, but I am still able to find an online NT machine with IIS
2014-12-12 16:34 GMT+01:00 sinn3r notifications@github.com:
I do appreciate your effort to test the module, but if by online NT machine you mean some random NT machine you have found on the Internet that you don't own or have permission to test, please stay away from it. That type of testing is actually illegal and I don't really want anybody to do any illegal activities because of trying to verify a patch. If we can't find an NT or 2000 ISO to install and test, over here we basically don't test it (or we find another way to prove the patch works, which in this case would be method 1). Thanks again.
Don't worry, I am fully aware of the law around these things; I am testing only
2014-12-12 16:43 GMT+01:00 sinn3r notifications@github.com:
I'm trying to set up a win2000 for testing...
Put Windows 2000 SP4 server up, unfortunately doesn't look vulnerable. My ism.dll version is 5.0.2.2195.6620. According to http://www.security-database.com/detail.php?alert=MS01-026 vulnerable installations are:
There hasn't been any feedback from @swiftblade19 in 14 days, so I'm going to proceed with Method 1
Verification through Method 1 worked:
Hi, I tested both methods but my machine seems to be not vulnerable. If you
2014-12-26 19:40 GMT+01:00 Juan Vazquez notifications@github.com:
Fix #4246
Root Cause
This fixes an undef method 'payload_exe' error. We broke this when all modules started using Msf::Exploit::CmdStager as the only source to get a command stager payload. The problem with that is "payload_exe" is an accessor in CmdStagerTFTP, not in CmdStager, so when the module wants to access that, we trigger the undef method error.
To be exact, this is the actual commit that broke it: 7ced592
Verification
I don't have a Windows 2000 box anymore so I had to fix this bug without a test box. But by looking at the source and the commit history, I'm pretty sure this is the right fix.
Choose a way to verify:
Method 1
This is basically how I verified it as "working":
print_debug(@exe_payload.inspect)
at line 200.
use exploit/windows/iis/ms01_026_dbldecode
set WINDIR C:\\Windows
set rhost [IP]
(Something with IIS)
run
Method 2
If you actually have a vulnerable IIS box for this, then you should choose this way:
use exploit/windows/iis/ms01_026_dbldecode
set WINDIR C:\\Windows
set rhost [IP]
run
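As an added illustration of the root cause described in this PR (not the framework's or the PR's own code): a toy model of the mixin mismatch, where the module names are stand-ins for the Metasploit mixins, the FixedModule body models what Method 1's print_debug inspects rather than the PR's actual diff, and the two check functions are hypothetical helpers a maintainer could run without a Windows 2000 box.

```ruby
# Stand-in for Msf::Exploit::CmdStager (hypothetical model, not framework code):
# stages the executable into @exe_payload but defines no payload_exe accessor.
module CmdStager
  def execute_cmdstager(exe_bytes)
    @exe_payload = exe_bytes
    @exe_payload.bytesize
  end
end

# Stand-in for Msf::Exploit::CmdStagerTFTP: the accessor lives only here.
module CmdStagerTFTP
  include CmdStager
  def payload_exe
    @exe_payload
  end
end

# After the switch to the generic stager: includes only CmdStager yet still calls
# payload_exe(), so Ruby raises NoMethodError (undefined method 'payload_exe').
class BrokenModule
  include CmdStager
  def exploit
    execute_cmdstager("MZ-stub")  # constructed placeholder, not a real EXE
    payload_exe().bytesize
  end
end

# Reads the state the included mixin actually provides, which is what Method 1's
# print_debug(@exe_payload.inspect) inspects (the PR's real diff is not on this page).
class FixedModule
  include CmdStager
  def exploit
    execute_cmdstager("MZ-stub")
    @exe_payload.bytesize
  end
end

# Runtime check needing no Windows 2000 box: the missing method's name, or nil.
def missing_method_error(mod_class)
  mod_class.new.exploit
  nil
rescue NoMethodError => e
  e.name.to_s
end

# Static check: accessor names a module relies on that none of its mixins define.
def unsupplied_accessors(mod_class, names)
  names.reject { |n| mod_class.method_defined?(n) }
end
```

The static check is the one worth wiring into a test suite, since it flags a module that references an accessor its current mixin set no longer supplies before anyone runs it against a target.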